Auditor, defined.

I have held positions as a quality auditor, lead quality auditor, and audit and compliance manager. However, some organizations use job titles such as "operational auditor" or "business analyst" to refer to job duties consistent with my own in previous positions, while others use the word auditor to refer specifically to an accountant who audits financial statements. Rather than attempt to precisely define auditor in a manner consistent with my own experience, I prefer to broadly define auditor so that its definition is a superset of more specific definitions and encompasses the most commonly used definitions.

Before I broadly define auditor, it would perhaps be best to discuss audit, auditors, and auditing in general, to establish a common perspective about auditing:

  1. Auditors are highly visible management representatives.

    It has been said that auditors are the eyes and ears of management. This description of the role of auditors is very generous and, perhaps in a healthy corporate environment, reasonably accurate.

    However, in an unhealthy corporate environment auditors are all too often:

    • enforcers of a "zero tolerance" policy for real or perceived personal or professional failure.
    • middle-men in a battle of "metrics warfare" between managers who mistakenly believe words like "tactical" or "strategic" should be used to describe resource allocation decisions at the executive level.
    • middle-men in a battle between competing management factions maneuvering in a corporate political environment to take over each other's resources, for example by identifying the other faction's "nonessential" personnel.

    In any case, it cannot be argued that auditors are not highly visible management representatives.

  2. Audit is a tool of management.

    In general, auditors receive their assignments directly or indirectly from management. Audit is therefore a tool of management.

  3. Auditors report directly to management.

    In general, auditors report the results of their investigations directly to management.

  4. Effective audit produces business wisdom.

    Many companies claim to produce business intelligence. However, effective audit does not produce business intelligence. Effective audit produces business wisdom.

    The pejorative that auditors wander the battlefield after the battle is lost to bayonet the wounded is true, after a fashion. However, if a military metaphor is appropriate to effective audit, it would be this:

    "...a victorious army first wins and then seeks battle; a defeated army first battles and then seeks victory." - Sun Tzu (The Art of War)

    Audit produces business wisdom through investigation, evaluation, and assessment. Business wisdom ensures victory.

  5. Audit conclusions create conflict.

    Because auditors are highly visible management representatives, audit is a tool of management, and auditors report directly to management, audit conclusions create conflict.

    This is especially true when the audit process is used punitively, for example, to:

    • enforce, rather than evaluate, compliance,
    • penalize lack of compliance, or
    • assert there is a problem without adequate objective evidence supporting this conclusion.

    These examples give meaning to the phrase "to audit into compliance".

  6. Auditors base their conclusions on a state map.

    For an auditor's conclusions to have any value, they must be based on a comparison between the expected state and the observed state. To provide a meaningful comparison, the auditor must have an accurate state map, that is, he or she must be aware of the requirements which establish the expected state. This state map must be communicated to management and establishes the scope of the audit.

    Frequently, it is stated that management establishes the scope of an audit by deciding what will be audited, and from one perspective, this is true. However, abuse and misuse of audit, for example as described above, have directly resulted in the development of independent quality standards, such as ISO 9001:2000, and frameworks, such as COBIT, with which organizations assert compliance. An auditor therefore enters an engagement knowing, broadly, what the expected state is, although he or she may have no knowledge of the organization's specific implementation. This is true even if the organization's own internal policies and procedures establish the state map.

    An auditor identifies deficiencies by comparing the expected state to the observed state. For example, an auditor may identify as a deficiency failure to follow issued work instructions if this is clearly the expectation. However, an auditor may also identify as a deficiency a work instruction that does not provide adequate instruction to the worker if this is clearly the expectation, or failure of management to establish an expectation.

  7. Auditors base conclusions on facts supported by objective evidence.

    An assertion is a declaration that a statement establishes a fact, for example: "The company complies with all the requirements of ISO 9001:2000." However, an assertion is not a fact.

    An assertion becomes a fact when independently verified and supported by objective evidence.

    The most frequent, and fundamental, objections to an auditor's conclusions are disagreements about facts, i.e., that insufficient evidence exists to establish a fact or that the auditor's conclusions are not supported by facts. For this reason, objective evidence supporting facts and facts supporting an auditor's conclusions are frequently documented by an issued report. The issued report documents the problem in sufficient detail to establish credibility, i.e., that facts are supported by objective evidence and that any conclusions are supported by facts.

  8. Auditors must overcome the audit reaction when presenting findings.

    Most personnel in highly regulated environments are familiar with the audit process. To varying degrees, most recipients of audit findings react in a similar fashion, which I refer to as the audit reaction:

    • Some organizations question the need to report.

      When a problem is reported, most organizations take immediate corrective action to resolve the problem, if possible. If they are able to immediately resolve the problem, some organizations then question the need to report it. However, if the problem is not reported, it is unlikely appropriate action will be taken to prevent the problem from recurring. With no previous problems establishing a history, recurrence may be perceived as an isolated problem, and not evidence that previous corrective action was ineffective.

      For this reason, most professional auditors establish a practice of reporting the results of all audits, whether or not problems were identified, including any for which corrective action is in progress, or complete.

    • Some organizations question the need to report "findings".

      Briefly, a finding is a conclusion. Public perception is that findings are negative, in that they document discrepancies or deficiencies, but this is incorrect. An auditor may also find that a company is acting in accordance with its policies and procedures.

      However, there is no uniform definition of "finding". This lack of consistency results in some organizations attempting to redefine a finding for which corrective action is in progress or complete as an "observation", or volunteering to accept a "recommendation" in lieu of a finding to reduce the incidence and perceived severity of the word "finding".

      This is especially true for findings which are classified as material. A material finding is a kiss of death in a Sarbanes-Oxley Section 404 compliance audit. No company will accept a conclusion that a finding is material without comment, frequently a rebuttal questioning the auditor's methods and conclusions. However, Arthur Andersen's auditing of Enron did not disclose material findings that Enron is being sued for almost a decade later, and it is unlikely that the Sarbanes-Oxley Act of 2002 eliminated all forms of collusion between publicly-held companies and their auditors. The low incidence of these types of findings is not evidence that material findings are not occurring, only that they are not being detected or reported.

      For this reason, most professional auditors establish a practice of reporting all problems identified during an audit, whether or not they have been corrected, with no further action required, at the time an audit report is issued.

    • Some organizations question finding severity.

      Once informed that a finding will be reported, some organizations question the use of number words or sampling that support the report's conclusions, and attempt to reduce the perceived severity of the finding.

      For this reason, most professional auditors establish a practice of neither requesting, nor requiring, agreement on reported finding severity.

    • Some organizations attempt to dictate what will, or will not, be reported.

      Some organizations attempt to dictate what will be reported by deciding that failure to comply with management's requirements does not constitute a lack of compliance, and therefore should not be reported as a finding.

      For this reason, most professional auditors establish a practice of auditing to requirements established by management, and documented by an audit plan agreed to by management prior to conduct of the audit.

    • Some organizations assign greater severity to reported findings.

      Some organizations assign greater severity to reported findings, i.e., they act, react, or respond as if a minor finding is a major finding.

      Because auditors have no control over how other organizations perceive reported findings, auditors ensure the organization understands how the finding will be reported, what actions will be requested, and when. This eliminates a potential problem: an organization takes corrective action that management later considers excessive, which causes management to question the auditor's contribution to the perceived severity of the finding and to question the cost of corrective action, specifically whether it was justified by the severity of the finding.

  9. The Law of Diminishing Returns also affects audit.

    For audit purposes, the Law of Diminishing Returns is a recognition that increased investigation or effort on the part of the auditor may result in an increase in the number of facts supporting reported findings, but the identification of fewer and fewer findings within the scope of the audit. At this point, it is not worth investing additional audit resources to continue to investigate the problem, and auditors generally request responsible management take over the investigation, effectively bound the problem, and identify the root cause(s).

So what is an auditor?

Broadly, an auditor is a pattern recognition specialist who evaluates compliance with requirements he or she did not establish (generally, so as to avoid conflict of interest) using a state map, documents findings, forms conclusions based on findings, and is frequently forced to overcome considerable adversity to report both findings and conclusions to management.

The diversity of job titles is a consequence of the specific subject matter expertise required to develop a state map. With this exception, and reporting requirements in specific domains, all auditors have the same basic skill set: they are professional skeptics.

Last updated: Saturday, 14 May, 2011