Just about three weeks ago, I promised that, by the next Monday at the latest, I would have more thoughts on the ideas I had laid out in that post. Well...things happen. None of them important, none of them earth-shattering, none of them of particular import. However, a seminar here, a holiday there, and just a sprinkling of lethargy, levity, and "let's see if there isn't something else I can do" resulted in quite the delay. Well, I'm finally back. And I promise, the remaining portions of this particular discussion will be coming in swifter succession. How do I know? Well, they are all pretty much already written.
Then again, some were partially written last time – and look what happened. Anyway, on with the show.
A while ago (see above) I wrote about the role of agreement in audit's ability to even think about being successful. The basic thesis was this: If we have agreement up front, we will have fewer challenges throughout the audit process.
Now, such a thesis could be a qualifier for understatement of the year. However, the more important point – the point I was really trying to make – is that part of the reason we struggle so is that we don't always understand the many areas where agreement is needed. We just assume we have agreement (or, perhaps more scarily, don't worry about agreement) and move blithely forward. Then, with shock and chagrin, we feel blindsided when our basic suppositions turn out to be incorrect.
To make the point I started with the easiest and most obvious example – agreement on the criteria used to establish the existence of an error, issue, or finding.
Yes, I was picking low-hanging fruit first.
But we face "No" (the indication that we have not achieved actual agreement) many other times in our audit experiences. Only by understanding where the breakdown occurs can we get the agreement up front, resulting in fewer challenges throughout the audit process.
First stop – the start of the audit. How often, when having the kick-off meeting, do you work to achieve agreement with the auditee? Now, I'm not talking about such basic things as who to talk with or when to conduct the audit or the documents we would like to see or any of the myriad other specific details that represent work to be done. No, these are not areas of actual agreement; these are just logistics. I'm talking about ensuring there is a basic understanding and agreement on why internal audit is there in the first place.
And there is even more to those first meetings. The discussion should include agreement (true agreement, not "just nod your heads to get the auditor out of the room" agreement) on why the process exists in the first place, the fundamental needs of that process, and what might cause the process to fail. In other words, are you getting agreement on the objectives of the process (or unit or department or whatever distinction you are making regarding the scope of review)? Then, is there agreement on the actual risks that might impact those objectives? And, if you really want to be partners with the business, is there agreement on the controls that should exist in order to properly mitigate the identified risks?
Yes, I just put forward the bold statement that we should be reaching agreement with the auditee on the basic concepts underlying how we will conduct the audit. But, if the auditee is not involved in our understanding of why specific controls are necessary, how can we expect them to agree with anything we have to say?
(And as I write this, I realize we've got an even more interesting area where agreement might not exist – an agreement among ourselves about the terms we use. But I'll attack that in a subsequent post. I'm on a roll here and don't want to stop.)
But let's get even more fundamental. Underlying everything I've just said – the agreement on objectives and risks and controls – is another agreement we have to reach. There has to be agreement that it makes sense for internal audit to be looking at this area in the first place.
This is not the agreement of the board or audit committee or C-Suite; this is agreement with the people who actually own and run the process. To be successful (to have fewer challenges), we have to be able to show the process owners why they should want us reviewing their area. If we think we've identified an area worthy of using our resources, shouldn't we be able to articulate that need in such a way that we can reach agreement with all involved? Shouldn't we be able to reach agreement that the use of our and their resources is warranted and of value to the organization? If we can't even get that kind of agreement, then we have to ask ourselves if we should be there in the first place.
And implied in the previous paragraph is an even more fundamental fundamental agreement. When the audit department is first considering the audit plan – when it is looking at categories of risk and concerns within the organization – is there consideration of the risks others have identified? Are those considerations truly used to reach an agreement on where audit's resources should be placed? And then, are those risks used to drive the plan and the schedule?
And, before you answer too quickly, consider that a recent report from Deloitte indicated that C-Suite executives think reputation risk is the number one risk being faced by their organizations. Have you even talked to your customers about that risk? Have you got any audits that touch that particular area? So, before you tell me you have agreement, consider whether you have been ignoring an area they consider a primary risk.
Looking back at these examples, I think there's a good chance I've hit just about every aspect of the internal audit process. And this follows logically from our initial statement – if we have agreement up front, we will have fewer challenges throughout the audit process.
Here's the challenge you can take away from this particular rant. Take a look at your audit process. Determine the key customer contact areas as well as the key decision points. Then, figure out if you are really talking to the customers at that point with the intent of obtaining agreement.
This doesn't mean telling them what you think. This does not mean you are just providing them information. This does not mean telling them you will do it this way no matter what. This means a true dialogue with the intent of working as partners on a project.
And, in spite of the fact that it looks like I've covered the entire audit process, there is still more to say on this subject.
Come back next time when I take care of a little aside about the concept of risk, and then a couple more conversations about just how many customers we have to consider.
And, honest, I'll have these done in less than three weeks.