Auditor Bugs


This is an article which appeared in VISTA, published by American Society for Quality Control, Quality Audit Division, August 1996. A (poor) copy of the whole newsletter can be obtained from the ASQ, Quality Audit Division Vista archive at (Note that the electronic version is not up to the standards of the paper version). It was later reprinted in SHARE – The newsletter of the Queensland Branch, Institute of Internal Auditors – Australia, November, 1996.

A Customer Focused View of Auditing or

“Why are all these people bugging me!”

And in the beginning there was the financial auditor. And lo, his interest was in interest and other matters financial. And his bible was GAAP and taxation and business was good. And his masters looked down from the ivory towers and the halls of money and were pleased. And they said go forth and audit, and while you’re at it check how well so-and-so and who’s- his-face are doing running their department. And so they went and looked and checked controls and all were happy and prosperous-except the auditee, of course!

But lo, in time, there arose from the muck and mire a lonely voice crying, “But what about me? I’m the customer!” And the financial auditors looked down and sniffed their noses and said “So?” And lo, there arose from the bedrock of the plant, a strange creature called a Quality Auditor. And their interest was that of the customer and the service user, and not that of the creditor and the shareholder. And they did use the tools of the financial auditor in strange and unique ways. And the financial auditors looked down and realized how much audit business was being lost to these upstarts. And great gnashing of teeth and scratching of heads was heard in the halls of the mighty. And from the office of the auditee was heard a great moan and the crash of desks breaking under the weight of the paperwork. And the gods of perversity looked on and giggled ….

Okay, so you’ve just had your fifth audit in as many days. You are sick and tired of answering questions. You now know more about exactly what you do in a day then you ever wanted or needed to know. In fact, maybe now would be a good time to go see your boss about that raise …

Well, while you’re thinking about your opening line you might want to ask why there are so many auditors. Let’s see, all in all you’ve been audited by:

  • An External Financial Auditor,
  • An Internal Financial Auditor,
  • An Operational Auditor,
  • An External Quality Auditor, and
  • An Internal Quality Auditor.

And right about now you’re beginning to worry that the Government is going to send in a safety inspector and your largest customer is going to send in…

Who are these people and why don’t they just talk to each other and leave you alone? They all seem to do exactly the same thing. They all ask more or less the same questions. They all look at the same paperwork.

Well, let’s start by getting Internal and External out of the way. Obviously, the simple answer is that Internal Auditors are employees and External Auditors are not. Actually, the differences are not quite so simple. But when are they ever? Because Internal Auditors are employed by the organization, audit rules consider them to be influenced by their organization. External Auditors are third party auditors hired by the organization to provide independent assurance to those outside the organization. This definition leads us to a third type of auditor. Not all outsiders can (e.g., Defense Contracts) or will (e.g., Income Tax audits) rely on the External Auditors. They require their own specific types of audits which are often performed by their own Internal Auditors. These are often called Specific or Second Party Audits since they are performed by the “customer” or “vendor.”

But if no one can trust the Internal Auditors’ opinions, why have them? The simple answer is that other auditors can. Traditionally, Internal Auditors have appeared because of cost. Employees cost less than contractors. Once an organization becomes large enough to keep an auditor busy all year, an internal auditor function begins to appear. Internal Auditors can check larger portions of the organization economically, and can do it in greater depth. Outside auditors (both External and Specific) can then review the worksheets and reports prepared by the Internal Auditors. In essence, outside auditors can express their opinion based on auditing the auditors and by checking “key areas.” The result is that the External (and to a lesser extent Specific) Auditors can restrict the scope of their work. Aren’t you glad you were a “key area” to the auditors this year?

That still leaves us with three different types of audits: financial, operational and quality. So what’s the difference between them? They all seemed the same.

A fast answer would be that the financial auditors audit figures and quality auditors audit quality and operational auditors audit operations. In fact, if you ask all three auditors they’ll say that’s someone else’s job. Financial Auditors say Government (Tax) Auditors do that. Quality Auditors say Inspectors and Product Certification Organizations do that. Operations Auditors just hide and pretend they didn’t hear. Which leads to a third model of types of auditors: Auditors and Inspectors. In simple terms, Auditors check the process and Inspectors check the output. However, auditors use the outputs to verify the process. So sometimes it’s difficult to tell the difference.

But we still haven’t answered the question of the difference between financial, operational and quality audits. From a technical viewpoint they are all similar. In all three cases they audit systems. In all three cases they rely on statistical sampling of “paperwork” and interviews to verify the process. Many of the audit techniques now used by quality auditors were provided by financial auditors. Of course, at the time, the financial auditors didn’t know how profitable quality auditing would be!

Well, if what they audit and how they audit is the same, maybe the difference lies in what standards they use! At first glance, there is a great deal of difference. GAAP (Generally Accepted Accounting Principles) is described in several VERY large volumes. And if the financial audit is provided for the tax department then the number of volumes increase even more! The Quality Auditor, on the other hand, uses a very small set of very thin volumes of less than 50 pages each. And an Operational Auditor doesn’t use a manual at all. But if we look a little closer, we find something very interesting. All three auditors rely on experience and common sense far more than they rely on the standard. And while a portion of the audit consists of checking against the standard, most of the audit consists of confirming what it is you do. So the answer isn’t there.

Since that’s not the answer, let’s try their product. All three produce audit reports, audit worksheets and an opinion. No difference there! And their audit reports and audit worksheets look similar. The opinion is different though. A Quality Auditor expresses an opinion on the system. An Operational Auditor also expresses an opinion on the system. A Financial Auditor expresses an opinion on the figures-the output of the system. Maybe they aren’t that different.

Well, maybe the answer is in who does the audit. Financial and Operational Auditors are both accountants. Quality Auditors may be accountants but more often come from the production floor. We’re getting closer but still …

Let’s look at it from a slightly different view. Who uses the audit opinion? Who are the “real” customers? In the case of a Financial Auditor, the customers are primarily external creditors, banks and shareholders. Internally, management and others concerned with fiscal responsibility are the primary users. An Operational Auditor is in many ways a management consultant. The customers are upper management and those concerned with control and profitability. A Quality Auditor’s customers are the company’s customers, internal customers and sometimes vendors. The concerns revolve around ability to deliver and physically meet agreements. Each of the stakeholders for an organization has their own concerns and different types of audits have arisen to address those concerns.

With Audit Customer as a prime component of the mental model, the differences and similarities begin to make sense and can be predicted. If we then add the components of process audit and product inspection even the erroneous opinions begin to make sense. We can begin to understand what elements are important to each, and why the three audit types coexist.

A Quality Auditor’s opinion is used by the company’s customer as an assurance of the product quality. This would tend to indicate that the audit concentrates on the product. Historically, this is correct. Quality Audit began as a product inspection process. While the inspection process continues, a Quality Auditor now concentrates on the process that creates the product. Verification, and audit tests concentrate on elements of the process which ensure that quality variances in the product are controlled. The definition of customer can be quite wide and the standards the product must meet can cover many different elements. Delivery times, fitness for use, color, and even friendliness can be included in the definition of quality.

An Operational Auditor’s opinion is used by the company’s management as an assurance of adequate control and efficiency. This would indicate that audit concentrates on spending, efficient use of resources, profitability and other financial affairs. And again this is correct. Traditionally, this has been the responsibility of management, who continue to have the responsibility for inspection. However, for many organizations Internal Financial Auditors are used to supplement management’s ongoing inspection by auditing the Operation. Verification and audit tests concentrate on elements which affect the short and long term profitability (efficiency) of the department. Unlike the Quality Audit, the definition of quality in an Operational Audit is quite focused on control and function efficiency. However, as quality and TQM become a greater and greater force, a type of Operational Audit is appearing from the Quality Audit path. In fact, many Internal Quality Audits now fit into the Operational Audit group more than they do into the Quality Audit group. The continued survival of Quality Auditor credibility will depend on recognizing the shift from customer focus to management focus.

A Financial Auditor’s opinion is used by the company’s creditors, investors and others who are interested in dollar matters. This use suggests that the focus would be on fiscal responsibility and accuracy of the financial statements. And again, prediction agrees with history. While “ticking and bopping” (checking the figures) continues to be done, Financial Auditors concentrate on the process. The inspection process has been transferred to special types of audits (e.g. tax or fraud audits) and to the process holders. Verification and audit tests concentrate on proving that adequate control of loss and accuracy of the information is in place. The definition of quality has become focused on generally accepted principles for financial reporting (GAAP) and on control.

Is it possible that a Quality Audit can include the other two audits? We’ve all heard of Quality Audits that have digressed into checking financial figures and market estimates or personnel issues. To a certain extent it is possible that both or all will check a certain element. Credit and Collections is important to all stakeholders for a Credit Department. But the focus is different for each of the stakeholders. For the department’s customers (Quality Audit) speed and friendliness are important. For the company’s creditors (Financial Audit), preventing lost income from bad credit and exposure to risk are important. For the company’s management (Operational Audit) a balance between the two is most important. Asking a single audit to comment and act on all three conflicting desires is not practical.

So now you know why all these auditors have parked themselves on your door. Each is performing the audit function concentrating on the areas and concerns which are important to their driving stakeholder. The result is a balanced and more complete coverage of issues. And if you “plug in” then they can help you to achieve a balance among the people you have to please.

In a way, you should feel lucky! There could have been as many as eighteen auditors on your doorstep:

Source of Auditor: Level of Focus: Stakeholder Interests:
1. Internal: representing the organization 1. Audit: focused on process 1. Financial: on behalf of Shareholders and Creditors
2. Specific: representing a specific group, e.g. some customers or a government department 2. Inspection: focused on output 2. Quality: on behalf of Users of the output
3. External: independent, third-party representing all groups 3. Operational: on behalf of Management

Just pick one from Column A, one from Column B, and one from Column C, and Voila!-you have an audit.

Oh, and by the way, that conversation with your boss… You might try opening with the “good news/bad news” line. The good news is you’ve figured out how to keep all your stakeholders happy by talking to the auditors. The bad news is that you’ve realized just how much you do in a day and you may need some help!
Glen Ford has spent more than 20 years (he won’t admit to more) in General Management, Accounting and Information Services. He developed an interest in quality standards in a previous life at the Canadian Standards Association. Glen currently works in the IS field and can be reached at .

© 1996 Glen D. Ford, all rights reserved. Permission is granted for unlimited reproduction as long as no charge or profit is made directly or indirectly from the use. The author is to be informed of all uses of this article regardless of the previous granting of permission.

used with permission.

Posted in Reference Materials, Articles