Are You Sampling or Gambling

It’s getting to the end of May – Internal Audit Month. The month in which internal auditors are expected to spread awareness about their profession to others. You were meeting some people for the first time and have to tell them what you do. “I provide assurance on the working of controls and processes to ensure that they adequately manage risks. I advise management on how to manage existing and emerging risks effectively.”

The smug smile on your face vanished when you were asked, “That must be a hell of a job. Events are happening in the business every second and each of these has some risk, big or small, built in. How can you look at everything?”

“We sample transactions at random,” you replied. The unconvinced nod says it all and the person walked away wondering how on earth you still manage to cover all the risks with your random samples. No wonder, every time there is news about frauds and errors, a finger is pointed at the auditors – both internal and statutory. Behind each of these is most likely a case of random sampling gone awfully wrong.

Internal Audit is known as the third line of defence while the operations personnel and the risk and control specialists form the first and second lines respectively. You are right to choose random sampling to evaluate controls. You cannot be expected to review every transaction, that too in real-time, before the damage is done.

In the past we had concurrent auditing, where all-powerful internal auditors ruled the roost. Putting their stamp of approval on every transaction in the business. But except for a few bureaucratic backwaters this has now vanished. Because businesses cannot stop for internal auditors and audit is not something that should be done in a hurry. So, we are back  to random sampling. How can internal auditors maximise the value and minimise the risk from their fieldwork? How can they do this ithout spending all day reviewing transactions?