Friday, 8 April 2016

Being audited? Some tips for a better audit experience...

TIPS TO SURVIVE YOUR AUDIT...

"Nothing is certain in life, except death, taxes and audits", a phrase I extended from the well-known Benjamin Franklin quote. Whether it is an External Audit or an Internal Audit, a Safety or Engineering audit, or even an audit by Regulatory or Tax Authorities, all these audits have a lot in common. The Auditors are there to verify your process controls, risk mitigations and compliance with rules. They request data, they do checks, they ask lots of questions, they identify weaknesses and raise suggestions, they write reports, and they give ratings. At the end your Senior Management will look at the outcomes and make their judgement.

In my financial management roles, I have been audited many times. I took the approach of making the Auditors' experience a love-hate one. I too wanted to terrorize the Auditors, as I had been tormented by some clients when I was at a Big 4 audit firm. Spinning to the other side, I then took up roles leading Internal Audit functions and the torment returned, against me. I used this time to engage with Stakeholders at all levels of organizations and to listen to the Auditors' views, in order to improve the engagement, the co-operation and the outcomes without compromising the quality of the audit. Here are some of my generic tips to help you make your next audit more manageable...
(If in a hurry, just read the bold headlines.)

Before audit starts:

1) Arrange a meeting with the Lead Auditor well in advance. Try to understand their audit process and approach in sufficient detail so you can identify any potential issues or risks that need to be understood or mitigated. You can share your own time challenges with the Auditors so they can include them in their planning. Whether it is your first audit or a repeat audit, this remains a good step towards maintaining mutual understanding throughout the process.

2) Before the Auditors arrive for fieldwork, ask them what more can be prepared for them. They will usually send their requests, but if you look at your work plan for the coming months, you may need to advise them upfront when the data is best requested and when they can best receive it. Such open and clear communication will be appreciated and allows expectations to be met both ways.

3) Consider delegating the audit coordination role to a responsible staff member. This way the personal irritations of individuals can be calmed to a workable level. However, this role could also become a bottleneck, depending on the depth of the audit scope. The person allocated this role needs to put in twice the normal effort to ensure information flows fluidly and differences are dealt with appropriately.

4) Provide the data as requested, and more rather than less. This can be daunting when Auditors, who may not understand your systems and processes, ask for the world of information. The next two tips will help.

5) Ensure the data request is discussed upfront so that you understand its specifications and purpose. To do this, you and your team need to understand your own data capabilities. You may even need to research the data fields and layers available. This is to ensure the data extraction does not crash the operational systems. Consider proposing alternative data options to the Auditors as a compromise.

6) Do not just go and create the data required by mixing and matching databases. The last thing you need is to spend over a week creating the data requested, only for the Auditors not to use it because it does not serve their purpose. Discuss the request with the Auditors and push back, citing the resource challenge of preparing the data. However, be careful: a bright Audit Senior may step up and show you how easy it is to extract the data. So before pushing back, ensure you have considered all options.

7) If the data volume is impossible to handle, consider asking the Auditors to focus their request on specific months or locations where the volume is more manageable. Here it is about offering a compromise. Let the Auditors choose the refined criteria so they remain in control of their random selection and independent verification.

During the audit fieldwork:

8) At the opening meeting on day 1, give the Auditors a presentation overview of your business operations. This could even take place weeks or months before, or during any pre-audit stage. It is a great chance to showcase your department and to hear the Auditors' first thoughts while building a collaborative engagement. A better-informed Auditor is able to do a better job and provide more valuable recommendations. Even if it is the same Auditors annually, a refresher will still add value.

9) Hold a short daily debrief with the Lead Auditor. Here you can get a feel for potential issues that may require early clarification, and also learn first of any overdue items from your staff. Auditors may not be too critical of initial delays, as they juggle the delays with other tasks. However, it is best to probe them to be open even about light concerns, so you can take light steps to ensure they do not escalate.

10) Any interim audit issues uncovered could be addressed immediately, even before the Auditors leave. They may still include them in their audit report, as they did find the issue during the audit. However, the fact that it is already resolved or implemented leaves a positive impression on the Auditors and your Leadership.

11) Ensure staff commit extra hours to cope with both their daily duties and the audit requirements. The worst mistake is to think that once one question is answered you are done. There will always be more questions. There will also be more data required. So to ensure a smooth audit process, the extra hours should be made available.

12) Reschedule low-priority tasks and deliverables. If it is not critical, it can wait a few hours or days. This applies to the department manager and the team alike. The aim is to offer the Auditors more of your time, allowing them to conclude the audit faster and more effectively.

Post audit fieldwork:

13) Actively engage with the Auditors until the audit report is considered final. After the fieldwork there may be questions from the Auditors for clarification. So encourage your staff to respond promptly and also to anticipate any potential issues that may arise. Some Auditors leave the site with their final report ready, based on the scope and depth chosen. Some may decide to continue with more analysis. Therefore it is best to adapt to the approach the Auditors apply to your entity.

14) Request a post-fieldwork discussion with the Lead Auditor so that you can share any new information and the Auditors can communicate any newly identified issues. If you are expecting an issue to be raised and you later uncover facts that make it a non-issue, communicate this. It saves the Auditors the time spent drafting the finding and saves your time trying to cancel the issue once it is eventually raised.

Tips for Senior Leadership:

15) Encourage your managers and their staff to be complete in their responses to the Auditors. Staff should offer the Auditors opportunities to ask follow-up questions and should also provide them with a bigger-picture view. This way the Auditors will gain the best possible understanding before they raise any issues. Limited responses could lead to irritations at a later stage. Also, the Auditors will engage with so many personnel that there are bound to be a few interactions that create friction, especially if deadlines are tight.

16) Leaders should set the tone from the top. They should sit with the process owners or their department heads and reassure them that it is okay to have findings arising from audits. Then remind them that the focus should be on the immediate rectification of the issues raised and on the sustainable implementation of the fixes. Also set the expectation that critical findings will be discussed separately and their root causes analyzed to prevent recurrence. This expectation gives the audited management a basic framework to work with.

The intention of the above is not to allocate blame or point fingers as to who is responsible for a poor engagement or poor outcomes. It is certainly not a complete list. The audit journey should be a joint one, with both Auditors and Auditees taking the lead and maintaining order. This is not a science, but it is an experiment. Some experiments will succeed and some may not. I have had the privilege of witnessing expertly engaged audits with no compromise on quality, and yet there was no one person responsible for that successful outcome.


< written by Dipesh Narsai>

Feel free to read my other articles in this "Interesting Thoughts of an Auditor" blog series...

Sunday, 20 March 2016

 
Six steps on how to assess a conflict of interest situation in your organisation.

The content of this article is applicable to business leaders and department managers who uncover conflicts of interest, and also to those who are tasked with investigating such situations. Conflict of interest is receiving greater focus as white-collar fraud gains attention.

We start with some conflict of interest examples, which could relate to: a Sales Manager signing on a customer with excessive discounts, or a Procurement Officer buying goods and services from a vendor at very high prices. At the senior company official level, a conflict of interest could relate to a Director having inside knowledge of a strategic deal with a third party which is partially owned by that same Director. Note that these examples do not imply such cases actually exist for the roles mentioned. Keeping these hypothetical examples in mind, the six steps below offer guidance on how to assess any conflict of interest situation you uncover:

1) Assess the relationship between the parties involved: Firstly you need to consider whether the two conflicted parties have any relationship at all. But that is not enough. How close is that relationship? Are they just friends? Everyone has friends who may do business with their companies, so just being friends is not enough. Is the friendship so close that special favors are possible? If the parties are immediate family members, then a clear conflict exists. If they are relatives, this could be considered a close enough relationship. However, those who collude for the first time may not be assessed as having a close relationship, and their conduct would lean more towards fraudulent acts.

2) Disclosure of conflict of interest: Now that we can ascertain there is a conflict relationship between the two parties, was it declared to the Line Manager, either verbally or in writing? If not disclosed, this could be considered a violation of the company's rules. However, being closely related and not disclosing is still not enough to conclude your assessment. There needs to be an act of violation, i.e. the conflict transaction.

3) Acts of violation arising from the conflict: Were there any business transactions between the company and the conflicted parties? A specially low-priced sale to a conflicted customer? Or a higher-priced purchase from a conflicted vendor? Even a preferential selection process with no loss on price is considered a conflict transaction. So it is fair to say that not all conflicts cause losses. The conflict of interest acts could then be evaluated on the basis of unfair advantage.

4) Managing declared conflicts: Assuming the conflict of interest was declared, did the Line Manager take the necessary steps to ensure the conflicted person did not participate in a conflict transaction? If my brother is the Account Manager of a local office cleaning company and I am the Branch Manager who decides on selecting a cleaning company, then my Line Manager should be the decision maker, to ensure I do not participate in a transaction where I have a conflict of interest. Also evaluate whether the conflicted person incorrectly declared their interest so as to mislead the Line Manager. Undeclared conflicts could raise suspicion, but being undeclared alone is not conclusive. The most you could conclude is that a company rule was violated. Therefore all points of this article need to be considered, especially the role of the conflicted person.

5) Assessing the role of a conflicted party: There could be a close relationship, possibly even an undeclared conflict, but it is still possible that the conflicted party has nothing to do with the business transaction in question. Using the earlier example: suppose my brother runs a national cleaning service, my company is selecting a national service provider through a panel of which I am not part, and my branch is too small in relation to the deal. Then there is no concern at all, even though a conflict relationship exists. Without the conflicted person's direct involvement, it could just be a normal sale or purchase under normal business processes, so there is no conflict transaction. The role of the conflicted person, whether directly or indirectly involved, needs to be assessed. Influence on the business transaction is also an aspect to consider, as indirect involvement may be common for those who want to cover their tracks or those who are not the decision makers.

6) Possible consequences: After applying the above, you will be in a good position to conclude your assessment or investigation of the conflict of interest situation. If company rules exist, the conflicted person was aware of the rules, they had not declared the conflict, they were directly involved in the transaction, and there may even have been unfair benefits, then this is a full-house conflict of interest scenario and the toughest consequence should be considered. The most common internal consequence would then be dismissal, depending on your company's rules and the loss of trust in the conflicted person. If some aspects of steps (1)-(5) above were inconclusive, then a lower consequence such as warnings or coaching should be considered. Whatever the consequence, follow up by improving the company's internal controls for all process weaknesses identified.

In closing, the above is intended to guide Business Leaders, Managers and Investigators towards a conclusion on a conflict of interest case in a constructive and clear manner. It will also help shape your case report with a convincing structure. The guidance is not limited to the above as fixed steps; take into consideration the details of the conflict to decide which final steps are required to conclude your case.

< Written by Dipesh Narsai>

Sunday, 13 March 2016

Risk Management: the missing culture and behavior?

Most of us are aware of the ISO 31000 principles for Risk Management: the creation of a framework, risk assessment workshops, risk categories and registers, mitigating actions, monitoring and reporting. This is an oversimplification of an excellent and globally respected set of guidelines.

Ultimately such principles and approaches should result in a change in behavior in managing risks at the executive top tier of an organization. It should further result in behavioral changes among middle management and supervisory personnel. And in a company with mature risk management, the resulting behavioral change should be observed at the broadest workforce levels. Such an entity is considered to have a strong risk management culture.

For many nuts-and-bolts companies, safety is considered a top-priority risk. It has taken companies many decades to develop a safety risk behavioral culture, and most are still trying to find that reasonable "managed level of risk". Safety mitigation initiatives generally require a high investment of time and money that continues indefinitely, as there may never really be an end.

It may not always be possible for other top risks (market share, fraud, cyber-attacks, compliance, etc.) to reach the same integrated and embedded risk culture status as safety. This is probably due to the high cost and time required to address each risk individually. However, should a generic risk management culture and behaviors be achieved, this would encompass all those risks and thereby deliver a broader, more sustainable solution to managing risks.

Imagine an organization where everyone, and I mean every employee from the production plant to the CEO, constantly thinks about risks in their area of work, thinks about mitigation steps and takes the required action. Now imagine all employees considering risks outside of their own focus area and raising their views, which result in actions. Imagine this taking place seamlessly as an organizational and individual behavior, where risk management is owned by everyone. Now that is the reasonable "managed level of risk" that Shareholders and Board Directors should want to achieve for a sustainable future.

How many business leaders can say, "This is what we work towards, and achieving an embedded risk culture is no longer a risk" in their organization? Or is your company still just operating a risk management system? Managing risks should be a cultural and behavioral journey for everyone in an organization, and it requires greater investment to progress through this change cycle.

< Written by Dipesh Narsai>

Friday, 4 March 2016

A mechanism to uncover critical non-compliances...

One mechanism to uncover critical non-compliances in your organisation: whistle-blowing! Some interesting reading follows...

Non-compliances can lead to major reputational damage and threaten any company's sustainability, impacting its shareholders and its employees. There will be investigations by authorities and disruptions to business. Then there will surely be penalties from regulators, which could cripple the company. Even with good corporate governance in place, the risks remain if there is no effective whistle-blowing mechanism.

It just takes one person who knows of a major non-compliance to say something. Even with the collusion and discretion that accompany a fraud, somehow someone will witness it. And they need to have an option to report the matter with the required anonymity, in case they fear victimization.

Here are some common concerns around the whistle-blowing tool:
How many false reports need to be entertained? Why should petty issues be investigated? Should financial impact filtering be applied?

Some points of view (but not limited to): Not only will there always be unsubstantiated allegations, there will be many minor finger-pointing complaints which should have been solved with a short talk between the parties involved. Therefore something is missing, for example better dialogue between manager and employee when the root cause first arises. So there is a solution to implement. One could even estimate that for every 10 minor complaints there will be one of greater interest, and possibly after 100 complaints the one significant complaint with a high impact on the company may be uncovered. What is the ratio in your organisation? There is also no science as to which complaint to investigate and which not to. It is a judgement that needs to be made and defended by the responsible governors of risk management.

There are certainly other concerns. However, here are just a few more to note:
Why does no one use the Hotline and the anonymous reporting options provided? Why did the company leadership not know this major non-compliance was taking place?

Some points of view (but not limited to): Having a Hotline merely as a tick-box is not enough. It should be promoted actively. Posters should be placed in key locations where employees congregate. Links should be visible on company internal websites. The whistle-blowing tool should form part of basic Code of Ethics training. Management should encourage its use as a final option should a person have no other alternative. Investigation outcomes may require consequences. And finally, the tone needs to be set by the top leader of the organization: critical non-compliances should always be reported, and victimization of those reporting in good faith will not be tolerated.

Whistle-blowing can in fact serve as a good corporate governance tool to uncover critical issues in an organisation. It requires significant investment from all to make it a sustainable success in mitigating compliance risks.

<written by Dipesh Narsai>