Audit Transparency in Action
Professional trainers have many opportunities to speak to companies and organizations about leading practices in the internal/IT audit industries. Trainers have the luxury of opining on internal matters while remaining outsiders, which enables them to stay removed from inter-company politics and corporate culture.
Many trainers believe, within any environment, certain foundational aspects of internal/IT audit are necessary for success. One of these key pillars is the general concept of audit transparency. The general perception is that, whenever possible (and it should be possible in all audits except for fraud investigations), internal/IT audit should pride itself on 100 percent transparency. This is foreign to many auditors and is not ingrained in the thought process of departments.
Why is transparency a key pillar of audit success? There is an inherent lack of trust of internal auditors in many organizations because of the negative connotation that is inherent in the word “audit.” It leads to the client’s perception that auditors are “out to get them.” The best way to combat this attitude is to have ultimate transparency throughout the audit process. Here are some audit process milestones where transparency is key:
- Kickoff meeting
- End of planning (discussion of objectives and sharing of audit work program)
- Throughout fieldwork (vetting observations)
- Reporting (writing observations and action plans)
Setting the appropriate tone with clients is key to establishing a strong foundation and relationship. In many cases, clients do not perceive themselves as having any control over the audit results when, in fact, in most audits (compliance/regulatory, operational) clients do have control over the audit results. If clients are doing what they are supposed to be doing, they have control.
The auditor has to make sure clients are well aware of this fact and share as much knowledge as possible. One way to do this is by focusing new relationships on the definition of internal audit. The Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF) defines internal audit as:
An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”1 (emphasis is added.)
The key point of internal audit according to the definition is helping an organization accomplish its objectives. If audit focuses on the business objectives of the clients, it is able to connect with the clients on a key monetary aspect: If objectives are met, in many cases, the clients get more money. This helps to alleviate the proverbial wall of defense that is initially put up.
End of Planning
The goal of audit planning is to finalize the audit objectives and create the audit work program, which will guide the team step-by-step through the audit testing (fieldwork). These are two very important milestones of the audit process and ones that are not routinely shared/discussed with clients.
Once the audit objectives are finalized, these should be discussed with the clients and vetted. It might be difficult to gain full agreement, but the goal is to gain the clients’ understanding of why the objectives are defined as they are. This is easier than it sounds if the auditors are focusing the discussion on meeting the business objectives; the outcomes should be appropriately aligned.
In an effort to be fully transparent, auditors should share the audit work program with the clients prior to fieldwork at the end of planning. This step tends to shock many auditors, but, in most cases, the clients already know what this looks like because the work program is based on their internal processes/procedures. This is not the auditors’ perspective at times, so this step helps the audit to refocus on the business objectives.
Some may think, “If clients have the work program in advance, they can clean up all of the issues before the audit.” An appropriate response is “Good!” However, cleaning up and falsifying records are two very different things, and falsification can never be tolerated. It is worth keeping in mind that clients will not know the sample that will be tested, so cleaning up their records would take a Herculean effort in a very short amount of time. Frankly, if clients have time to do that, then they are vastly overstaffed, and that just does not happen.
As auditors, focusing on the business objectives helps maintain the ultimate objective of acting as a change agent inside the organization. Even if clients clean up their records, they will not be able to clean up systemic issues, which are the focus of audits.
Throughout fieldwork, the audit team should share the audit observations with the clients to vet and confirm each observation as it is identified. This shows the clients that the audit team is not “out to get them” and focuses on an end result that is known by the audit team and the clients prior to the finalization of the audit.
To forge strong rapport and relationships and, in turn, transparency, audit reporting must be a two- way street (with ultimate decision making about and ownership of the report lying with audit). If goodwill and trust have been built throughout the audit process, it should be an easy and natural step to partner with management to finalize the observations/recommendations/action plans.
Taking it a step further, in cases where the auditor has a good working relationship with the clients, having the clients create the first draft of the observation will enable them to take ownership of what is written. Obviously, if the clients’ version of the observation is inadequately stated, then audit will alter the wording and make sure the point comes across appropriately. The sharing of these responsibilities creates a team environment that is, ultimately, created through transparency.
Transparency in Action
The North Dakota (USA) Workforce Safety and Insurance Agency (WSI), which functions in a manner similar to a private insurance company, is the sole provider of workers’ compensation insurance in that state. In North Dakota, state law mandates that every business with employees must carry insurance through WSI. Eight years ago, the WSI internal audit department started anew, after internal ethics scandals and questionable management decisions caused 100 percent turnover in the audit department.
A new director was appointed by the governor in March 2009. Due to the turmoil surrounding several of the previous directors, there were many issues that ran from top to bottom in the organization. There was little or no employee loyalty, no confidence in management, low morale and each department tried to protect itself. This caused an employee turnover rate of 16 percent—high for US government positions.
When the new director started, the need for significant change in the organization was obvious. To that end, the director instituted a four-pronged strategic plan that addressed:
1.Creating a strategy to change the culture, which included a balanced scorecard (BSC) initiative
2.Adopting servant leadership principles
3.Simplifying management’s message and what it wanted to accomplish
4.Focusing on core values, communicating them,over-communicating them and reinforcing them
The management team stressed the importance of audit and its purpose to help the organization. Transparency was key and management support was necessary throughout the process; in fact, the management team still attends audit update meetings throughout the year to stress the importance of internal audit throughout the organization.
The audit department was vacant for several months until a new team was hired. With the department’s reputation in tatters and fear of audit running rampant throughout the organization, the audit team had to start from scratch—not just from a methodology standpoint, but from a reputation- building and marketing standpoint.
Based on the audit committee’s requests, the audit team started by following up on and validating all audit observations that were made by both internal and external audits over the past few years. This nearly two-year effort resulted in more than 100 recommendations from these audits.
The follow-up work was a perfect place to begin to rebuild relationships since it was not a deep dive, just high-level discussion and audit work on past observations. The approach was simple and extremely considerate of the client’s schedule— follow-up did not impede the client’s workload and recommendations were spread out so as not to overload the client.
Many of the clients were hesitant to work with internal audit at first, but that attitude changed significantly because of audit’s approach. The audit team focused on marketing audit and essentially humanizing the profession. The auditors spent time educating the business on the purpose of internal audit within the organization and establishing strong rapport and personal relationships. The team also began to draw the line between external and internal audit, highlighting the significant benefits of being internal.
Over the first year, the response to internal audit was positive. Client interest was generated because of the 180-degree change in approach and attitude. The main client questions were “Will this be different?” and “Will this team actually be helpful?” Internal audit’s approach continued to be completely transparent, starting with the development of the annual audit plan. Clients who might potentially be on the upcoming audit plan met with the team to clarify the positions of both the clients and the audit team and the rules of the audit engagement.
Throughout the audit process, internal audit placed an emphasis on transparency. The team focused on the control aspects of everything being vetted and discussed throughout the audit.
Now, there is a true open-door policy with clients, whether during the audit or outside of the audit cycle. The team environment has refurbished the reputation of the department, as noted by the incoming calls the team fields for assistance and the on-average 10- to 20-minute exit conferences.
WSI is the perfect example of how audit transparency can drive trust and long-term audit success. By applying the principles of transparency whenever possible, constant and continuous communication, and a focus on business objectives, WSI mended a fragile relationship with clients and is a true asset to the organization.
The Institute of Internal Auditors, Definition of Internal Auditing, https://na.theiia.org/standards- guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx