A word about EVIDENCE

I’ve been thinking: do we really need all of the evidence we collect and document? I often feel we have convinced ourselves we are prosecutors building a case to prove something beyond reasonable doubt. Many times I have found a control deficiency and been asked to “go back and find some more examples of this” or told “we can’t report this deficiency until we find some actual errors it has caused.” Worse still is when the deficiency is known and yet we still complete detailed documentation to show how we found it and record, step by step, every specific aspect.

If someone has stopped breathing, do people first start doing tests and x-rays to prove beyond all doubt that they are not breathing and that they need CPR? Does the fire brigade require you to send them a photo of your house on fire before they act? If something is obviously wrong, and sometimes the evidence is right in front of your face, why delay taking action by collecting more examples and documenting how we found those examples?

In my career, often the most impactful insights I have provided are based on things where risks are not controlled at all, or controls are fundamentally inadequate. This type of finding is often evident on day one of a project. If we are reviewing an area and find a control deficiency or an area of improvement that management agrees with and wants to take action on, what more evidence do we need? Sure, if management don’t agree with your assessment, go away and get more evidence to persuade them. But our first step should be to talk to your stakeholder and say ‘hey, we have found this potential problem’. They may say yes, we knew, or oh, we suspected but weren’t sure.

In some cases you may agree to help the organisation by collecting more evidence to identify actual loss events as a result of the deficiency or further quantify the scale of the problem across the organisation. But this is something you should challenge: is it the best use of internal audit time to be analysing transactions to find errors as a result of a control failure, or should the experts in the business do it themselves and let audit move on to find the next deficiency?

In my opinion, evidence is more important when there is no issue. We need sufficient evidence to support the accuracy of a positive opinion we may be giving. Ask yourself how much scrutiny there is in your department over positive reports as opposed to negative reports. In my experience negative reports always get the most scrutiny. When you really think about it though, the biggest risk is not telling management something is a bit bad when it is really bad or vice versa; it is telling management everything is fine when it is actually a disaster.

Norman Marks has a great line in his book Auditing That Matters that sums up a good rule of thumb to keep in mind about evidence and documentation.

Every hour spent on documentation has a cost: that hour could be spent on another Audit.

My problem is not with basing our conclusions on evidence; of course wild speculation and unfounded assertions do nothing to help our stakeholders. It is more a challenge to think about what evidence we really need, how much of it we need and how much time needs to be spent in writing down how we found it after the fact.
