Too often, internal auditors report what is easy to say and avoid inconvenient truths. Audit committees do not need comfort. They need candor.

In my latest blog post, I focus on the quiet things internal auditors must be prepared to say out loud to the audit committee, especially when:
• Management limits or interferes with internal audit’s work
• Internal audit lacks the resources to meet stakeholder expectations
• Organizational culture is elevating enterprise risk
• Audit findings or conclusions are suppressed
• Corrective actions are not prioritized or sustained

These are not abstract concerns. From my experience, they are real, often recurring, and inevitably consequential. When they go unspoken, oversight weakens and risk grows.

I welcome your thoughts. https://lnkd.in/eUKXVRbX
Auditing Practices Overview
Explore the best LinkedIn content from expert professionals.
-
5-WHY ROOT CAUSE ANALYSIS (RCA)

Problem Statement: A batch of parts was rejected due to an oversized hole diameter.

5-Why Analysis:
1. Why was the batch rejected? → Because the hole diameter was larger than the specified tolerance.
2. Why was the hole diameter too large? → Because the drilling machine was not properly adjusted.
3. Why was the machine not properly adjusted? → Because the operator used an outdated setup sheet.
4. Why did the operator use an outdated setup sheet? → Because the latest revision was not available at the machine.
5. Why was the latest revision not available at the machine? → Because there is no system in place to ensure controlled document distribution.

Root Cause: No document control system for distributing updated setup sheets.

Corrective Actions:
• Introduce a document control procedure to issue and display the latest revision only.
• Restrict access to outdated setup sheets by removing old versions from machines.
• Train machine operators and line leaders on verifying document revision before setup.

Preventive Measures:
• Digitize all setup sheets with access through a centralized network folder or MES (Manufacturing Execution System).
• Implement revision control logs with sign-off for updates and acknowledgments by operators.
• Conduct regular audits on setup documents at workstations.
• Establish standard work that includes a revision check step before every job setup.
• Integrate barcode or QR code scanning to verify correct document versions at machines.
-
The Invoice That Almost Got Away

During an audit for a client, I noticed a curious pattern. Several invoices had back-to-back serial numbers but wildly different dates. One invoice, dated March 30th, recorded a sale worth ₹10 lakh. Curious, I traced it back to the dispatch records. Turns out the goods were still sitting in the warehouse — untouched. Classic case of fictitious sales to inflate revenue.

That's when I learned: An invoice isn't just a piece of paper — it's a story. And as auditors, we need to connect the dots.

Key Details to Always Check:
1. Seller and buyer details
2. Date of the transaction
3. Description of goods/services
4. Quantity and rates
5. Tax details (like GST)
6. Terms of payment
7. Invoice currency for international transactions
8. Proper authorization and approval signatures

Red Flags to Watch For:
1. Missing invoice numbers (potential fake invoices).
2. Unusually high amounts without approvals.
3. Invoices dated just before year-end to boost sales.
4. Multiple invoices issued to the same buyer within a short span.
5. Frequent cancellations or credit notes without clear reasons.

Next time you review invoices, remember — the numbers may tell a story, but it's up to you to uncover the truth.

#vouching #stat_audit
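The red flags listed in the post (missing serials, back-to-back serials with out-of-order dates, year-end loading, large unapproved amounts, clustered invoices to one buyer) can be run as analytic checks over an invoice register. The following is an added example, not code from the post's author; the record layout (serial, date, buyer, amount, approved), the sample invoices and the thresholds are all constructed assumptions.

```python
from datetime import date

# Constructed sample register with an assumed layout; serial 1004 is deliberately absent.
INVOICES = [
    {"serial": 1001, "date": date(2024, 3, 2),  "buyer": "Acme", "amount": 120_000,   "approved": True},
    {"serial": 1002, "date": date(2024, 3, 30), "buyer": "Zen",  "amount": 1_000_000, "approved": False},
    {"serial": 1003, "date": date(2024, 3, 5),  "buyer": "Acme", "amount": 80_000,    "approved": True},
    {"serial": 1005, "date": date(2024, 3, 6),  "buyer": "Acme", "amount": 50_000,    "approved": True},
    {"serial": 1006, "date": date(2024, 3, 31), "buyer": "Bolt", "amount": 900_000,   "approved": True},
]
YEAR_END = date(2024, 3, 31)  # assumed fiscal year-end (31 March), matching the post's March 30th example


def missing_serials(invoices):
    """Gaps in the serial sequence: a missing number may be a destroyed or fake invoice."""
    serials = sorted(i["serial"] for i in invoices)
    present = set(serials)
    return [s for s in range(serials[0], serials[-1] + 1) if s not in present]


def date_out_of_sequence(invoices):
    """Consecutive serials whose date runs backwards (later serial, earlier date)."""
    ordered = sorted(invoices, key=lambda i: i["serial"])
    return [b["serial"] for a, b in zip(ordered, ordered[1:]) if b["date"] < a["date"]]


def year_end_loading(invoices, days=3):
    """Invoices dated within the last `days` days before year-end (assumed threshold)."""
    return [i["serial"] for i in invoices if 0 <= (YEAR_END - i["date"]).days < days]


def unapproved_large(invoices, threshold=500_000):
    """Amounts at or above the approval threshold (assumed) with no recorded approval."""
    return [i["serial"] for i in invoices if i["amount"] >= threshold and not i["approved"]]


def repeat_buyer(invoices, window_days=7, max_count=2):
    """Same buyer invoiced more than `max_count` times inside a rolling window (assumed)."""
    flagged, by_buyer = set(), {}
    for i in invoices:
        by_buyer.setdefault(i["buyer"], []).append(i)
    for items in by_buyer.values():
        items.sort(key=lambda i: i["date"])
        for idx, first in enumerate(items):
            cluster = [j for j in items[idx:] if (j["date"] - first["date"]).days <= window_days]
            if len(cluster) > max_count:
                flagged.update(j["serial"] for j in cluster)
    return sorted(flagged)


def red_flags(invoices):
    """Run every check and return the flagged serials per red flag for follow-up vouching."""
    return {
        "missing_serials": missing_serials(invoices),
        "date_out_of_sequence": date_out_of_sequence(invoices),
        "year_end_loading": year_end_loading(invoices),
        "unapproved_large": unapproved_large(invoices),
        "repeat_buyer": repeat_buyer(invoices),
    }


if __name__ == "__main__":
    for name, serials in red_flags(INVOICES).items():
        print(f"{name}: {serials}")
```

Flagged serials are leads for tracing to dispatch and approval records, as the post describes, not conclusions on their own.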
-
If your controls only exist for the auditor, you don't have controls. You have theatre. And a lot of organisations have more of it than they realise.

A control can be documented. Tested. Reviewed. Signed off. Reported as operating effectively. And still fail to change behaviour when it matters.

That is the uncomfortable bit. Because control value is not created when evidence exists. It is created when the control improves a decision, prevents a bad outcome, clarifies ownership or changes how people act under pressure. A control that only works for the audit file is not a control. It is performance.

The real test is different:
✅ Does the control change what someone does?
✅ Does it create useful friction before a poor decision is made?
✅ Does it clarify who owns the risk?
✅ Does it produce evidence that helps management act, not just audit test?
✅ Does it still work when the business is busy, stretched or under pressure?

If the answer is no, the issue is not documentation. It is value leakage.

That is why I created the free Beyond the Lines™ Internal Audit Value Leakage Map. It helps audit, risk and controls leaders diagnose where value disappears between insight and action, including where controls look fine on paper but fail to create real ownership or outcomes.

👉 You can access it here: https://lnkd.in/er_NbN-m

🗣️ Where do you see the most “control theatre” in organisations? Policy, evidence, sign-offs, remediation, reporting, or somewhere else?

#InternalAudit #RiskManagement #InternalControls #Leadership #Audit
-
Internal Audit: Value for Management or the Audit Committee?

Internal auditors are frequently told to “add more value.” The harder question is this: value for whom? The answer is rarely clear. Instead, we hear familiar remarks like, "Internal audit is a cost centre," or "we need to be more commercial." These comments reveal uncertainty about who internal audit ultimately exists to serve.

It is easy to focus on what management says. The more important issue is what auditors themselves internalise. When we adopt defensive language about being a cost centre, it shapes how we behave. It influences how firmly we express judgement and how confidently we challenge.

Management may see value in cost efficiency and practical recommendations. An audit committee usually sees audit value differently. It looks for independence, clarity of judgement and early visibility of emerging risk and issues.

Having served on audit committees for many years, I have seen where real value is recognised. Committees want stability and the absence of unpleasant surprises. They also value candour when issues are uncomfortable and clarity when risks are still forming and before they become real issues. Above all, they value independence of mind, because without it, assurance carries limited weight.

When value is not consciously defined, the internal audit function drifts. Messages soften to preserve comfort and effort spreads across competing expectations. The function risks becoming agreeable rather than authoritative.

Being a cost centre is not a weakness. Many essential governance functions are cost centres. Accounting, the Company Secretary and Human Resources do not generate revenue, yet no organisation can operate without them. Internal audit plays a similar role. It creates assurance value between management and the board. That value may not appear in profit figures, but its absence becomes clear when governance fails.

Clarity about whom the function serves sharpens focus and judgement. Internal audit is mandated by the audit committee - that defines its primary accountability. This does not exclude value to management. Much of internal audit’s work benefits management directly. The two are not mutually exclusive. The distinction lies in where ultimate accountability sits.

From that clarity, trust deepens. It is when the audit committee can rely on internal audit's independence of mind that internal audit moves beyond confirming controls and becomes a trusted source of judgement.
-
Compliance isn’t choosing one framework, it’s understanding how they work together.

Many organizations view SOC 2, ISO 27001, and GDPR as competing obligations, but the reality is far more integrated. SOC 2 validates data security controls for US-based service providers; it is voluntary but expected by enterprise clients. ISO 27001 provides a globally recognized ISMS foundation with comprehensive risk management and continuous improvement. GDPR legally enforces personal data protection for EU citizens with significant financial penalties for non-compliance.

The strategic advantage lies in their overlap: access controls, incident response, vendor risk management, encryption, and breach notification requirements align across all three. Organizations that map controls once and satisfy multiple frameworks simultaneously reduce audit fatigue while strengthening their overall security posture.

Rather than treating compliance as separate silos, mature GRC programs build unified control environments that address shared requirements, turning regulatory burden into operational excellence.

What’s your approach to managing overlapping compliance frameworks?

#GRC #SOC2 #ISO27001 #GDPR #Compliance #InformationSecurity #DataProtection
-
How to Win Any Audit Conversation: The 5P Audit Talk Code

Ever feel like you're walking into an ISO audit with a target on your back? You know your work is solid — but the moment the auditor walks in, your confidence walks out. One wrong word. One nervous ramble. One offhand comment — and suddenly, the conversation spirals.

Let’s fix that. Here’s how to talk to any ISO Auditor — without slipping up or sounding unsure.

🧭 THE 5P Audit Talk Code
Think of it like your GPS for audit conversations.

1. Polite – But Not Passive
Tone rule: calm, respectful, not overly eager.
→ Avoid over-explaining or defending.
→ Don’t fill silences — let them ask.
→ Use neutral phrasing: “Let me walk you through how we approach that”; “This is how it’s currently structured”

2. Precise – No Rambles
Stick to the question. Answer what was asked. Nothing more. Nothing less.
Auditor: “Do you monitor this?”
Wrong: “Well… not really, but we tried to set it up last year…”
Right: “Yes. We monitor it monthly using [X]. I can show you the last three reports.”
→ Think Twitter, not TED Talk.

3. Process-Based – Not People-Based
Talk about the system, not individuals.
Wrong: “John usually checks it.”
Right: “The process requires a monthly review by the department lead, documented in [system/tool].”
Use phrasing like: “The process we follow is…”; “Our current procedure outlines…”

4. Proof-Backed
→ Don’t explain it — show it.
→ If you say it exists, have it ready.
→ Screenshots, logs, reports, checklists — whatever backs your point.
Pull up real examples if asked: “Here’s the form we use”
Don’t explain verbally what you can demonstrate visually.

5. Professional – Stay in Audit Mode
No complaints. No sarcasm. No improvisation. And never (!) blame another person or team — even if you really want to.
If you don’t know, say:
“That’s outside my scope, but I can connect you with the right owner”
“Let me confirm that and follow up — would you like that in writing?”

🔄 Bonus: When You’re Unsure – How to Stay in Control
Even the best-prepared person hits a moment of doubt. When that happens, don’t guess. Use audit-fluent bridging phrases like:
→ “I want to be accurate on that — let me double-check the current setup”
→ “That’s owned by another team — I’ll loop them in so you get the full picture”
→ “We’ve been updating this area — can I show you where we are with it right now?”
→ “Give me a second — I’ll pull up the latest record so you can see exactly what we’ve got”
→ “That’s a fair question. The way we currently approach it is evolving, but here’s what’s in place today”
These buy you time, maintain confidence and show that you know your process.

***

Auditors don’t just listen to your words. They read your behavior and mindset. This Code helps you speak with clarity, alignment and credibility.

Tell me — what do you always use to stay cool during an audit?

P.S. Want the 5P Audit Talk Code™ as a printable card? Comment “5P” and I’ll send it your way.

#Auditor #Quality
-
Most internal audit reports are thorough, detailed… and underutilized.

Why? Because decision-makers don’t need more pages. They need clarity.

This is where a high-level audit dashboard changes the game. A powerful one-page dashboard can:
✔ Highlight critical risks instantly
✔ Show what truly matters to the business
✔ Drive faster, better decisions
✔ Strengthen Audit Committee engagement
✔ Create accountability for action

Frameworks like the Institute of Internal Auditors emphasize effective communication as a core pillar of Internal Audit. And in today’s fast-moving business environment, visual storytelling is no longer optional.

From my experience, the real value of Internal Audit is not in identifying issues, it’s in ensuring they are understood, prioritized, and acted upon.

A well-designed dashboard typically answers:
🔹 Where are the biggest risks?
🔹 What needs immediate attention?
🔹 Are issues recurring?
🔹 Who is accountable?
🔹 What is the business impact?

When done right, it transforms Internal Audit from "a reporting function" to "a strategic decision enabler".

One page. Clear insights. Real impact.

#InternalAudit #RiskManagement #CorporateGovernance #AuditCommittee #DataVisualization #Leadership
-
🔹 Quarterly Results: Governance or Pressure Cooker?

Current rules around quarterly results have become a race against time, pushing management to prioritize speed over substance. This creates incentives to manipulate earnings, or worse, hide mistakes—defeating the very purpose of transparency.

Should SEBI consider abolishing public quarterly results altogether or limiting them to confidential filings with regulators? Management bandwidth is consumed preparing accounts four times a year, and Audit Committees often receive financials too late to meaningfully review them. The rush creates unrealistic expectations: management has 365 days to operate but just a couple of days of real oversight each quarter.

Instead, a biannual reporting regime could balance transparency with the need for quality. Allowing companies to publish audited accounts 30 days after finalization would give auditors and Audit Committees time for thorough review.

🔹 Audit Committees: Form Over Substance?

While corporate governance talks a good game, the reality inside many Audit Committees remains troubling. Accounts are often finalized overnight, delivered to committees at the last minute under the pretext of avoiding insider trading leaks. Meetings start late, run short, and are rushed—chairpersons need to leave for flights, auditors have 15 minutes to present, and critical committee reports get just a few minutes of attention.

When non-accounting directors face mountains of standards and disclosures with no time to review, expecting effective oversight is unrealistic. How can Audit Committees truly fulfill their responsibility if they’re given less than an hour to review complex financials?

🔹 Recommendations: A Bold Rethink
✅ Dispense with mandatory public quarterly results and limit filings to regulators.
✅ Allow Audit Committees to meet with adequate time—at least 48 hours’ notice with full access to financials.
✅ Consider scheduling meetings over weekends, so directors can review accounts without weekday time pressures.
✅ Track and disclose the number of times Audit Committees make material changes to financials; consistent ‘NIL’ adjustments can signal lack of diligence.

If we genuinely care about investor protection, we must move beyond box-ticking. It’s time to bring substance to corporate governance—rebalancing regulation, removing unnecessary compliance burdens, and empowering Audit Committees to act effectively.

To be continued…
-
Last week I spoke with a CISO looking for a GRC platform to manage SOC 2, ISO 27001, ISO 9001, CSA Star, and PCI DSS. These are dream projects for me because there is such a huge opportunity for ROI.

CURRENT PROGRAM & CHALLENGES
- Today they have 2 audit firms: one for SOC 2/PCI/CSA and one for ISO 27001
- As a result they have two audit seasons and end up burning a lot of political capital with engineering teams and IT asking for the same audit evidence 2x per year
- The audits drive all compliance activity and there is no visibility between audits
- The business has aggressive plans to acquire 1-2 companies a year and they need to be able to inherit and maintain new programs

WHAT WE ARE GOING TO DO

1. Harmonize the program in fullCircle
First we are going to harmonize all the frameworks and audit evidence in our platform fullCircle. This way they can slice and dice by framework, by control, by evidence, by owner, or however else they need to. This will enable gathering evidence once to meet requirements across multiple frameworks. They can also generate "audit packages" of evidence with a click of a button.

2. Streamline audits
Next, we need to work with the external auditor to create a single audit season, understand mapped evidence, and buy in on the strategy. The best audit firms we work with are great partners in pulling off this strategy while also doing a thorough high quality audit.

3. Automation and continuous monitoring
We also have to get the team to a place where they aren't pulling everything manually and they have some confidence things are running well between audits. First, we did this by automating a few big ticket items - focusing mostly on their AWS and GCP instances (access, secure configs, etc.). Second, we set up a cadence of internal audit spot checks on a monthly basis for high risk items.

---

This will likely save the customer $1M and 1000+ hours a year of largely non-value add work. That's a solid project.