On the Merits of Subtraction, a Discussion of Audit Documentation
Time spent on one task is time we cannot spend on other tasks; this is the law of opportunity cost. As internal auditors with limited time and an almost infinite supply of things that demand our attention, it is imperative that we prioritize efficient time management practices. Audit documentation practices may often be overlooked but can account for a significant amount of time spent on each engagement. Excessive audit documentation does not add value to the engagement and expends valuable time that could alternatively be used to expand audit coverage and increase effectiveness. This article encourages auditors to review their current practices and look for ways to reduce excessive audit documentation.
First Horse, Then Cart
Before diving into a project to get rid of unnecessary audit documentation, it is important first to understand the primary purpose of audit documentation, along with the documentation requirements stipulated in the IIA’s Global Internal Audit Standards. Fortunately, the section addressing audit documentation in the most-recent Standards (released on January 9, 2024) is a relatively brief two pages, and the language is not overly prescriptive, which should allow internal audit shops flexibility when implementing their individual documentation practices. The Standards provide the primary purpose of audit documentation and define the target audience with Standard 14.6:
“Internal auditors must document information and evidence to support the engagement results. The analyses, evaluations, and supporting information relevant to an engagement must be documented such that an informed, prudent internal auditor, or similarly informed and competent person, could repeat the work and derive the same engagement results.”
The key takeaways here are that documentation should always focus on supporting the conclusions of the engagement, and that documentation can be structured in a way that assumes a large degree of competence on the individuals who rely on the documentation (e.g., workpaper reviewers). If documentation does not support the engagement results, then it likely is not necessary and should be omitted from the workpapers. The Standards make it clear that the documentation can be tailored to a highly competent audience. Since a highly competent audience can be expected to more easily read between the lines, auditors may be able to significantly reduce the amount of detail included in the workpapers and thereby save lots of time for both the preparer and reviewer.
For those who comply with the IIA’s Standards, it is mandatory that their audit documentation practices meet or exceed the requirements. However, any additional time auditors spend on exceeding the Standards’ requirements is time that cannot be spent addressing other important audit priorities. While it may make sense for audit documentation to occasionally be more robust than that prescribed by the Standards, auditors would be wise to periodically assess their documentation procedures and determine where the fat can be trimmed.
The remainder of this article provides concrete examples for auditors to consider when examining their audit documentation protocols.
Just Say No to Redundancies
Documenting something on more than one workpaper at least doubles the work for both the preparer and reviewer. Therefore, much time and effort can be reduced by simply looking for redundancies in workpapers.
A good place to start is audit findings, since these may often be documented in multiple locations, including supporting source documentation, testing workpapers, audit programs, audit software widgets, etc. It may be sufficient to document audit findings in only one location, such as in an audit program or findings summary document. Remember that auditors should only include enough documentation so that a competent auditor could replicate their results. For a simpler finding or one that occurs frequently in many audits, a competent auditor might easily be able to reach the same conclusion with merely a brief reference to the finding in the audit program. Limiting redundant finding references will also make things go much more smoothly if the review process results in the modification, consolidation, or elimination of audit findings, as fewer workpapers will need to be modified.
Listing the full names and titles of individuals in multiple workpapers also adds extra time. While it does not take long to type out an individual’s full name and title, the time will really add up if names and titles of multiple individuals are listed on multiple workpapers. A simple hack is to use a name and titles index workpaper or organizational chart. This will allow the reviewer to reference a single workpaper to determine relevant employee titles, and preparers will not have to wonder whether they have already defined an employee’s title in documents where employees are mentioned multiple times, such as in process narratives.
Use Process Narratives Strategically – and Sparingly!
Usage of narrative structure has many benefits. In a recent interview with popular podcaster Lex Fridman, former Amazon CEO Jeff Bezos recounted how Amazon meetings often begin with executives reading a six-page, narratively structured memo on the topic at hand, in contrast to the conventional meeting structured around the ubiquitous PowerPoint presentation. Bezos points out a significant drawback of using tools like PowerPoint when discussing complex topics:
“[A] problem with PowerPoint[s], they’re often just bullet points. And you can hide a lot of sloppy thinking behind bullet points. When you have to write in complete sentences with narrative structure, it’s really hard to hide sloppy thinking. So…it forces the author to be at their best, and so you’re getting…their best thinking and then you don’t have to spend a lot of time trying to tease that thinking out of the person.”
Many of us can relate to Bezos’ mention of hiding sloppy thinking when broadly summarizing a topic. In contrast, having to elaborate our thoughts using a narrative format often blatantly reveals this sloppy thinking and prompts us to dig further and ask additional questions. Often the result is a much more solid understanding of the subject area than we would have otherwise had if we had not been writing with a narrative structure. In internal audit where auditors must quickly get up to speed on a multitude of complex topics, using narrative memos can clearly be a beneficial tool to help them better understand the audit area and increase the effectiveness of audits. This may especially be the case when dealing with more complex topics that demand extremely lucid analysis, so auditors should not necessarily shy away from using narrative memos when it is appropriate.
That said, it is important to consider the downsides of using narrative memos so that they do not become a drag on productivity and efficiency. While the benefits of narrative memos are vast, there is no such thing as a free lunch, and the substantial time it takes to prepare and review narrative memos must be weighed against these benefits. In that same interview, Bezos was quick to point out the significant costs of preparing the six-page narrative memos:
“It’s hard to write a six-page memo. A good six-page memo might take two weeks to write. You have to write it, you have to rewrite it, you have to edit it, you have to talk to people about it.”
Bezos’ description of the challenges of writing a good narrative memo will not come as a surprise to anyone who has had to write a memo on a complex audit topic. With that in mind, auditors should carefully weigh the pros of using the narrative format with the fact that using it may add substantial time to the audit. Consideration should be given to both the complexity of the topic or process to be covered, along with its importance as support for the overall audit conclusions. If the topic or process scores low on both criteria — that is, if it is a relatively simple topic or process and is not critical for support of important audit conclusions — then consider whether it can be more efficiently summarized via another medium, such as covering it in an audit program step or with a basic process map.
If the narrative format ultimately is used, though, reviewers should not hesitate to give constructive feedback to audit staff who include too much irrelevant information. This feedback will ensure that audit staff always have management’s priority for conciseness at top of mind.
An Audit is Not a Criminal Trial
To be convicted of a crime in the U.S., one must be proven guilty beyond a reasonable doubt. Not so for audit findings, especially in internal audit. While audit documentation should clearly demonstrate how conclusions were determined, it is not always necessary to consider all possible alternatives and defenses to identified issues. This is especially the case when issues have been discussed with management as they have been uncovered and everyone agrees with the findings. It is also important to remember that internal auditors typically prioritize a proactive focus in their engagements. Auditors need to identify which processes and controls are broken so that they can be fixed, not because they want to point fingers and demonize employees for their past mistakes. Often, more time should be spent working with management to ensure they implement audit recommendations that mitigate risks identified during the audit than on documenting evidence for audit findings.
The Little Things
Be on the lookout for small inefficiencies that may add up. For instance, if multiple auditors rely on the same procedures, consider developing a standard tick mark legend that can be copied and pasted into each audit, rather than having auditors manually create one for each individual audit. Watch for over-referencing or over-ticking, considering whether a prudent auditor could follow the workpapers without the extra work. Consider annotating the first document in a large sample as a guide for finding the information in the rest of the sample. Ensure auditors are not spending too much time on PDFs with excessive highlighting, boxing, and linking that does not actually make it easier for that competent reviewer to understand the work performed. While it may be tempting for reviewers to ignore the little things to avoid seeming pedantic, keep in mind that these things add up. This is especially true if internal audit shops are in the habit of always adding rather than subtracting.
Addition by Subtraction
In his 2021 book, “Subtract: The Untapped Science of Less,” author Leidy Klotz points out the human tendency to add things rather than subtract. While addition is often necessary and useful, we often fail to consider subtraction as an option, even in cases when it may be more apt. Klotz makes it clear that he is not prioritizing one over the other, but notes that since we so often fail to consider subtraction as an option, there is much “untapped potential” to be gained by simplifying. If auditors only focus on what they can add to enhance their documentation, they might be missing easy improvements. Do not ignore that low hanging fruit! Consider which audit documentation can be subtracted to make audits more efficient and effective.
