By Chinmay Kulkarni
One question I hear often is, “Is auditing just about finding mistakes?” It’s a common misconception. From my experience, auditing goes much deeper than fault-finding.
When I worked as an internal auditor for a tech company, the focus was always on improving the organization.
My job was to look at technology systems, identify risks, and suggest ways to strengthen processes.
For example, if I found that certain users had inappropriate access to systems, it wasn’t just about pointing out the issue.
I worked with the team to find solutions, ensuring we aligned with the organization’s goals.
The role was very hands-on, aimed at helping the business get stronger and more secure over time.
Now, as an external auditor, my role has shifted. It’s no longer about helping the organization improve but about providing an independent, unbiased assessment.
My job is to test controls, check if they are designed to address risks, and evaluate their effectiveness. I issue an opinion based on the evidence provided.
Unlike internal audit, I don’t give recommendations or solutions. Staying independent is critical here—giving advice could compromise that independence.
Our main job is to provide assurance, not to guide on improvements.
Here’s the bottom line: Internal audit focuses on supporting the business from within, helping it achieve its goals.
External audit, on the other hand, provides an outside view, ensuring that the organization’s controls are working as intended without crossing the line into consulting.
One Thing I Learned This Week
This week, I had a discussion with my senior about some updates I made to work papers after their review.
While addressing the feedback, I also made a few other changes I thought were necessary.
These updates were correct, but I realized something important.
“How would my senior know about the extra changes if they weren’t part of their original comments?”
Here’s the takeaway: always communicate your updates clearly.
If you make changes that aren’t directly related to the reviewer’s comments, add a note or comment in your work paper explaining what you updated and why.
If you’re using Excel, take advantage of its commenting feature.
It only takes a couple of minutes but can save time and confusion for whoever is reviewing your work.
A small habit like this goes a long way in keeping things transparent and making collaboration smoother.
CISA Question Clarification: Audit Charter vs. Engagement Letter
In a recent poll, 59% of voters correctly selected the Engagement Letter as the document that covers the scope of an audit for a particular exercise. However, 31% of participants mistakenly chose the Audit Charter, so let’s clarify the distinction.
The Correct Answer: Engagement Letter
The Engagement Letter is specific to each audit engagement. It outlines the audit activities, scope, and objectives for a particular audit exercise. This document is akin to a chapter-wise test in school, where the test focuses on questions for a specific chapter. It helps auditors and the audited entity agree on what will be covered in that specific audit.
Why Not the Audit Charter?
The Audit Charter is a broader document. It defines the overarching authority, responsibility, and scope of the internal audit function for the organization. This is like your final exam in school, which covers multiple chapters or subjects, detailing the broader scope of your education.
Conclusion
For CISA exams and professional audits, always remember that while the Audit Charter gives you the overall mission, the Engagement Letter focuses on the specifics of a single audit engagement.
This distinction is key in answering this type of question correctly.
This article first appeared on Chinmay’s IT Audit Guide and is published here with permission.