Credibility – Charles D. Schrock

Credibility Tips

These are the Credibility Tips that I’m posting as a result of my article “The Credibility Component“.

Internal Auditor Credibility Tip #1 – Having a predictable approach to your communication is helpful. When starting any discussion, make it a habit to help others slide into the proper frame of reference. Here’s a quick example. If you are intending to discuss the “design” of a process, make sure you’re very explicit. Conspicuously begin the discussion by telling others that you’re only talking about “design”, not “documentation” or “execution”.

By establishing the context right at the start, it’s easier for others to follow along and participate. When you make it easy to communicate, you are building credibility.

Internal Auditor Credibility Tip #2 – Accountability matters. Often, a helpful initial step when planning an audit is to inquire into the “ownership” of the area you’re going to review. This may sound obvious, but a clear understanding of responsibilities is important.

So rather than simply start with a mindset to audit, say, “Inventory Management”, it may be helpful as a first step to talk with whoever is in charge of this activity (e.g., “Susan”) and establish a more definite understanding of exactly what Susan includes (and excludes) regarding her responsibilities as the Inventory Manager. This discussion will almost surely help you develop a more focused audit plan. And if Susan’s description of her responsibilities seems to be vague, overlapping, or poorly documented you might have your first audit discussion point long before you start the fieldwork.

It’s not an audit finding, of course. It’s just a point for further discussion at the very beginning of your audit planning. You might consider meeting with Susan (and her manager) to get clarity around responsibilities and build face-to-face relationships. It can be a private teaching moment to share the importance of clear accountability as it relates to a strong governance environment. When you help others see the big picture, you are building credibility.

Internal Auditor Credibility Tip #3 – Audit planning is very important. And it’s where a lot of audit communication takes place. So, it’s a critical opportunity for you to build credibility.

In our prior Credibility Tip, we suggested that you consider whether your auditee has clearly defined their goals and responsibilities. In other words, are they clear about what they are trying to accomplish? The next step, then, is to consider whether those goals and responsibilities make sense. Are there areas where they claim responsibility, but maybe should reside elsewhere? And, conversely, are there responsibilities that they are choosing to exclude, but shouldn’t? It’s a good idea to consider these questions while you’re gaining an overview of the area. It should take place as part of your planning process.

What you’re addressing is organizational (not departmental) efficiency – is there a better way to organize this function? Consideration of departmental efficiency comes later.

Don’t be afraid to consider and question organizational design. When you identify opportunities to introduce efficiencies at an organizational level, you are building credibility.

Internal Auditor Credibility Tip #4 – In prior credibility tips, we talked about the importance of having a clear understanding of accountability; who is the manager in charge of what you’re reviewing, and what are they including or excluding from their accountability?

Once that’s understood, the next step is often to consider how well that person has designed the operations, controls, and monitoring activities to deliver on their specific responsibility. This is the point where you might compare your understanding of the operations, controls, and monitoring (as designed) with any applicable standards or, perhaps, typical approaches that you’ve seen elsewhere.

Include consideration of potential threats. What might happen to derail the processes, as designed? And are there reasonable and appropriate controls and monitoring in place?

If you have recommendations to improve the design of the processes, controls, and monitoring, this is the time to discuss them with management. Since you have not yet actually started to review detailed records or data, be clear that this discussion is solely about the design of the process, not the results. Any discussions about outcomes or results will surface later in your review.

When you can share a focused discussion with a manager and demonstrate that you understand their operating objectives with a cost/benefit mindset, you’re building credibility.

To add value, you must be credible. Here’s my Internal Audit Credibility Tip #5.

In prior credibility tips, we talked about several stages of converting “audit-speak” into “manager-speak” to be more credible. The most recent tip reminded us how important it is for the auditor to be able to frame a discussion around real-world operating objectives with a cost/benefit mindset.

This particular tip is about cultural alignment.

As you’re reviewing the approach that a particular department is taking in pursuit of its responsibilities, it’s good to consider the style and alignment with your organization’s culture. Here are a few simple examples.

Maybe the area under review habitually experiences very high turnover, while the overall culture conspicuously values long-term commitment and the wisdom that flows from long-term employee relationships. What practices are causing this unusual turnover?

Or, perhaps you notice that the area under review maintains its process documentation in physical printed binders, while the rest of the organization is in the middle of a major project to get all documentation online. This department’s approach impacts its employees’ self-image relative to other areas of the organization.

If, during an audit review, you see ways that the approach or associated processes may contradict the organization’s culture, either formally or informally, you should discuss them with the manager. Maybe there are good reasons. Or maybe they just didn’t know.

When you can demonstrate that you are sensitive to organizational culture and you are helping to spread that culture throughout the organization, you’re building credibility.

To add value, you must be credible – so here’s my Internal Audit Credibility Tip #6.

In earlier credibility tips, we talked about how we can communicate effectively during our planning – when we are interviewing and gaining an understanding of our audit clients’ operations.

This current tip relates to our evaluation of how well their procedures and activities are documented and communicated.

If we determine that the documentation can be improved, we might suggest options. But most importantly, we should be very clear that we are solely talking about documentation and communication at this point. At an earlier phase of our planning, we might have identified and suggested potential improvements to their processes. But we’re past that now.

Even great processes may not be communicated well. Poor communications impact their team’s ability to work effectively.

So help them out. Their ability to communicate expectations is very important to their success. And be very clear that you’re only talking about documentation for this particular discussion point.

When you can demonstrate that you’re interested in helping them communicate and create a well-trained and motivated team, you’re building credibility.

To add value, auditors must be credible – Internal Audit Credibility Tip #7.

In earlier credibility tips, we talked about how we can communicate effectively during our planning – when we were gaining a broad understanding of how things should be working.

This current tip relates to our evaluation of how well operations are actually functioning. More specifically, it relates to our assessment of operational consistency.

Imagine that you’re now finished looking at the design of their operations. That’s where you reviewed and discussed what they intended to do. But are they actually doing it?

As you start transactional walk-throughs and detailed testing you may notice that what you’re seeing doesn’t exactly align with what you were told. That, alone, doesn’t imply anything from a control standpoint. Actual operations could be better (or worse) than what you had been told. The point is – it doesn’t align with their documented processes.

Maybe things veered off course due to poor monitoring by management. Or maybe management is fully aware and hasn’t updated their procedures to reflect reality. Either way, you have something you need to discuss. Documented procedures should match up with what they are actually doing. A disconnect like that can have unknown consequences down the road.

When you demonstrate that you are interested in assuring that staff and management are on the same page, as well as management’s ability to onboard and train new staff, you’re building credibility.

Internal Auditors must be credible before they can be influential. So here’s this week’s Credibility Tip. It’s #8 in the series.

The prior tip was about demonstrating that you are interested in assuring that staff and management are on the same page regarding their operations. If management thinks one thing is happening (through their written procedures) – and that’s not what’s actually happening (even though everything seems to be going smoothly) – management has a disconnect that they need to know about.

And that brings us to this week’s tip. It relates to management’s ability to effectively monitor their operations. Good monitoring is far more than assuring compliance with procedures. It also includes keeping an eye out for ways to do things better, avoiding operating losses, and looking at areas where fraud might be occurring. If they aren’t monitoring the right things, or they’re doing it the wrong way, sooner or later they are going to get blindsided by … something.

And no one likes bad surprises.

So here’s an opportunity where you can help.

When you talk with management about how their monitoring might be improved (and why it’s in their interest) you’re demonstrating your alignment with a culture of “no surprises”. You’re also showing that you care about their success. And you’re building credibility.

Internal Auditors must be credible before they can be influential. So here’s this week’s Credibility Tip. It’s #9 in the series.

The prior tip was about helping management create a good environment for monitoring their operations. No one likes unfortunate surprises.

This week’s tip moves from management’s day-to-day monitoring to governance oversight. This one is not so much about management’s ability to avoid bad surprises, it’s about leadership’s ability to set and adjust strategy.

Most departments report metrics of some type. They go up the chain and may even end up in a board report. The metrics that a department chooses to report must be accurate, of course. But even if they are accurate they may not give a complete picture to someone who’s not involved day-to-day. So it’s important that the metrics are not only accurate but that they tell the right story.

As you’re performing your review pay attention to the metrics that get reported. Of course, you’ll test if they are objective and accurate. But also put yourself in the position of someone who is not involved. Do these metrics paint the complete picture? What would help you if you were an executive relying on metrics?

If you feel like something should be added (or removed) to present a more complete and accurate view, you should discuss it with management. You’re never looking for more, you’re looking for better.

When you demonstrate your alignment with good governance and the need for executives to have an accurate picture of activities and results, you’re building credibility.

Internal Auditors must be credible before they can be influential. Here’s this week’s Credibility Tip. We’re up to #10 in the series.

The prior tip was about assuring that executives get the right data to help them fulfill their governance responsibilities. You build credibility when you help them see a complete and accurate picture of … everything.

This week’s tip involves the importance of stepping back and looking at the big picture before you’re done with an audit.

Throughout your audit, you have probably been looking at details. Maybe you have seen that processes are well-designed and are working perfectly. Maybe every control is in place. Data is tightly controlled. In short, you’re pleased to say that you have no recommendations whatsoever.

But … is the department delivering the results it should? How do they compare to industry benchmarks? Are their customers satisfied? Are expenses over (or under) budget? Maybe staff members seem short-tempered with each other. Maybe you have other observations that seem a little off – even though there’s nothing that would show up in a formal audit communication. These are things that might not be visibly harmful today but could be damaging down the road.

You should discuss these things with management. It’s in their best interest to hear your observations. You are providing them with a valuable outsider’s perspective of their area. While this discussion may be more subjective than some of the others we’ve discussed, it highlights your ability to see the big-picture.

If you handle this discussion discretely, you’re creating a partnering relationship focused on their success. And you’re building credibility.

Internal Auditors must be credible before they can be influential. We’re up to #11 in the series. And we’re nearing the end.

The prior tip was about providing management with helpful feedback with soft observations – things that would never be in a formal audit communication. If you see something that might help, why not share it?

This week’s tip involves the importance of looking into the future.

You are wrapping up your audit. No problems. Or maybe you have a few things to discuss with the manager.

Before you’re done, stop for a moment. Think about any fundamental assumptions that may not be as concrete as everyone thought. If we learned anything during the COVID era, it’s that we cannot count on even basic assumptions. Like being able to work on-site.

So what assumptions are important for this area? What trends might be impactful? What about staffing, remote work, data security, climate change, inclusion, the economy, regulations, etc.?

It’s important for management to regularly consider (or, perhaps, re-consider) the assumptions that drive their strategies and operations.

If they aren’t already discussing them from time to time, maybe you should facilitate that discussion before you wrap up the audit. This type of discussion demonstrates your strategic sense, your ability to monitor broad trends, and your talent for relating these trends to potential opportunities and challenges. And when you do this, you’re building credibility.

Internal Auditors must be credible before they can be influential. This is Credibility Tip #12 and the last in the series.

When you are predictable and consistent, you’re more credible. And that’s important.

We, as auditors, need credibility. So, when you’re communicating with management – in any context – be predictable and consistent. Start every discussion with a clear frame of reference. Help them confidently ease into the conversation.

If, for example, you have a suggestion for improving the design of internal controls be very clear right from the start that you’re only talking about “design”. Don’t allow the other person to mistakenly believe that you found an issue with “execution”. Even a momentary misunderstanding causes friction. And you both must go through the effort of getting back on the same page before the conversation can continue. And even small miscommunications harm the delicate process of building mutual trust.

So, avoid misunderstandings. Be very clear in every communication (whether written or verbal) about what you’re talking about (and what you’re not talking about). Don’t allow the other person to misunderstand you … even for a moment.

Because when the other person knows that they won’t have to first figure out your purpose, you’ve made it a lot easier for them. And they will know that conversations with you (now and in the future) will be useful and to the point.

This is the last credibility tip. If you haven’t read the others, I encourage you to read them. Actually, I encourage you to read the entire article. The ability to clearly communicate is the fuel that drives your influence. So, always make it easier for the other person to understand your message. Keep it simple. Be clear. Be accurate. Be credible.

The Credibility Component

This is an article originally published in the September/October issue of Thomson Reuters ‘Internal Auditing’ (Volume 37, Number 5). I encourage anyone interested to subscribe.

Authors

Charles D. Schrock, BS, MS, CPA, CIA, CRMA

Jason C. Schrock, BS, MDiv

Overview

Despite what some may think, an auditor’s job is not to create workpapers. And it’s not to write reports.

We, as auditors, are here to help our organization achieve its goals.

We do this by identifying improvement opportunities and then convincing management that these improvements if implemented will help them succeed.

In other words, we are change agents.

One good description of a change agent comes from indeed.com:

A change agent is an action-oriented leader who seeks to improve the logistical, technical and interpersonal functions of an organization by changing policies, systems, processes or operational norms. They can work in many professional settings where they communicate why something is a problem, generate specific ideas for change and identify individuals to implement changes with them.

Sounds like an enlightened internal auditor.

But we have an additional challenge. We can’t simply take the lead, get the budget to make these changes, and then make it happen. We need to convince others that they should do it. This means we must be persuasive.

There are many components to being persuasive. We are going to focus on just one – perhaps the most basic:

To be persuasive, we must be credible.

Credible people are often described as competent, trustworthy, accountable, honest, and principled. In other words, credible people are believable. Credible people have their facts right. And credible people are transparent about their motivations. Credible people influence others.

Our Assumptions

This approach starts with one very basic assumption – that management is motivated to do a good job. This includes valuing transparency and accountability.

While we may occasionally run into individuals who seem particularly unmotivated, that’s rarely an organizational trait.

We can probably feel comfortable assuming these nobler principles exist in most organizations. So, we’ll just accept our assumption that the organization wants to succeed and management values transparency and accountability.

With this as our foundation, let’s start.

A Structured Approach for Building Credibility

Credibility takes time. Relationships must be built. Familiarity and trust are key. If both parties “speak the same language”, this goes a long way toward speeding up that credibility.

You can speed this along by putting some structure around your audit communications. Using familiar words to identify your starting point in any discussion reassures your stakeholders.

A good communication structure allows you to quickly and consistently clarify that you are talking about “this” and not “that”. It helps you avoid any initial confusion. This is how you can demonstrate, consistently, that the two of you are talking about the same thing and that you are, together, working on the same problem.

In short, a communication structure makes it easy for a meeting of the minds.

From our auditor’s point of view, there are certain things we typically do first, second, third, and so-on. This sequence is described below through ten stages. Each of these ten audit stages also aligns with a key management objective.

This allows you to proceed through the different audit stages while being very clear about the business context for your questions and any recommendations that might arise.

This structure helps you consistently translate an audit discussion into a business discussion.

When you speak their language, you build credibility.

For this article, we are going to assume that you have been given the responsibility to audit Accounts Receivable. Bob is the Accounts Receivable Manager. We’ll further assume that you are familiar with the basic activities surrounding Accounts Receivable. For your situation, you can replace the name, department, and role with your circumstance.

Start with a basic building block

Stage 1 – Accountability

Congratulations. You have been assigned an audit of Accounts Receivable.

To execute your audit and start building your credibility, your first step should be to get a clear understanding of this specific department. Not just any Accounts Receivable Department. But Bob’s Accounts Receivable Department.

Clarity is the starting point.

Your technique in Stage 1 is to probe a very basic principle – accountability. Someone (Bob in this case) has certain responsibilities. There are boundaries to those responsibilities. And everything within those boundaries belong to Bob. No one else. Just Bob. That’s fundamental to accountability.

Accordingly, you will focus on Bob.

A less-reliable approach starts by cataloging and analyzing the operations. With that approach, it might be too easy to make assumptions about what we should, or should not, include. We need a clear starting point with well-defined boundaries. That’s why we believe that the individual leader, along with their stated responsibilities, is the best starting point.

An Illustration

Let’s use an example to illustrate this Accountability technique.

Instead of jumping right in to audit “Accounts Receivable”, you can start by simply asking Bob about his responsibilities.

With this approach, Bob won’t be inclined to describe what Accounts Receivable Departments do in general. Instead, he will describe what his department actually does. And here’s what you are looking for at this stage: Clarity. Is his response clear? Is it concrete? Is it supported by metrics? Does Bob describe logical boundaries and hand-offs with other areas like IT, operations, and shipping?

Or is it hazy? Is Bob using words like “mostly”, “sometimes”, or “best efforts”?

Understanding Personal Responsibilities

In other words, if someone else had to step into Bob’s shoes, would they know exactly what they’re expected to do?

Setting this solid foundation is essential for your planning. If information technology, operations, and shipping are outside of Bob’s direct responsibilities, you can draw clear boundaries and scope them out of this particular audit.

Administratively, this will help you focus. And it will help you maintain an agile mindset.

Outcomes from Analyzing Personal Responsibilities

Let’s consider the outcome from this discussion.

Perhaps you’re having difficulty getting clarity around Bob’s responsibilities. That’s a potential Stage 1 discussion point. Your discussion with management should start out by being very clear that it is strictly about governance and accountability. For example:

Good governance requires clear accountability. We noted that some functional boundaries are not well-defined. For example, we noted that …

To achieve this very important governance foundation, we recommend that management clarify responsibilities and boundaries around accounts receivable, focusing on its relationships and hand-offs with information technology, operations, and shipping.

This type of discussion translates your audit planning into a discussion on the design of good corporate governance. It demonstrates your focus on the big picture and the importance of accountability.

Stage 2 – Organizational Efficiency

This stage moves beyond identifying Bob’s responsibilities and starts to consider whether those responsibilities, as defined, make sense.

Let’s say that Bob believes (and his manager agrees) that his responsibility includes disaster recovery testing for his Accounts Receivable system. Is that strategically aligned? Or should this responsibility be better assigned to someone in Information Technology? IT may have greater expertise and a big-picture sense to determine how best to test disaster recovery of this system.

Or, let’s go in a different direction. Maybe Bob identified some things that he is not responsible for. Maybe Bob has accounts receivable responsibilities for only seven of the eight product divisions. Does that make sense? Maybe. Maybe not.

You should view Bob’s responsibility within the bigger context of organizational efficiency and effectiveness. Consider if the responsibilities from Stage 1 are, in fact, strategically aligned.

Take time to analyze both the potential to subtract poorly-aligned responsibilities AND the potential to add responsibilities that seem to logically align. But tread lightly and with sensitivity. Moving and changing responsibilities can often have big, and sometimes unintended, consequences. These should be first documented as private recommendations. Then, as that discussion progresses and likely outcomes start to materialize, you can either include or exclude these items from your current audit scope.

If you have potential organizational changes that might make sense, you have a Stage 2 discussion point. This one is all about organizational (not departmental) efficiency.

We noted that Accounts Receivable conducts annual disaster recovery testing of its ARS system. This is an extremely important activity. We noted that Information Technology conducts a coordinated disaster recovery testing plan for most other systems, but not ARS. Information Technology’s approach allows them to achieve technical confidence of coordinated recoverability while minimizing any testing duplication. We recommend that management consider the potential advantages of transferring disaster recovery testing of the ARS to IT Operations

This type of discussion demonstrates your ability to identify opportunities to introduce efficiencies at an organizational level.

Next, review their intended approach

Stage 3 – Design of the Plan

This stage focuses on Bob’s plan.

How did he design his operations, controls, and monitoring to deliver on his responsibility?

Yes. Any issues from Stages 1 and 2 may change what’s included in Bob’s responsibilities. But at the moment, do not think about what should be; just focus on what is. Of course, if something has changed as a result of recommendations to management from Stages 1 and 2, simply adjust what you review here. In other words: adapt. Be agile.

It’s not about whether Bob’s plan is working. That comes later. To reiterate, this is simply about the design.

Here’s where you compare Bob’s processes with typical best practices for Accounts Receivable. You compare Bob’s control environment with the internal controls that might typically be in place. You look at common threats, including fraud opportunities, to see how Bob has addressed them in his procedures.

Any findings at this Stage will often relate to unmitigated threats or insufficient internal controls. Keep in mind that you are only reviewing the design. That means that you’re considering potential threats. You’re considering what could happen.

If you believe that you have some relevant opportunities to improve the design of the procedures and controls to make them more efficient or to better mitigate threats, that’s your focus for any discussions with management. Perhaps something like:

A common Accounts Receivable practice is to rely on the automated system to identify duplicate submissions of invoices. While this is an available feature within our system, it is not enabled. We recommend that management consider the cost and benefit of using this system feature to improve the control environment over potential fraud.

This type of focused discussion demonstrates your ability to understand the operating objectives of the department and bring a cost/benefit mindset.

Stage 4 – Cultural alignment

In Stage 3, you considered the design of the procedures when compared to Accounts Receivable best practices.

Here, in Stage 4, you are considering whether Bob’s procedures align with this company’s culture.

For example, some organizations may avoid outsourcing whenever possible. Others may emphasize flexibility through outsourcing as a key strategy.

In a different manner, some organizations might have an organizational focus on minimizing expenses. Other organizations may be very open about anticipating rapid growth. They want to be ready even if it means ramping up in a way that’s not cost-justified based on today’s volumes.

As an auditor, you will be uniquely positioned to see how the organization’s culture plays out in process design. You can see if the organization’s cultural imperatives are correctly considered in Bob’s approach.

If you believe that you have identified some procedural design issues that may contradict the organization’s culture, here’s where you’ll discuss them.

We’ve noted a general focus across the organization on careful expense oversight and we saw no improper expenditures within Accounts Receivable. But we did notice an overall approach that seems to emphasize active preparation for growth. While there are certain advantages to this approach, it would be difficult to identify a favorable payback given today’s transactional volumes. We suggest that management consider whether a new system and the associated expenditures are best aligned with anticipated growth.

This type of discussion demonstrate that you’re sensitive to organizational culture and you’re helping spread that culture throughout the organization.

Stage 5 – Procedural documentation and communication

This one’s simple. Are there good written procedures? In some circles these are referred to as “Written standard operating procedures” or written SOPs.

Good written SOPs are typically written at an appropriate level – neither too complex nor too basic. You should ensure all essential steps are documented; but where in doubt, lean toward brevity.

These SOP should encompass all of the operations (as we understand them). And they should consider where flexibility and judgment are allowed and where they are not. And, of course, these procedures should be be on hand and available to actually instruct and guide operations.

If we determine that the documentation should be improved, we might consider a discussion point like:

In our review, the design of the operations appeared to be sound. However, we noted that the documentation or dissemination of these procedures could be improved. We suggest that management consider …

This type of discussion demonstrates our ability to consider the impact of having a well-trained and motivated team.

Now it’s time to review how well everything is actually functioning

Stage 6 – Operational consistency

You’re past the design stage. That’s where you reviewed what they intended to do.

Now you’ll be considering if they are doing what they intended. This starts with the traditional audit “walk-through”.

You will talk with the staff. You will look at records. You will observe activities. You will ask about hypothetical situations to see how they would be handled.

If you notice that operations don’t actually align with the documented procedures, this may typically imply a lack of management oversight. Perhaps a stronger set of controls are warranted to better prevent or identify divergence from approved procedures.

Then, where appropriate, you will expand your walk-through testing to look at enough records to draw conclusions about any failures of procedural compliance.

If you determine that actual operations are not aligned with the documented processes, you may have a discussion point.

Although operations are well-designed and documented, we noted that reconciliations of cash deposits are not performed the following business day as required by procedures. Upon discussion with the staff, they indicated that it’s more efficient to wait until the third business day to allow backdating of missed transactions. This can decrease the number of reconciling items that require needless research. We recommend that management consider the balance between operational controls and operational efficiency. Once the appropriate balance is struck, we further recommend that management assure that the written procedures and the actual practices match.

Management should find it intuitive that their written procedures should align with their actual operations. This can only help with onboarding, cross-training, and control monitoring.

Stage 7 – Management oversight

Management should actively monitor the operational activities that are crucial to success.

This includes the potential for

inefficiencies
operating losses
fraud

It’s not your role as the auditor to actively look for inefficiencies, although that might arise in Stage 3 (design) or Stage 6 (execution). Nor is it your role to identify operating losses or fraud. If these fall within Bob’s responsibility, he needs to be monitoring this.

And that’s the point.

Management should be keeping its finger on the pulse of its own operations. If you discover issues in Stage 6 that indicate activities are not actually matching up with the procedures, as-designed, that could indicate a lack of oversight and monitoring.

Even if you didn’t find any operating issues in Stage 6, you may have learned that issues, if they had occurred, would not have been identified. In that sense, you’re refining your assessment of the overall design based on the results of your walk-throughs and detailed testing.

Additionally, this stage gives an opportunity to review whether the SOPs (analyzed primarily for the sake of the employee’s workflows in stage 5) have any key oversight steps for management, and if not, whether there are any places where they should.

Accordingly, you might have a discussion point like this.

To maximize organizational cash flow, it’s helpful to record all accounts receivable receipts the same day as received. This is required in the written procedures and it usually takes place on the same day. Some receipts, however, are not recorded on the same day. Our review indicated that the recording of receipts, weighted by dollar amount, takes place an average of 1.3 days after receipt. We did not identify any receipts recorded beyond the third business day. The CFO indicated that an average of 1.3 days is not material to our operational cash flow. However, we recommend that management consider monitoring this important metric. Additionally, management should establish parameters to identify when activity falls outside of acceptable ranges. This could be monitored in several ways …

A discussion item of this type demonstrates your alignment with a culture of “no surprises”. If there are problems, they should be identified and addressed quickly before they get too big.

Stage 8 – Governance oversight

Back in Stage 1, you spoke with Bob about his responsibilities and how those responsibilities are measured. Back then, you were concerned with simply assuring that they were reasonably defined.

Now, it’s time to ask how well those metrics are actually acquired and reported.

This might call for some delicacy. Depending on the company and the department, metrics can be a cultural hurdle. Some departments or roles may not have a fully-developed requirement for metrics, so this may call for sensitivity at first. You may need to not only ask the following questions, but you may also need to explain them:

What metrics are reported?
Who prepares the metrics?
Who reviews and monitors these metrics?
Do they align with the responsibilities?

Are they based on objective and meaningful data?
Are they consistently and accurately derived?
Is there a reasonable segregation of duties between those responsible for results and those accumulating the data?
Are there clear boundaries that identify when a metric falls outside of acceptable performance?
Are the boundaries reasonable?
Was there evidence of follow-up when the metrics fell outside of these boundaries?

If there are concerns about monitoring and oversight, you might consider a discussion point like:

A key governance component is the oversight of operations to assure that they are running smoothly. If an issue arises, management should be notified quickly in order to focus its attention on that area.

Although we did not notice any operational issues, we did note that management oversight should be expanded to provide closer monitoring. The department currently reports metrics “A”, “B” and “C” monthly. While these are useful, management might consider the inclusion of “D” and “E” to provide a simple and more complete picture of the operations.

This discussion item demonstrates a very practical appreciation for good management technique. The right metrics, reported promptly, can head off many types of problems.

The big issue, of course, is effectiveness

Stage 9 – Quality of results

Through prior stages, you have assured that responsibilities are well-defined. You’ve looked at the design of the operations. You’ve looked at the operations in detail to assure that they are actually functioning as intended. And you have assured that there are reasonable metrics that should track if the activities are being executed as intended.

Now it’s time to step back.

Given all that you’ve seen, is it all working smoothly? Is the Accounts Receivable area delivering good results?

This is where you can compare your organization with industry benchmarks. It’s also an opportunity to consider anything else that caught your attention during a prior phase. Maybe, for instance, you had a sense that the staff were overworked. Or bored. Maybe staff attitudes weren’t ideal.

Assuming that there were no discussion points from any prior Stage, you still might have one here.

Although the area’s metrics are all favorable, we noted that its core benchmark of FTE-to-Receivables is 25% higher than industry averages. This may not indicate a problem; it may simply be a function of many other factors. We bring this to your attention so that you can consider it in relation to those other factors.

Perhaps more than other Stages, a discussion from Stage 9 might be subjective and should be handled discreetly in its initial stages. Discussions like this demonstrate that you’re a team player and you are willing to go above and beyond a typical department audit and achieve a real partnership mentality.

And, finally, it’s time to look to the future

Stage 10 – Resilience

Maybe your analysis in the prior stages has come up with meaningful recommendations. Or, perhaps the opposite – everything looks great, and you have no potential findings. Bob’s area could be a model of effectiveness and efficiency.

Either way, It’s now time to consider how the area might perform in the future.

You should now consider any foundational assumptions that are embedded in Bob’s strategies and procedures. Some might be perfectly reasonable today, but might not be so reasonable in the future.

For example, in 2020, operations drastically changed for many organizations. Assumptions about being able to work together, on-site, disappeared with COVID-19 restrictions.

Are there other assumptions that may not be as concrete as everyone had previously thought? For example, many organizations are finding it difficult to staff certain roles. This limitation might have been unthinkable a few years ago.

It may be useful to have a discussion with Bob. What are the limitations that he is starting to see? What trends might be important? Areas you might want to discuss include staffing, remote work, data security, climate change, inclusion, diversity, the regulatory environment, economic trends, and ESG reporting. Obviously, there may be many more that are specific to your industry, operations, or geography.

If there are assumptions that might be trending in the wrong direction, consider a discussion point like:

We’ve noticed that staffing is becoming an increasing challenge across all sectors. This may have an impact upon Accounts Receivable. We recommend that management consider this trend and its potential impact. Additionally, we recommend that management consider a regular, periodic discussion of trends, both positive and negative, that may impact the area.

Any points that arise from this discussion should be documented and forwarded to Risk Management.

This type of discussion demonstrates your strategic sense, your ability to monitor broad trends, and your talent for relating those trends to potential opportunities and challenges.

Summary

To be a change agent, we must be credible in all of our communications.

We often focus on our audit reports as our most important deliverables. And it is very important. But our ability to influence important change comes from all of our communications; both style and substance. Perhaps most important are the one-on-one discussions that take place long before an audit report is drafted. It’s these discussions where our credibility is often won or lost. It’s in these discussions that we can demonstrate our ability to be both factually correct and strategically relevant.

But discussions present challenges. It’s especially important to start off on the right foot. As auditors, it’s very easy to create defensiveness in others. That starts conversations off on shaky ground. And it requires effort to ease away from that initial defensive response so that you can have a productive discussion.

You must make the correct first impressions so that others are not trying to figure out your point of view or your motivation. If others must begin every conversation by simply trying to get on the same page, you’re asking a lot and making the conversation more difficult than it needs to be.

This is how the structure can help. You will have a clear focus for each discussion point. You can readily set the stage and make it easy for the other person to follow your path through the entire process. And each step in the process is simple and narrow.

For instance, by starting the discussion with “This is strictly about documenting clear responsibilities”, or “The procedures are fine; this is about the documentation”, you have allowed the other person to easily slide into the right frame of mind. You’re positioning the discussion in their terms.

A structured approach – and a communication style within that structure that is both direct and discreet – can supply you with the credibility to be more effective. It provides a large-scale organizational context for your abilities. It is both detail-oriented and delivers a human touch to your work and interactions. These are the hallmarks of credibility.

Discussions will be friendlier. More comfortable. Less combative and more collaborative.

You will be developing a reputation for credibility. And that’s how you become a trusted partner and a valuable change agent.