Author Archive for


The benefits of properly planning an audit

I found a few jars of jam recently in my freezer. These jars came from my good friends and neighbors who had moved to Africa two years ago. They were cleaning out their freezer prior to their move and gave us the jam.

I am not a big fan of jams but my family is, especially for peanut butter and jelly sandwiches so I have been using these jams alot. This week I was down to my last jar of jam and was pondering the planning and process that went into preparing and preserving these jams. It dawned on me that a process that had happened at least two to three years ago was still benefiting my family. By investing her time in food preservation (i.e. canning jams), my neighbor saved my family time and money. She delayed our need to go to the store to buy a jar of jam.

This example made realize that the value of good planning translates into all facets of life including work. In my case, work involves planning an audit. I go through this process at least three times a year for my audits.

If you are in doubt that good planning pays off, here are some of the benefits, amongst many:

1. Good planning saves time

-helps you prioritize audit procedures to focus on the important things

-frees up time to respond to emergencies or unanticipated events during the audit

-frees up time to help others

-frees up time for value add opportunities

2. Good planning helps you stay organized

-helps you organize the deluge of data that is always part of an audit

-helps you document audit work in a linear framework consistent with auditing standards

3. Good planning helps you keep the client happy

-helps you meet expectations on timeframes and deadlines

-respects the client’s time

  • by getting on their calendar early before it gets filled up with other meetings
  • by giving them enough time to prepare the items requested for the audit
  • by being strategic about the number of necessary meeting times (Less vs. more is always best. This can be    accomplished by methodically gathering questions and open items and possibly meeting fewer times with the client but maybe for longer periods)

4. Good planning reduces the overall stress of the audit

In a future post, I will talk about some of the ways to plan well for an audit. Hopefully you can share some of your tips with me as well.


Revenue: A ‘means’ or an ‘ends’ for Nonprofits?

In for-profit corporations, the ultimate goal of the company is clear – maximize bottom line profits. This is what the shareholders want and expect, and there are laws that protect and prioritize the goal of profit.

As a young auditor in the for-profit environment, I was taught to be wary of the quest for the bottom line and potentially damaging behaviors if the bottom line was pursued ‘at all costs’. These behaviors included the potential for financial statement manipulation through the use of aggressive estimates, off-balance sheet accounts, and manipulating the timing of accounting entries.

In the nonprofit world, the ultimate goal is not the pursuit of bottom line profits. The goal or mission of the nonprofit is communicated through its mission statement and this is the ‘end’ reason why the nonprofit exists. For World Vision, our mission is to provide the opportunity for life in all its fullness for the children we serve. Our secondary mission is to create an environment where our donors have and act upon the desire to give children the opportunity for life in all its fullness. For nonprofits, bottom line excess (we don’t call it profit because nonprofits by their nature and name are not in pursuit of profits) is a means to fulfilling the mission, not the end mission itself.

However, in nonprofits, the risk of prioritizing the bottom line over the mission can exist. Although nonprofits might not intentionally be acting in this way, decision making can favor the bottom line over mission if clear decision making criteria have not been established. When there are multiple priorities and multiple ‘good things’ to pursue, it is possible to favor decisions that increase the bottom line because this goal is very tangible and quantitative. A mission or program impact goal is often not very tangible or quantitative. Additionally, mission and impact goals are long term goals that might not show markable progress in the short term.

Here are some scenarios that can create the danger of sacrificing the mission for the sake of the bottom line:

-Cash revenue when accepted too fast for programs to absorb,

-Cash revenue when accepted for a purpose different than the assistance truly needed by programs,

-Acceptance of gifts of property when there is more cost than benefit (e.g. property with high hidden liabilities, property that is difficult to liquidate, etc) to the gift,

-In Kind Gifts that cannot be well integrated with programs, and

-Cost cutting of necessary infrastructure to preserve net income in the short run.

I read an excellent article in the January/February 2013 HBR issue. This article highlighted Jeff Bezos as one of the top CEOs in the world. In the article, Mr. Bezos was questioned about Amazon’s strategy specific to maintaining shareholder value and having a long term perspective. This was his answer.

“If you’re long-term oriented, customer interests and shareholder interests are aligned. In the short-term, that’s not always the case. We have other stakeholders, too – our employees, our vendors. We take it as an article of faith that if we put customers first, other stakeholders will also benefitas long as they’re willing to take the long-term view. And a long-term view is essential for invention, because you’re going to have a lot of failures along the way”

His answer reflects Amazon’s philosophy of basing decision making on the long term goal and of keeping their main stakeholder – their customer – as their primary focus. To Mr. Bezos, this mentality was in the best interests of all their stakeholders, including their shareholders over the long term.

What of our nonprofits? Are we maintaining focus on our key stakeholder and are we keeping the long term in view?

How are we balancing short term and long term goals? Management lives under the reality that they are measured by that which is measurable, which typically is financial results. How do we balance the goals that are measurable with the more important goals which are often hard to measure?

World Vision has taken a good step in the direction of measuring ‘mission’ or impact. See this related post.

If nonprofits are honest about wanting to focus on keeping the main thing the main thing, we need to make visible our progress towards the big goals of mission impact alongside financial and revenue results. When our goals are balanced, we are able to more clearly see the trade-offs between goals when critical decisions are on the table and need to be made.


auditing informal controls

Happy New Year everyone!

To commemorate the new year, I decided to do some light reading on control self-assessments 🙂

In my research of control self- assessments (CSAs), I came across a paper titled ‘Control Self-Assessment: A tool for organizational improvement’ The authors of the paper imply that audits can only audit formal controls.

“Audits confirm the degree of compliance with formal controls and mandates. They (informal controls) are not tangible and, therefore, are not subject to the verification standards demanded by traditional audit.”

Another resource implied the same thing –

“CSA is an audit technique within the broad framework of internal audit that measures areas that traditional audit techniques are not designed to measure, such as trust, morale and corporate culture”

However, the paper notes (as is also true in my experience) that it is really informal controls that are more influential in an organization.

“One of COSO’s core conclusions was that “official policies” (formal controls) specify what management wishes to happen. However, the “culture of the organization” (informal controls) determines what actually happens – which rules are obeyed, ignored or bent. Without a clear assessment of informal internal controls, any organization runs the risk of the loss of opportunities and of potentially serious problems going undetected.”

Is it true that audits can only validate and measure formal controls? If informal controls are more effective than formal controls and audits are limited to validation of formal controls, does this call into question the effectiveness of auditing and imply that the value of auditing is limited to a validation of formal controls?

Widely accepted international standards have defined internal controls in the following ways:

  • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories, (i) Effectiveness and efficiency of operations, (ii) Reliability of financial reporting, (iii) Compliance with applicable laws and regulations – COSO
  • Actions that foster the best result for an organization – COCO (Canada)
  • A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives – Turnbull Committee (UK)
  • All major factors that, taken together, support people in the achievement of their own work objectives and those of the organization – USAID paper

See this related post for deciding on which internal control framework to implement.

Although the various internal control frameworks use very broad definitions, when most people think about internal controls in the traditional sense, they think primarily about financial reporting controls (e.g. Sarbanes Oxley requirements) and secondarily about other formal non-financial controls such as policies and procedures, authorizations and review processes.

The COSO model has the following components:


For an auditor, the control activities area is typically a primary area of focus to audit. The characteristics of control activities such as policies, authorizations and reconciliations are formal controls and are tangible and repeatable. These controls are typically part of transactions and processes. Monitoring activities are also another component that is typically audited. However, the other COSO components of control environment, information and communication, and risk assessment, are also controls but are typically known as informal controls and are either one-time or non-repetitive controls.

What is the role of an audit as it relates to informal controls – i.e. most of the COSO cube except for control activities? How does audit validate these ‘controls’?

A known method for audit validation is through sample testing of transactions. How do you validate an informal control when it is not directly related to a transaction and non-repetitive? Do you merely validate the existence, use of and importance of the informal control in the organization? Would an audit recommendation be within the realms of if the controls exists, is consistently used and known throughout the organization? The idea that informal controls are an audit issue if it is absent or if there is a very clear exception is supported by the following source:

“Soft   (informal) controls include ethics, commitment to competence, and management   operating style. Such controls have traditionally been overlooked in audits   because documented evidence of the audit condition is difficult to obtain and   test…..on the other hand, proper behavior is assumed for soft controls. An   unfavorable audit conclusion is reached only if improper behavior is   observed. A satisfactory rating wouldn’t be ruled out if the auditor finds no   direct evidence that the “soft controls” are in place. Only if instances of   unethical, incompetent, or improper management behavior are discovered should   the auditor consider an unsatisfactory rating. The level of assurance   provided by the auditor for soft controls is , therefore much less than normally   rendered. As techniques for testing soft controls improve, rating criteria   may be revised to render more positive assurance.”

Informal controls are also typically very people oriented and therefore potentially highly subjective. It is possible to use CSA-type tools such as surveys and questionnaires to provide data and observations of informal controls.

It does make sense that formal controls and the auditing of formal controls is important in industries and processes that have high compliance requirements such as financial reporting (adherence to GAAP or similar accounting standards), banking, oil and gas, investments, etc. However, for areas that are not highly regulated and that are more relational, formal controls are not always as evident or important. In the nonprofit industry, there are many activities that are relational and qualitative where informal controls hold much more sway than formal controls.

In my reading so far on CSAs, it appears that CSAs are the preferred tool to provide a more in-depth evaluation of informal controls. In a future post, I will explore the differences between traditional auditing and CSAs.

By nature of IIA’s adoption of the COSO internal control framework as a standard, it is our responsibility as auditors to not just validate formal controls, but also informal controls. It might not be very straightforward or intuitive to audit informal controls, but it is imperative. From my personal experience, the recommendations that have been most valuable to management and that have been part of much needed change in the organization most often relate to informal controls.

I welcome your comments and observations.


2012 in review

The stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

4,329 films were submitted to the 2012 Cannes Film Festival. This blog had 23,000 views in 2012. If each view were a film, this blog would power 5 Film Festivals

Click here to see the complete report.


Effectiveness and Efficiency – a personal observation on value creation

There is much talk about creating value. In a time of economic scarcity, this question of value is at the forefront of many conversations in business.

The idea of using all the raw materials at your disposal and converting these into something useful, functional and beautiful creates value. Gathering raw materials and combining, converting or improving these materials is an age-old concept for value creation. This concept is evident in the acts of sewing, cooking, dressing and styling, use of gifts and skills at work, manufacturing, agriculture and many more activities.

In cooking, multiple ingredients are combined to make a wonderful meal. Using the skill of sewing, a thread, needle and some fabric can make a beautiful dress. In style, multiple layers and accessory pieces make an outfit standout from among the crowd. When two or three or four ideas are combined, they often result in an outcome more powerful than one single idea.

It is always nice to have more resource but to have more resource is not always the constraint. We often do not have control over our ability to generate more resource. We do have the ability to control how we use what we already have. Are we maximizing the use of what we already have?

Sitting in on a session recently about our economic development work, I was amazed listening to stories of entrepreneurs we work with. In places where resources are the scarcest, these entrepreneurs and the locals know how to squeeze every use out of what they have. Often, their very survival is dependent on their ability to be resourceful. As they say scarcity is the mother of invention (and I would add innovation). A mango is not a fruit to just eat raw, but it is also the raw material for jams, juice and candy. Nothing is wasted. In the country of Malaysia where I grew up, the banana plant is used for fruit, for food storage, as a plate and a vegetable. In other cultures, the banana plant is a source for textiles, paper and shelter.

The people that survive, succeed and thrive in life have the ability to use what is on hand to make something great or to be something great. They create value.

I am not proposing that greatness is the end goal. The end goal is the biblical mandate that to whom much is given, much is required – the idea of stewardship.

What do we have on hand today the we have not used to it’s maximum benefit? Whom do we have access to whom we can further partner with and benefit from their skills? What are we wasting or throwing away at a high opportunity cost?

Let’s go and be great and be value-creators. And in the assessment work we do as auditors, let’s find opportunities to encourage those we serve to be resourceful, to maximize use of what they already have and to work together to leverage all strengths and skills to achieve something great.


What do I tell people I do?

I confess lately I have been feeling a little insecure about my job as an auditor. Maybe it is an identity crisis. Maybe it is a yearning for popularity. A few recent encounters have left me wondering if this is the right profession for me. I was recently at a fund raising event for work and started a conversation with one of the attendees. This ‘unnamed’ lady initially seemed excited to find I worked for World Vision. She was obviously a supporter and advocate, hence her presence at the event. “What do you do there?” she asked. “I am an auditor”. “Oh…” she muttered almost with a tinge of disdain and then proceeded to roll her eyes. We continued on with a pleasant conversation but walking away from the encounter, I couldn’t seem to shake the emotion welling up in me because of her reaction. I have been fortunate (I guess) to not have received this reaction very often. However, I know behind closed doors, behind the niceties and pleasantries of clients, there is often a desire for audit to just ‘go away’ and not be a bother. 

My fellow auditors out there, have you ever felt this way? Have you wondered why this job you have been given to do matters? 

Another recent experience left me thinking more deeply about what I do. I was at a fund raising and nonprofit industry conference and was probably the only auditor in attendance. During many of the networking opportunities, I struck up conversations with the likes of fund raising directors, consultants and capacity building professionals. A common question when they found out I was an auditor was, “What does that mean? What do you do?” A few years ago I would have used typical audit-type language and say I assessed risk and evaluated controls and understood process. However, in thinking more deeply about the ‘why’ I do what I do, I came up with a layman’s version I believe really gets to the heart of what I do. I said to almost all of them in separate conversation, “I represent stakeholders external to management, including the board of directors, donors and beneficiaries. As an independent and objective professional, I help them understand if the organization is set up for success.” The light bulbs immediately went on and I found I didn’t have to further explain myself or justify my role in the organization. 

I work for an organization that aims to provide life in all its fullness to the children we serve. We work in relief and development settings all around the world with a goal of helping communities become self-sustaining and thrive. Often, we choose to work in the toughest contexts with the poorest of the poor. The work we do is a matter of life and death. When we make wrong decisions resulting in loss of resources or when there is waste, children’s lives are at stake. 

As an organization, we need to be great at what we do because it matters. We are stewards of a tremendous amount of resources from those who are generous to give it to us for those who need it the most. Trust is a key element in what we do. The trust does not come easily. We have to earn it every day by the decisions we make and how we choose to act as an organization. 

We are not a perfect organization. There is no perfect organization. But we need to strive to be the best we can be. Mediocrity is death.

As an auditor, I have a role to play in helping the organization become more effective, efficient and compliant. 

For my fellow auditors out there, take heart and be encouraged. We are not going to win any popularity contests, but there is much good we can do.


Internal audit tips and tricks

I keep a running list of helpful audit practices or perspectives to keep in mind as a reminder to repeat these for future audits. Also, we have a guest auditor program (where staff from other departments participate in the audit process) and I am always looking for good tips to pass along to them. 

Here is my list so far in no particular order: 


  • Audit Participation – Ask for a copy of relevant auditee calendars or viewing rights to their calendars to see if there are meetings it might make sense to participate in as an observer.
  • Audit requests – If possible, ask for access to client internal drives to minimize providing the auditee with a long list of audit requests and to have immediate access to the information.
  • Incarnate, incarnate, incarnate! – Try as much as possible to participate in the auditee’s environment (e.g. management meetings, etc) to understand how they operate and how they spend their time.
  • Auditee Objectives – Some good questions to ask: (i) Are goals clear? (ii) What are you aiming for? (iii) Are the goals always in sight? (iv) How do we know that goals are always in sight? (v) Are there regular reports that show progress towards goals and accountability?
  • Monitoring – Always ask and understand if there are reports for monitoring.
  • Audit Report – Always keep the results of audit and communication of the results in mind while auditing. Don’t let the audit report be an afterthought.
  • Audit Environment and Maturity of Processes – Can you audit when there is no process or non-recurring processes? Yes, because it starts with the control environment (what is the tone from the top), then flows to risk assessment and information and communication, then control activities and monitoring. Governance is always a factor whether it is good governance or the absence of governance.
  • Audit Scope – If you start with auditee objectives and keep your focus on their objectives, you will not go wrong or be distracted.
  • Audit Fatigue – Remember that the workpapers and documentation is part of the ‘systematic’ and ‘disciplined’ approach of auditing and it is what sets us apart in terms of standards. Do not let the tediousness of documenting your work wear you down and make you lose sight of the end goal, which is the audit report
  • Time Management – Use the majority of time on end deliverables – audit testing wpapers, concluding documents, audit report.


  • Audit management deliverables – Organize your writing (especially for management deliverables such as issue logs, audit reports, presentations) and always remember your audience.
  • Audit Report – Write, re-write, re-write, and re-write again until you feel like you have adequately captured the context and framed the issue in a way that is fair, balanced and accurate.
  • Audit Report – Always start with an outline for the audit report. remember to write in context (with the context in mind) and to be direct about the issue.
  • Audit Report – Don’t sermonize. say what you mean. 
  • Audit Report – Put one thought in each sentence. 

I have titled this post ‘part 1’ because I will continually be adding to the list. Maybe I should also keep a list of what not to do because I have many of those. Oh well, I will be an optimist today 🙂

I would like to hear your tips and tricks. Will you share them with me?


July 2018
« May    



Online Accounting Degree blog feature