Moving into Internal Audit
This section includes resources for those moving into Internal Audit
Making the move from external to internal auditing
When external auditors move into internal audit, they do not necessarily realise that they need a different approach and some new skill sets to perform what is a very different role. This article aims to highlight some of those differences and can be used to help members moving from external audit into internal audit.
International Standards and Frameworks
What is IA and what does it do
Understanding of subject matter under audit and relevance to business objectives
Questioning techniques for internal auditors
How do you get the information you need as an internal auditor? You first need to put yourself in your auditee’s mindset before posing your question, and be flexible in how you phrase it. The right question matched to the auditee will get you the information you need and create a good working relationship.
Why ask questions?
There are three personality types that you will come across when you ask a question – those who see every single question as some form of attack, those who see it as an opportunity to tell you their life story, and then the people who simply answer your question.
Internal auditors ask questions because they need to collect information, they want to confirm beliefs, and in order to understand. There will be some auditees who wonder why they are being asked the same question again by Internal Audit when they have answered it in the past, why Internal Audit doesn’t believe what they are being told, and why Internal Audit does not understand what appears to be obvious.
Asking questions to get information
Think about the information you actually want - do you want somebody’s life story or a sanitised expurgated version? Do you want evidence or just an answer? Do you want an answer to a very specific question or some general information? How you pose the question will determine what that answer will be. If you want a very specific piece of information, you will have to make that very clear whereas if you want general information then you will phase the question very differently.
If you are simply working your way down a set list of questions without taking care to phrase the question appropriately then the auditee could very well determine what you learn. The auditee may have secrets that he/she does not want to tell you and those secrets may be very important ranging from issues that have been hidden, to successes that management should know about. Your default position should be that the auditee has information that he/she does not want to share.
Asking questions to get confirmation
You may just be looking for confirmation but confirmation is not always straight forward. For example you may ask an auditee whether there have there been any changes and if so, what have those changes been. Just because he/she does not think that anything has changed does not mean that nothing has changed in reality. The auditee may confirm that things are running as programmed but he/she may not be the person who did the actual programming.
Lastly be aware of how the way in which you phrase your question can result in auto suggesting. If you give the impression that you just want an answer that will allow you to tick a box, and the auditee wants to get the interview over quickly, then he/she may give you that confirmation even if it is not true.
Asking questions to understand
Auditees may not understand why what is obvious to them is not obvious to the internal auditor. Their familiarity with processes will lead them to believe that there is nothing to understand and that it is all patently obvious. Conversely they may feel that sharing their special knowledge of processes would reduce job security as anybody would then be able to do their work.
Internal auditors may just want information, confirmation and understanding but in asking questions, they may trigger the wrong thoughts and reactions in auditees.
The three types of responses that you are likely to encounter are those of defensive, unexpurgated and concise.
We take our defensiveness from what we consider to be an attack. Think about how many drivers on a motorway will slow down if they see a police car coming up behind them. An auditee being approached by a person with the title of “Internal Auditor” is going to expect to be asked questions and it is likely to change their behaviour. They may instinctively become defensive if they expect you to attack them. How you phrase your questions can mitigate that instinctive defensiveness.
A different response type is the unexpurgated one where the auditee has been trying to tell everyone their life history for years but nobody has listened. They have so much to tell and along comes an internal auditor who is asking for information. They will give volumes of information and the internal auditor has to try to identify the relevant information within those volumes.
Concise responders may seem ideal in comparison but they will only answer your question and no more. Their answers may be so restricted that you do not get the information you need and that puts enormous pressure on you to ask the “right” question - and of course you have to have the knowledge to ask the right question.
The defensive response
There may be a perception from auditees that if Internal Audit is asking a question then they are under attack - even if they are just being asked for some information. The best form of defense is attack so they may attack back.
Alternatively they will plead the 5th amendment to avoid self-incrimination or else say that they do not know anything. The most extreme defensive behaviour is to lie -some auditees will convince themselves that a little lie is not that bad.
The unexpurgated response
The greatest danger with unexpurgated responders is that they will send you to sleep. It becomes difficult to stay engaged but there is likely to be buried treasure in the information you are getting. If you really are after detailed information about how a department or team operates, the unexpurgated responders are the ones who will tell you what nobody else will, but it will be challenging to keep alert and carry on asking pertinent questions.
The concise response
What you ask is what you get with concise responders. If you should go back to them later and ask them why they did not tell you something, they will rightly say that you did not specifically ask them about it. They will keep it short – perhaps even just yes or no responses - and it is difficult to get these people to tell you all that you need to know.
They will not offer examples - you will have to ask for them to enable you to understand how things work in reality. They will not mind being asked for examples but they will not offer them unsolicited. The biggest danger is that they will guess what you want to know - particularly if they have ever been asked to explain their operations before - and tell you only that.
Dealing with the defensive responder
When you are dealing with a defensive auditee, there is no point in saying to them “don’t get defensive” or “I’m not attacking you” as that will be evidence to them that you are. If you argue with them then they will become more defensive – and the more defensive they become, the less information you will get.
Instead, hold a discussion – show concern and interest and be aware of the expression on your face and your body language. Intense concentration on your part can manifest as a hostile facial expression to an auditee which can trigger a defensive response. If you can instead present yourself as approachable and empathetic then you can reduce the defensiveness. Using the “what if” approach could come across as concern on your part which would be disarming - for example, “what if this scenario happened – would it make things difficult for your team?”
You may encounter lies at some point – a common defensive response. Do not attack lies - instead turn away from them. Change the topic and come back to it later. If you accuse somebody of lying then you will get more defensiveness.
Dealing with the unexpurgated responder
The greatest challenge is to stay awake and keep your concentration. The unexpurgated responder is so happy to have somebody to talk to that if you interrupt them, they will listen to your interruption and then start at the beginning again so do not interrupt them unless you have a plan. Simple interruption will not work but guiding the conversation – without dominating it – may help you find crucial information that you would not otherwise get anywhere else.
Dealing with the concise responder
Plan your questions with care – standard questions may not get you the information that you need. Expect to use probing follow up questions to initial questions. Set the scene when you ask questions of such people – clarify the context and then ask the question, otherwise they may set the context for themselves. Do not be afraid to ask for an example when they have given an answer to a specific question. Otherwise you will not get them and examples often provide the best insight into an operation.
Personal filters need to be considered – we all filter information. Each filter affects the answer that you will get and should therefore impact on the question that you ask. There are many filters but these four are the most useful for questioning purposes:
- The ‘away from: towards’ filter is best explained with an example. In a scenario where somebody is considering how much they weigh, they can aim to lose weight (away from) or they can aim to be slim (towards). There is a difference and if you listen to people then you will get a feel for if they are ‘away from’ or ‘towards’ in their approach and then you can frame your question appropriately.
- The ‘Centre stage: behind the scenes’ filter contrasts those who may feel that what they do is not important (behind the scenes) with those who feel that what they do is critical (centre stage).
- The ‘hands on: not me’ filter contrasts those who accept responsibility (hands on) with those who do not (not me).
- The ‘emotion: logic’ filter contrasts those who are calm and unemotional even amidst a crisis (logic) with those who are prone to react strongly and are less able to cope with a stressful situation (emotion).
Considering response types alongside personal filters will inform how you deal with auditees:
Away from + Defensive = Not my problem
The auditee will feel doubly under attack so take the long route to get to the question you want to ask
Away from + Concise = Your problem
Put your question in the context that the organisation’s problems are everybody’s problems
Towards + Defensive = Talk to him/her/them
Thank the auditee for the suggestion but ask if you can talk to them first and get their ideas so that you can build a rich picture – their thoughts count!
Towards + Unexpurgated = Let me tell you all about what they did
Tell the auditee that you are happy to hear about what others did but first, what did the auditee’s team do? Did the actions of others cause the auditee problems?
Towards + Concise = Ask that person
Tell the auditee that you will ask that person but first you would like to ask the auditee for his/her thoughts.
Centre stage + Unexpurgated = How I feel about this, how it affects me
Try to enable them to see that there are other people around. You may have to let them get it off their chest and then ask the question again. They have access to valuable information but it will only be seen from their angle.
Centre stage + Concise = Bullet pointed facts
Ask lots of questions, probe, use the “what if” approach, and ask for examples. Centre stage people omit information that comes from the hands of others because other people are irrelevant to them. You will have to enable them to see it from other people’s angles as well. For example, what would Bill do? How would Bill react to that?
Behind the scenes + Unexpurgated = How things actually work here
This result might be helpful – a rambling but detailed story about how things work may yield valuable information.
Hands on + Unexpurgated = Only I count around here
Listen to this person but discount 99% of it.
Not me + Defensive = No idea, can’t help
The more you try to get them to see how their actions can cause problems, the worse it will get. They cannot see the other view and there will be limits to what you can get out of this person but try the long route to a question or a discussion approach
Not me + Unexpurgated = I can tell you a thing or two about…
This feels like gossip but it could actually be useful for providing insight to how situations have arisen.
Not me + Concise = Facts about others
This may be useful as it may help you when you come to ask questions of those who you’ve just been given information on.
Emotion + Defensive = Why are you attacking me?
Be careful with your approach and phrasing of any questions as this person might have a strong reaction. The usual approaches for a defensive responder plus extra sensitivity.
Emotion + Unexpurgated = We are under a great deal of pressure
A good inroad is to ask what is causing the stress and how can the stress be removed. You hear and see the symptoms of that stress but you need to understand what is causing the symptoms which may cause problems in the rest of the organisation.
Logic + Concise = We follow the rule book
Ask to double-check the rule book with them – to make sure they are following the current version of the rulebook, etc.
This guidance is based on an ACCA webcast given by Jane Allan of Jane Allan & Associates on Questioning Techniques for Internal Auditors. View the full webcast here.
- Designing the test plan
- Executing testing
What should an audit file look like?
This series of articles is intended to assist ACCA members in addressing the evidencing of key stages in the audit process to demonstrate compliance with the Institute of Internal Auditors (IIA) International Professional Practice Framework (IPPF). The IIA IPPF is also the underlying basis for other sector specific internal audit standards such as the UK Public Sector Internal Audit Standards (PSIAS).
To keep these articles succinct, they assume a basic knowledge of the professional standards and the terms used therein; detail and definitions are provided within the published standards.
Some terms used within the Standards have been substituted for those more commonly used in the UK, such as Chief Internal Auditor (CIA) in place of Chief Audit Executive.
- Report writing
Stakeholder management and communications