A kinder, gentler audit: successful audit reports don't pull any punches, or blindside recipients. A tactful approach can lead to a satisfying, constructive outcome for all parties involved.IN 1513, NICCOLO MACHIAVELLI WROTE in The Prince, "There is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely lukewarm luke·warm adj. 1. Mildly warm; tepid. 2. Lacking conviction or enthusiasm; indifferent: gave only lukewarm support to the incumbent candidate. defenders in those who would gain by the new one." In a very real sense, changes proposed by an internal auditor Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. are viewed in the same way as a new system. [ILLUSTRATION OMITTED] Most organizations are not staffed and managed by Machiavellian conspirators CONSPIRATORS. Persons guilty of a conspiracy. See 3 Bl. Com. 126-71 Wils. Rep. 210-11. See Conspiracy. . Instead, they are typically composed of intelligent, well-intentioned individuals who are committed to seeing the organization succeed. So how do internal auditors get these good people to embrace changes recommended in the audit report? Suppose you've put some effort into landscaping your front yard and take pride in its appearance. Your neighbor, a representative from the homeowners association, comes to your door and says the yard falls below neighborhood standards. He also says he has put together a fertilizing, watering, and maintenance schedule that, along with other suggested modifications, will bring the yard up to standard. Like most people in this situation, you would likely resist the recommendations or perhaps implement them grudgingly grudg·ing adj. Reluctant; unwilling. grudg  ing·ly adv.Adv. 1. and do the bare minimum required to meet association guidelines guidelines, n.pl a set of standards, criteria, or specifications to be used or followed in the performance of certain tasks. . [ILLUSTRATION OMITTED] By contrast, suppose this neighbor never knocks on your door to discuss the landscaping but instead invites you to his house for a barbecue one weekend. While at the event, you compliment the neighbor on his yard and say you wish yours were as lush as his. He tells you that his lawn grass variety is the same as yours; the secret is in the fertilizer fertilizer, organic or inorganic material containing one or more of the nutrients—mainly nitrogen, phosphorus, and potassium, and other essential elements required for plant growth. and watering schedule, which he happily shares with you. In this scenario, would you be more inclined to follow his suggestions? The success of audit reporting is determined largely by the attitude and specific approach with which internal auditors carry out their duties. When handled appropriately, and with sufficient tact, the reporting process can proceed as smoothly as a backyard barbecue. Five rules, in particular, can help auditors not only achieve greater reporting effectiveness, but also bring about positive organizational change. RULE 1: TREAT CLIENTS WITH RESPECT During a recent fraud investigation I conducted, the perpetrator A term commonly used by law enforcement officers to designate a person who actually commits a crime. thanked me at the final interrogation interrogation In criminal law, process of formally and systematically questioning a suspect in order to elicit incriminating responses. The process is largely outside the governance of law, though in the U.S. for the respect with which I treated him. He was extremely grateful, even though the company had just terminated him and subjected him to fairly draconian dra·co·ni·an adj. Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts. [After Draco. restitution In the context of Criminal Law, state programs under which an offender is required, as a condition of his or her sentence, to repay money or donate services to the victim or society; with respect to maritime law, the restoration of articles lost by jettison, done when the obligations. [ILLUSTRATION OMITTED] Even people who knowingly and deliberately commit wrongdoing wrong·do·er n. One who does wrong, especially morally or ethically. wrong do deserve to be treated respectfully re·spect·ful adj. Showing or marked by proper respect. re·spect ful·ly adv. . These individuals may be fighting
personal demons DemonsSee also devil; evil; ghosts; hell; spirits and spiritualism. ademonist one who denies the existence of the devil or demons. bogyism, bogeyism recognition of the existence of demons and goblins. , and internal auditors should look upon them with no less humanity than they would anyone else. Moreover, suspected fraudsters may still have extensive social networks in the organization, and the way auditors treat them could impact morale as well as the auditor's ability to function effectively even on routine assignments. If the auditors have done their job well, they will have the necessary facts to conduct their work--there is no need to denigrate den·i·grate tr.v. den·i·grat·ed, den·i·grat·ing, den·i·grates 1. To attack the character or reputation of; speak ill of; defame. 2. anyone in the process. Auditors who follow this first rule ensure their clients are well-prepared for the audit report. They share results with clients as the engagement progresses, noting issues along the way. They discuss items that might represent control concerns or efficiency issues directly with those responsible for the areas involved. Before issuing their report, these practitioners already know if the client will agree with the findings, and they've provided their thoughts for mitigating control risks or crafting more effective processes. RULE 2: GIVE CLIENTS THE BENEFIT OF THE DOUBT When auditors disagree with Verb 1. disagree with - not be very easily digestible; "Spicy food disagrees with some people" hurt - give trouble or pain to; "This exercise will hurt your back" clients' work processes, they should never assume the clients arrived at their approach out of ignorance or incompetence in·com·pe·tence or in·com·pe·ten·cy n. 1. The quality of being incompetent or incapable of performing a function, as the failure of the cardiac valves to close properly. 2. . Staff and management perform their jobs day in and day out Adv. 1. day in and day out - without respite; "he plays chess day in and day out" all the time ; it is their life. Auditors look at client processes as outsiders, and the limited time allotted al·lot tr.v. al·lot·ted, al·lot·ting, al·lots 1. To parcel out; distribute or apportion: allotting land to homesteaders; allot blame. 2. to individual assignments may preclude them from correctly placing all pieces of the puzzle. Thus, while client methods may seem unusual or wrong at first glance, valid reasons may exist for their decisions. Auditors need to maintain humility Humility See also Modesty. Humorousness (See WITTINESS.) Bernadette Soubirous, St. humble girl to whom Virgin Mary appeared. [Christian Hagiog.: Attwater, 65–66] Bonaventura, St. washes dishes even though a cardinal. , recognize their own fallibility fal·li·ble adj. 1. Capable of making an error: Humans are only fallible. 2. Tending or likely to be erroneous: fallible hypotheses. , and give clients the benefit of the doubt. Internal auditors should give clients credit for doing what they believe is right, even if their actions eventually prove wrong or misguided. For example, auditors can remove significant barriers to change by saying, "I understand your approach, and it makes sense in the context of what you've learned or what you've previously been trained to do on this job." This type of acknowledgement can help disarm clients and make them more receptive to constructive feedback. The auditors can then say something like, "We'd like to share with you some new information that has bearing on this issue." When auditors later follow up by seeking client input on practical solutions, the client will be more inclined to feel part of the solution and more likely to implement recommended changes. Clients have a greater tendency to buy into the process and take ownership of the recommendations when their input is solicited. At my organization, clients often implement changes well before the audit report is issued because they want to move forward with identified processes or control improvements as quickly as possible. [ILLUSTRATION OMITTED] RULE 3: PICK YOUR BATTLES CAREFULLY Not all audit issues are worth pursuing. Effective auditors know when to persist with their findings and when to back away. Audit comments usually fall into two broad categories: control-related comments and those related to effectiveness or efficiency. Each of these categories generally breaks into two subcategories: minor or serious. Internal auditors need to recognize these important distinctions. If the auditors find a serious control weakness without any mitigation in place, they must report it and ensure the client understands that internal auditing has no choice but to do so. Auditors do have a choice, however, in determining how reporting issues are framed. When auditors find a significant effectiveness or efficiency issue, they must obtain agreement and buy-in from the individuals who would implement recommended changes. Effectiveness issues are not black or white. They pit the auditor's opinion of effectiveness against that of the client who does the job day in and day out. If the auditors do not reach an agreement with the client but still want to make a recommendation, they are forced to butt heads with personnel who are intimately involved with the processes in question. Pursuing effectiveness and efficiency issues aggressively with upper management typically results in one of two possible outcomes. In the first scenario, the auditor accomplishes nothing because the personnel doing the job every day possess more credibility on judgment calls than the auditor. From then on, clients will likely be discouraged from cooperating with the internal auditors--a side effect that may well spread to other areas of the organization. In the second scenario, the auditor wins the battle but loses the war. Although the auditor may be able to convince management that a change is necessary for the good of the company, the clients forced to implement this change may become hostile toward members of the audit department. Clients will likely seek ways to prove the system change is unnecessary, unworkable, and counterproductive coun·ter·pro·duc·tive adj. Tending to hinder rather than serve one's purpose: "Violation of the court order would be counterproductive" Philip H. Lee. . In the end, there is a strong likelihood they will return to their old methods and procedures. To avoid unnecessary, relationship-damaging conflict, internal auditors need to choose their battles carefully. They must try to convince clients to recognize the wisdom of fixing problems identified during the engagement. If these efforts fail, and the problems represent a serious control issue, the auditors need to apologize for the stalemate stale·mate n. 1. A situation in which further action is blocked; a deadlock. 2. A drawing position in chess in which the king, although not in check, can move only into check and no other piece can move. tr.v. and explain that they are obliged o·blige v. o·bliged, o·blig·ing, o·blig·es v.tr. 1. To constrain by physical, legal, social, or moral means. 2. to report the problem and the risk associated with it. If the issue is not control related, the auditors should let it go--there is no point in creating ill will when little upside potential Upside potential The amount by which analysts or investors expect the price of a security may increase. upside potential The potential price or gain that may be expected in a security or in a security average, generally stated as the dollar exists. Internal auditing can still mention the issue informally to management and discuss the benefits of making a change, but this discussion should not be placed in the report. If managers see value in the idea, they will address it on their own. When auditors report a control weakness without reaching agreement with the client, they must handle the report with care. They need to explain why the control is not in place and why those running the process believe they should not implement the control. In many instances, resource constraints prevent clients from responding to control needs. The auditor's job is to ensure that management is aware of the deficiency and the risk associated with it, and explain both the severity and likelihood of the risk as clearly as possible. Controls cost money, and management must decide if it wants to spend that money or simply treat the risk as a cost of doing business. RULE 4: ACCENTUATE ac·cen·tu·ate tr.v. ac·cen·tu·at·ed, ac·cen·tu·at·ing, ac·cen·tu·ates 1. To stress or emphasize; intensify: THE POSITIVE Although following the first three rules should result in a constructive, professional audit report, internal auditors must still be mindful mind·ful adj. Attentive; heedful: always mindful of family responsibilities. See Synonyms at careful. mind of the overall need to maintain a positive approach to the reporting process. Regardless of the assignment, auditors must always be able to communicate results and recommendations without using negative or accusatory language. Even in areas where significant deficiencies exist, there is no need to say something like, "Department personnel are not doing what they are being paid for, and they need to start pulling their weight." Instead, auditors can use a more constructive approach: "This department has significant challenges, and we have identified several areas where improvements can be made. We have agreed with department management on appropriate changes to address the concerns identified." When significant findings must be reported, such as during a fraud investigation, auditors can get their message across by simply stating the facts and avoiding editorial comments. Emotionally charged, subjective language can be tempting to use when the auditor feels strongly about a situation, but it is ultimately counterproductive. Auditors need to avoid this temptation by remaining objective and keeping their work on a professional plane. Moreover, they must be sure to give clients credit for their positive achievements, rather than only discussing problems or weaknesses. The old homespun expression many of us learned from our mothers remains valid: "You catch more flies with honey than with vinegar vinegar, sour liquid consisting mainly of acetic acid and water, produced by the action of bacteria on dilute solutions of ethyl alcohol derived from previous yeast fermentation. ." A positive approach and positive language draw people into dialogue; a negative approach usually results in walls erected to keep auditors and their new ideas "New Ideas" is the debut single by Scottish New Wave/Indie Rock act The Dykeenies. It was first released as a Double A-side with "Will It Happen Tonight?" on July 17, 2006. The band also recorded a video for the track. at a distance. RULE 5: BE INFORMATIVE To ensure clients read and clearly understand report content, internal auditors must pay close attention to the document's substantive content and structure. Reportable issues need to be developed fully and presented in a cogent COGENT - COmpiler and GENeralized Translator manner. Moreover, audit reports need to be persuasive, especially to readers who have not received any prior exposure to the audit. The most effective, best-crafted audit reports are based on well-developed, detailed comments. To ensure comments are informative and useful, internal auditors can follow the development criteria found in Sawyer's Internal Auditing, 5th Edition, which cites five audit-comment elements: * The criteria are the rules, principles, or guides that lead the auditor to believe a problem may exist. Auditors must have a clear understanding of criteria to articulate them to others. * The condition explains what's being done (i.e., the client's process), focusing only on the facts. The description should be communicated clearly, without judgmental language Judgmental language is a subset of Style over substance fallacy and Red herring fallacies. It employs insultive, compromettant or pejorative language to influence the recipient's judgement. Examples
* The cause helps explain any deviations from the criteria and account for why these deviations exist. * The effect answers the question, "So what?" That is, what are the potential consequences of the condition? Without a cogent effect, the auditor has not established that a problem exists and does not have a valid audit comment. * The recommendation describes the actions for management to consider. The internal auditors' job is not just to "throw rocks" but to help find solutions. They must find an agreeable solution to the condition, or an approach to finding a solution, to which all are parties are willing to commit and follow. Auditors should also consider a sixth element not covered not covered Health care adjective Referring to a procedure, test or other health service to which a policy holder or insurance beneficiary is not entitled under the terms of the policy or payment system–eg, Medicare. Cf Covered. in the Sawyer text--the response. Management needs to be comfortable with not only the ideas discussed but also with how those ideas have been presented in the report. Responses give management an opportunity to provide feedback on the report findings. Moreover, that feedback helps auditors gauge the effectiveness of their work. Each of these elements is essential to effective detailed audit comments--neglecting to incorporate any one of them will leave readers wondering why reported issues require change or whether the changes suggested would lead to improvement. Detailed comments are the foundation for the summary report to senior management and the audit committee, and internal auditors must keep this audience in mind when drafting them. The summary should contain the auditor's conclusions and opinion and convey the essence of the detailed comments. Auditors should keep the summary brief, ensure the content is accurate, and focus on presenting solutions, not problems. AGENTS OF POSITIVE CHANGE During his presentations to company employees, my boss often uses a cartoon to illustrate a point about teamwork. The image shows a rowboat with a small group at each end of the craft--one end is in the air and the other is resting deep in the water. The partially submerged group is shown bailing out water. The group on the high end, safe for the time being, says something like, "It's a good thing we're not on that end of the boat." When conducting their work, internal auditors need to remember that they are part of the organizational team. Practitioners should approach each engagement with a cooperative mindset mind·set or mind-set n. 1. A fixed mental attitude or disposition that predetermines a person's responses to and interpretations of situations. 2. An inclination or a habit. and continually seek ways to help other employees and make their jobs easier. They should remember that, for many clients, auditing can be seen as an intrusive, disruptive process. After all, internal audit work essentially boils down to walking into employees' personal workspace, looking over their shoulder, and making value judgments on their performance. Any engagement can be an intimating proposition for the audited group, and the power wielded by internal auditors should be handled responsibly. To obtain optimal results, auditors must conduct themselves in a way that encourages clients to see them as a trusted counselor. As agents of positive change in the organization, auditors need to become valued insiders--not outsiders who cause others to put up their guard and resist constructive change. To comment on this article, e-mail the author at lawrence.deberry@theiia.org. LAWRENCE DE BERRY, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , CISA (Certified Information Systems Auditor) The award for successful completion of an examination in information systems audit, control and security from the Information Security Audit and Control Association. See ISACA. DIRECTOR, INTERNAL AUDIT BASIC AMERICAN INC inc - /ink/ increment, i.e. increase by one. Especially used by assembly programmers, as many assembly languages have an "inc" mnemonic. Antonym: dec. . ILLUSTRATIONS BY GARY HOVLAND |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion