Ready, Fire, Aim

Expedite the Internal Audit

When you are assigned a new audit, what are some of the first things that come to mind? Most likely the word Planning comes to mind, and most Audit Departments love spending time with the traditional planning approach…

Ready (preliminary preparation and planning)
Aim (more brainstorming and planning)
Fire (performing the activity)

You say, “what does the title of this article mean?” In this article, you will find information about the Ready, Fire, Aim approach that can be used with new audits.

When you have the right tools, Just Go
Imagine being lost in a forest and you are only handed a compass and only know that you are supposed to head north, you must be out of the forest in 24 hours, and you cannot see beyond 50 feet. Since you cannot see more than 50 feet in front of you, the best thing to do would be to start walking north and deal with obstacles as they come. If you just stand there and wonder where the obstacles are, you run the risk that you spend too much time planning, and not enough time walking (otherwise stated, spending too much time and resources getting ready and aiming). Obstacles such as ravines, cliffs, and rapidly flowing rivers, cannot be known until you start walking north. Then, when the obstacle is reached, you will need to make the proper adjustments (to scope) depending on what you ‘find.’

The reason for the Ready, Fire, Aim approach is that many times a “new” audit shows up on the Audit Schedule, the individual performing the audit, no matter the experience or credentials achieved, cannot know precisely what the problem areas are until some work is complete. Just like in the forest, you must first begin walking before you identify the problem areas/obstacles. This is not to say that no planning should go into an audit, rather, once some basic plans are mapped out, start heading in that direction.

In order to be successful using the Ready, Fire, Aim approach, you will need to think of the Audit Program as a “continuous” Audit Program. What I mean by this is, start out in a known higher-risk area of the auditable entity (interview management in this area) and then, more times than not, you will start to have a better idea of what is most important to the audit vs. just writing the Audit Program and beginning your sampling. By using the “continuous” Audit Program approach, the scope will reveal itself rather than spending value time and resources determining what the scope should be. In addition, if all your time is spent planning, what time will you have when you need to develop audit findings? Probably none. If you have no time to develop audit findings, you will have no time to make sound and profitable audit recommendations.

I have had some of the best scope changes take place as a result of interviewing management first. If management is cooperative with Internal Audit, many times you will extract “problem areas” and find that your initial risk assessment may have been off. And what Auditor wants to admit they missed a particular area with significant audit findings. No Audit Program should be set in stone. In a “continuous” Audit Program is where the most significant audit findings exist, as you will be more capable to adjust the scope and adapt as the audit progresses. What is “value-added” about a program that is set in stone? Although you are giving assurance based on what was tested, it’s what is not tested because the Audit Program is set in stone that should make you wonder.

If you have been assigned an audit of an area that has never been audited and your supervisor asks you how the audit is going, which answer would you rather have?

1) “I’ve been planning the audit for several days but I’m almost done with the planning phase and will begin interviewing management and testing really soon.”
or
2) “I’ve started the audit by outlining a few key areas to focus in on, and after interviewing two different managers, I was able to obtain valuable information from them that has helped me determine areas of higher risk that I previously did not consider. In addition, I do see the likelihood of audit findings with recommendations as a result.”

If YOU cannot perform an audit efficiently and expeditiously, how are YOU (and the Internal Audit Department) going to have a leg to stand on when you’re recommending another Department/Division perform their work more efficiently and expeditiously? This simply will not work because the Internal Audit Department will be viewed by Senior Management as a “hypocrite” Department. Essentially, the Internal Audit Department will have shot itself in the foot because they are not practicing what they preach.

One of the first mistakes I made as a new auditor was over-plan. Over-planning, I’ve found, is the enemy of progress. If, before the game or during the game a basketball player plans all of his shots that he wants to take, but takes none of them, the results on the ESPN highlights board will be an obvious, Zero Points! for that basketball player.

In-depth planning is for the Annual Risk-Assessment process that involves, audit staff, senior-level Internal Audit Management and Senior Management (and of course the approval of the Audit Committee). Over-planning is the enemy of progress.5

A majority of employees of a company fall into two categories:

In-the-box thinker:
In-the-box thinkers are the death of sound audit recommendations and profitable business solutions because they don’t see beyond the micro-view of what they are doing. When this type of thinker is performing work, they cannot see outside of their own box, therefore, they are not visionary minded. Instead, they are the employees that are paid to do precisely one job and that job only. No significant business recommendations come out of this group of thinkers.

Out-of-the-box thinkers that just Go:
Internal Auditors should be out-of-the-box thinkers. What do companies like Google, Home Depot, Meijer, and Walmart have in common? All of their founders were visionaries. Google, the largest and most popular search engine in the U.S. Home Depot, the #1 in their industry and #2 of all retailers in size. Meijer, who pioneered the supercenter concept, and last but not least, Walmart, the #1 retailer in the world. None of these companies have non-visionaries at the helm.

Recommendations by nature are out-of-the-box suggestions and opinions that promote profitable change and keep the business a “going concern.” However, the above information is not based on opinion, rather, first-hand experience, as I have tested this approach out many times on brand new audits. IT DOES WORK!

My Solution to be an Expeditious Internal Auditor: Ready, Fire, Aim! … in that order.

Try this approach and you will not only get the most important business issues identified quicker, but the positive results of taking these actions will be felt sooner.



About the Author:
Paul Gillett is an auditing consultant and author. If you would like more information on auditing solutions, click this link: audit solutions and post a comment or email:phgillett@hotmail.com. You may reprint this article electronically or as a hard copy as long as the author's resource box remains intact, with the active links included.