Internal auditing received a giant boost with the passage of the Sarbanes-Oxley Act in 2002, which requires company officers signing SEC reports to attest they have implemented the necessary internal controls to ensure they are informed of any material impact over financial reporting. SOX made it mandatory for many companies to determine financial reporting risks, design ways to manage risks, fix problems creating such risks, analyze the effectiveness of control measures taken, re-test and re-document. Internal auditing got another boost with the financial crisis of 2008. Now, internal auditors could be ready to step up to the plate, becoming the board’s skeptical counselor and trusted advisor. Swanson on Internal Auditing: Raising the Bar by Dan Swanson can help guide them in that critical role.
After ten years as an auditor, I turned my focus to what I felt were the broader issues of corporate governance. Swanson shares that interest but remains focused on auditing. Much of his writing for Compliance Week, EDPACS, and the Institute of Internal Auditors has been at the forefront of issues like enterprise risk management, overall governance and board interface, compliance and ethics, as well as what is known as IT governance. Swanson covers these and many other topics here in a way that few can, with a writing style far more engaging than any of the auditors I ever had the personal pleasure to work with. (see contents)
Key for most auditors are the work papers, especially the point sheets, which reference every finding to the criteria or standard used in evaluation. While Swanson is no rogue auditor, neither is he wearing the blinders I found all too common when I was practicing in the profession. Perhaps one factor is his familiarity with so many auditing models and standards, which can provide conflicting guidance and which he discusses liberally but not to the point of confusion.
While others have called the book a road map, I see it as a key or legend, helping readers interpret the many symbols found on a plethora of maps – tying them together or pointing out their eccentricities. He tells you where to find the most common standards (with ample reference to website addresses) but the book’s real strength lies in his tips. For example, build into the internal audit charter a statement “about the auditor’s open and free access to all information across the organization.”
While many other audit books offer good advice regarding the provision of objective assessment, those who read Swanson could well become catalysts for change – advocating for improvements in an organization’s governance structures and practices. That’s where I used to get into trouble.
While working for the State Controller of California, one of my audit trails led to the Department of Finance. They threw up procedural barriers and got into the Constitutional issues of one branch of government auditing another. I took a vacation day and used the Public Records Act to obtain documents that clearly showed Finance had been making a mistake that cost the State a small fortune in lost federal revenue because of the way they were counting claims processed electronically. Auditors unaware of the big picture would have missed it.
Swanson will help you see the big picture and many of the small details. Twenty years on, I hope there are more auditors interested in viewing auditing in the larger context.
Buzz: Other reviewers, familiar to many readers of CorpGov.net, have also praised the book. Here’s just a small sample:
“In Swanson’s hands… internal audit becomes the lantern of Diogenes, illuminating accountability, responsibility and control.” Jon Lukomnik, Sinclair Capital LLC
“…provides concise commentary on strategic issues regarding the way internal audit is established, planned and performed.” Scott Mitchell, CEO of OCEG
“Internal auditing and information security are inextricably intertwined. Dan Swanson is highly qualified to write on the first and uniquely credentialed to write on the second.” Alexandra R. Lajoux, NACD