Building a Better Auditor: Transparent and Collaborative Auditing
Chifundo Biliwita, CIA, CISA, CFE, CICA | Jan 03, 2023
Internal audit projects are supposed to bring a sense of satisfaction to audit clients. That may seem counterintuitive, especially for audit clients who see auditors as only looking for problems, but think about it. It is an opportunity to understand what teams are doing well and what needs to improve and to influence changes that support the business's ability and certainty to achieve its objectives.
But this is not usually the case. For some audit clients, auditing is synonymous with catching a mistake. When they hear that they have been selected for an audit, emotions of fear, often of the unknown, kick in. What wrong has my team done? Am I being suspected of fraud?
Audit fears are among the inhibitors to successful audit projects. But how did we get here? Most auditors understand how we got these notorious stereotypes among audit clients: not being strategic, not engaging auditees well, not showing them that we truly care about their success as they do, assuming that something is wrong (beyond professional skepticism), and just not being transparent. The profession has invested much effort in trying to change this negative perception and position internal auditors as trusted business partners. However, not so many auditors have intentionally taken steps to earn their clients' trust. How can we become the trusted partners that we aspire to be if we can't trust our partners?
I engage audit clients in a very transparent and collaborative auditing process. The concept of transparent auditing is not often spoken about. In fact, it is divisive among purist internal auditors. Just the thought of internal auditors sharing their risk and control matrices (RCMs) and audit test plans with clients can cause such a stir among auditor circles. But applying this concept is one of the easiest ways to ease audit fears, eradicate stonewalling, disarm defensive audit clients, and make an audit an enjoyable process for clients.
So what are the key aspects of transparent auditing? In its purest form, auditors share RCMs and test plans with audit clients during audits, seek audit clients' input or feedback on these tools, and explain to them the details of the tests and why some of the tests must be performed — even if the audit clients feel differently. Here are a few scenarios that I encountered and how transparent auditing helped me:
In one of my audits, I set expectations that I would need a specified time to complete the project with the audit clients. We held two meetings: a one-hour kickoff meeting and later a two-hour process discussion session. I took samples, performed tests, and requested an additional two hours to perform high-level tests requiring observation and the audit clients' participation. To my surprise, the frontline direct audit clients asked to know the nature of the tests. I obliged and shared my tests, about 30 high-level key control tests. The audit clients then escalated to their manager that they were going through a lot of stress, they could not execute their other day-to-day work, and I planned to test too many things.
The manager reached out to flag the issues his team raised. For instance, they felt that I had a lot of audit tests and that my sample was too large. Understandable! I scheduled a one-on-one meeting with the manager, walked him through the details of the test, and explained how his team would only need about two hours to complete the audit testing. As I did this, the manager raised additional issues. He explained that:
- The team had not directly been audited or interacted with an internal auditor before.
- Previous internal auditors had simply sent them five risk assessment questions and never sampled them for an audit.
- The team already responds to over 20 questions and requests for information per year from external auditors.
At the end of the meeting, the manager realized that the audit tests were not so burdensome, and he requested that I share my tests with him. I did so, and he responded the next day with an affirmation to let me conduct the tests, and just like that, we completed the testing. In this case, I was dealing with a new audit client. These audit clients needed detailed and dedicated care and transparency. Sometimes baby steps can be the difference.
In another audit, I needed to review the details of testing that users and data custodians performed before signing off user acceptance testing and getting things migrated to production. Considering the criticality of the system to the business, I needed to observe the test. Surprisingly, I learned that one of the business leaders asked his reports not to schedule the observation test that would allow me to observe his direct reports performing this key control. Shocking, right? When I asked the business leader why he felt that way, he mentioned he had been audited before, but no one had ever asked him to observe a control being performed. To him, observation created unease among his team. I took time to help him understand why I could not provide reasonable assurance without observing the control in practice, a tactic that allowed him to yield to the audit test.
Lastly, in another audit, the audit client simply did not respond to my requests for meetings and information. I engaged the audit client and discovered that she was overwhelmed. Her department coordinated the external audit process, and the external auditors spent close to 10 months on the ground each year. She also mentioned that internal and external auditors were reviewing the same things. I asked her to share the external auditors' engagement letter, testing strategy, and request for information. I went a step further and engaged the external auditors to understand their audit tests and the samples they took and to assess their coverage. By working with the external auditors, we established rules of engagement that allowed us to rely on each other's work, avoid testing the same things, and reduce the samples taken if one of us had already tested the controls. Internally, I engaged the audit client to refocus the audit on areas that the external auditors had not reviewed and reduced the samples as necessary. In the end, the transparency of the intent to make the audit better for the audit client increased their engagement in the audit.
If you are not auditing for behavioral attributes, wrongdoings, fraud, or investigations, I would encourage you to build more transparency in your audits. Audit clients are not your adversaries; they should know the details of the tests and why you are doing them. RCMs and audit test plans are not gold codes. Audit clients cannot recreate processes, systems, data, and documents overnight. They cannot hide the process from you. You have the final say on what risks to test, what to test, and how you perform the audit tests. You would be surprised that by sharing your RCMs and test plans, the process owners may adopt and use them to self-audit: a huge win. After all, we do not audit to raise internal audit findings but to provide assurance and advice. Transparency in auditing goes a long way in making the audit process a joy for clients, by making the audit an easier process for them, easing their fears, calming their resistance, and improving transparency in conversations and communications, and overall engagement.