Occasionally, it helps to take a light-hearted look at a serious topic. I have been speaking and writing about the imperative of internal audit timeliness for more than two decades. I even dedicated three chapters of my book, Lessons Learned on the Audit Trail, to this enduring challenge. As I often note, even the most carefully planned and meticulously conducted audit will serve no value if the results are delivered too late to make a difference. At the same time, I have been cautioning about audit processes that result in untimely audit results, I have also cautioned about the dangers of auditing too quickly. I have referred to these as “drive-by audits.”

While carefully crafted internal audit policies can mitigate the risks of audits that are undertaken too slowly or audits that are conducted at a reckless pace, there is another variable that often circumvents the best crafted policies — the tendencies and personal characteristics of some internal auditors. Those who are overly cautious and meticulous to a fault will often deliver internal audit results that take too long. Those who are impatient and have a difficult time focusing are often the ones who rush to judgment. I call these personality types the snails and the rabbits, respectively.

If you have been an internal auditor long enough, you are bound to have teamed up with a snail along the way. As the team leader, you have assigned key portions of the internal audit plan to members of the team, only to discover that the rest of the team is waiting at the finish line while the last piece of the audit is being polished off by the team’s slowest member. Conversely, a CAE’s worst nightmares can often be the rabbits on your staff. They will cheerfully bring you a draft internal audit report in record time. However, the problem will often be that insufficient evidence was gathered to support the results.

The dangers of snail-paced internal auditing can extend well beyond completion of the engagement. Because they can slow down the entire audit process, it may be necessary to reduce, postpone, or cancel other planned engagements. Client satisfaction plummets as audits stretch on without visible results.

By contrast, the dangers of rabbit-paced internal audits are the risks they present to internal audit’s credibility. Audit’s that are conducted at the speed of sound run a greater risk of containing inaccurate results, or missing something that presents an ongoing risk. The rabbits often rely on canned programs or checklists to perform quick audits, which can fail to get to the heart of the most significant risks within the processes under review. These internal auditors may get their reports out early, but they are more likely to contain errors or serious omissions than those issued by the snails.

Fast or slow, the impact on quality can be significant. That’s why every internal audit department needs to have control mechanisms in place to mitigate the potential dangers of snails and rabbits. These include sound internal audit policies and minimum documentation standards required for all engagements. But even the best policies and procedures may not be enough.

Supervisory reviews of audit plans can help to keep processes in check, assuming those reviews take place before any damage is done. Unfortunately, supervisory reviews too often take place after the fact. For example, we all know of instances in which audit programs were not approved until after fieldwork was underway. And if supervisory reviews are not completed until the end of an engagement, errors or omissions made by a mistake-prone rabbit might necessitate extending the engagement or sending in a new engagement team.

Supervisory reviews also are important on the other end of the spectrum. Slower, more deliberative internal auditors may need feedback to ensure valuable time is not spent on unimportant issues.

It’s a dilemma worth of our attention. Internal auditors must be capable of auditing at the speed of risk; in the current environment, that speed is sometimes very fast. We also must be capable of providing reliable assurance about risks and controls. It’s a balancing act that can be difficult at times. But only by avoiding the dangers related to speed — too fast or too slow — can we ensure that our work is accurate, complete, and timely.