Ali Dada

Internal Audit
10 Lessons Learnt over 20 Years
 Ali Dada

I. Be a Business Partner and Trusted Advisor, not the Police

Traditional Internal Audit functions were meant to be feared. It was the in-house Police that only showed up
to catch everyone out. I don’t believe there is an appetite for that anymore.

‘Internal’ means we are all part of the same organisation, and in essence working towards the same goal. And
the best way to achieve that is through collaboration. The most effective audit is when the business team is
prepared to collaborate with the audit team to share their knowledge and problems without fear of
repercussion.

For that to happen there must be Trust and Respect between all. Become a Trusted Advisor and Business
Partner who does not just identify problems but also provides solutions.

Aspire to be an Internal Audit function that the business managers feel comfortable approaching for a
discussion. When that happens, you will have achieved the above.
 Ali Dada

II. Stay Relevant by Adding Measurable Value and Being

Commercially Focused
In a competitive business environment, there is no room for non-contributing cost centres. And Internal Audit
is incredibly positioned to contribute. The term ‘Commercially Focused’ is now being used a lot as one of the
requirements for Internal Audit, and rightly so.

Not many departments have the knowledge and comprehensive oversight of the business like an Internal
Audit function does. And if that knowledge can be blended with skill that also focuses on business
improvement, then you have a function that can add measurable value.

I was always taught to ‘pay for myself’ since I started Internal Audit and I maintain a self imposed KPI to add
measurable value more that Audit function’s Cost to Company.

Challenge yourself to do more. Don’t be a Cost Centre when you can be a Profit Centre!
 Ali Dada

III. Effective Communication is the Greatest Skill

Technical skills are the fundamentals you need to do your job, but it is your soft skills (the skills beyond) that
will determine how successfully to do your job.

This is what I have always considered to be Internal Audit’s Achilles Heel, based on what I have experienced.
And I am yet to see a successful leader who did not have an understanding and mastery of soft skills.

Soft skills covers communication, critical thinking, emotional intelligence, diplomacy and decision making to
name a few. Generally, it means adapting your style to what best suits the circumstances you face.

These are important in all circumstances but more so in Internal Audit given the nature of when we do –
intrude and critique. Therefore, the onus is on us to address any nervousness. Be firm and hold your ground
to achieve what you want but be polite and courteous as well.

Recognise the critically of effective communication as a critical audit skill. Then keep learning, adapting. And
improving.
 Ali Dada

IV. Push (but not Break!) Independence to the Limit to Maximise

Internal Audit’s Impact
Independence is crucial for Internal Audit to be able to provide objective assurance. However, it should not be
used as an excuse to limit how effectively an Internal Audit function can benefit the business.

One of the more common complaints I have heard from business managers being audited is that audit only
identifies problems but does not support solutions. The Audit team on the other hand states it must maintain
its independence so they cannot help solve them. Both may be right, but it is a disconnect. Audit can (and
should) step forward in an advisory capacity and support the business with solutions.

I respect Independence but do not use it as an excuse to avoid helping the business. I will push it to its
absolute limit to support the business that I am also a part of. Supporting the organisation I work for to
improve is my first priority.
 Ali Dada

V. High Quality Audit Observations should have Practical

Recommendations to Resolve them
Audit recommendations should be as close as possible to a practical solution That is where effort and value
lies. Audit should also take an advisory and supporting role in helping the business teams solve the problems.
That is how you win trust and appreciation.

A pet peeve across my career has been reviewing audit observations in a report that highlight a valuable
observation but do not really provide a credible or practical recommendation.

I take a very simple stance towards this. An audit observation for which there is no solution or a practical
recommendation is just a risk. Work with the business to determine an agreed practical solution and then
report it. That will be appreciated a lot more than just walking away by reporting an observation.

I prefer to be a problem solver not just a problem finder.

 Ali Dada

VI. Audit is not an Investigation

Let’s be honest about this upfront, no one really likes Internal Audit as audit by its very nature is an intrusive
exercise. However, the business does not mind being helped by someone prepared to provide them solutions
to their problems…..as long as its not Internal Audit.

In my experience, an Internal Audit project works best when the business owners are prepared to share their
knowledge of business with the audit team (so the audit team can understand how the business thinks and
operates, along with their objectives). The audit team can bring in their expertise and test the identified
processes for weaknesses and unmitigated risk.

The business will not be comfortable sharing this information if they feel they are being investigated, and it is
the auditor’s responsibility to assure the business that an audit is not an investigation. This must be done not
just in word but spirit by creating an environment of transparency and trust through the entire project.

While you have to investigate when absolutely required, that should not be a default approach. When
auditing be less of an investigator and more of a consultant.
 Ali Dada

VII. Ad hoc Requests from the Business are a Sign of Trust in

Audit
Audit functions are assessed by their ability to deliver the approved audit plan on time. Resources are
stretched and deadlines are always tight. But what happens when the business approaches you for support?

While an audit plan should always be there, agile auditing demands flexibility and we should always be
responsive to adapt the plan and resources available to reflect changed circumstances. If you do the job well,
the business may even start asking audit to support them. To me that is the ultimate indicator that the Audit
Function has achieved its goal of being a Trusted Advisor and Business Partner.

Build a flexible plan to allow for spare capacity for relevant ad hoc projects when requested. Agree this with
the Audit Committee so that the audit team can be deployed to planned audits or ad hoc projects.

I plan for the year identifying audits that must be done (based on priority and risk), audits that can be
deferred in case of urgent and relevant ad hoc requests, and then I just keep some spare team capacity for ad
hoc projects that I know will inevitably arise – All in the name of keeping the audit function agile and
responsive to business needs.
 Ali Dada

VIII.Audit Report should Represent the Business Team – Give

Them a Say in it as well as Credit
The Audit Report is the most valuable tool for communication of Internal Audit work. But how you write it
matters a lot.

The tone should be neutral and without any sensationalism. State the facts of the observation, define a root
cause and its impact to business, along with a credible recommendation as discussed earlier.

Remember the Audit Report reflects work done in collaboration with the business team. The tone must be
constructive, and it should also represent the business management’s perspective. I prefer to consult the
business on developing recommendation and record an Agreed Action Plan in their words. Ideally the
recommendation should mirror the agreed action plan.

If there is a disagreement, record your view and their view, and then explain both points of view to the
stakeholders fairly. And don’t just be a critic, be comfortable giving credit to the business where credit is due.
 Ali Dada

IX. Report Ratings can be a Major Distraction from what Really

Matters
There are times when closing an audit and issuing the report can take longer than actually conducting the
audit itself, and one of the biggest pain points can be how the report is presented and rated. The debate
moves away from the actual observation and the action required to resolve it, and it becomes more of a
negotiation over the way it is rated and might be perceived by the stakeholders.

At that point, the audit starts to lose its objective, which is resolving risk that needs to be mitigated with
required action. Audit is about identifying risk and resolving it, and anything that takes focus from that is a
waste of time and effort.

The way I see it, report ratings are an unnecessary distraction and should not be used. Focus on resolution of
audit observations and assign priority to agreed actions. I no longer use audit ratings and have removed audit
ratings in the past when restructuring audit departments to ensure the audit and business teams remain
focused on what matters most.
 Ali Dada

X. Learn to Explain Everything in 30 Seconds and as Simply as

Possible
In my experience, those who feel the need to overcomplicate their explanation with jargon and very complex
terminology may perhaps not entirely understand the subject themselves. Meanwhile a person who can
explain a topic simply in terms that can be understood by a layman is an expert in that area.

I live and die by the following rules:

• Learn to explain everything simply and in 30 seconds.

• Say it in a way a five-year old can understand it.
• Everything can fit in one slide.
• When you want to explain something to an executive in writing, summarise it. Then summarise the
summary!

To quote Mark Twain “If I had more time, I would have written a shorter letter”.