This is an article originally published in the September/October issue of Thomson Reuters ‘Internal Auditing’ (Volume 37, Number 5). I encourage anyone interested to subscribe.
Authors
Charles D. Schrock, BS, MS, CPA, CIA, CRMA
Jason C. Schrock, BS, MDiv
Overview
Despite what some may think, an auditor’s job is not to create workpapers. And it’s not to write reports.
We, as auditors, are here to help our organization achieve its goals.
We do this by identifying improvement opportunities and then convincing management that these improvements if implemented will help them succeed.
In other words, we are change agents.
One good description of a change agent comes from indeed.com:
A change agent is an action-oriented leader who seeks to improve the logistical, technical and interpersonal functions of an organization by changing policies, systems, processes or operational norms. They can work in many professional settings where they communicate why something is a problem, generate specific ideas for change and identify individuals to implement changes with them.
Sounds like an enlightened internal auditor.
But we have an additional challenge. We can’t simply take the lead, get the budget to make these changes, and then make it happen. We need to convince others that they should do it. This means we must be persuasive.
There are many components to being persuasive. We are going to focus on just one – perhaps the most basic:
To be persuasive, we must be credible.
Credible people are often described as competent, trustworthy, accountable, honest, and principled. In other words, credible people are believable. Credible people have their facts right. And credible people are transparent about their motivations. Credible people influence others.
Our Assumptions
This approach starts with one very basic assumption – that management is motivated to do a good job. This includes valuing transparency and accountability.
While we may occasionally run into individuals who seem particularly unmotivated, that’s rarely an organizational trait.
We can probably feel comfortable assuming these nobler principles exist in most organizations. So, we’ll just accept our assumption that the organization wants to succeed and management values transparency and accountability.
With this as our foundation, let’s start.
A Structured Approach for Building Credibility
Credibility takes time. Relationships must be built. Familiarity and trust are key. If both parties “speak the same language”, this goes a long way toward speeding up that credibility.
You can speed this along by putting some structure around your audit communications. Using familiar words to identify your starting point in any discussion reassures your stakeholders.
A good communication structure allows you to quickly and consistently clarify that you are talking about “this” and not “that”. It helps you avoid any initial confusion. This is how you can demonstrate, consistently, that the two of you are talking about the same thing and that you are, together, working on the same problem.
In short, a communication structure makes it easy for a meeting of the minds.
From our auditor’s point of view, there are certain things we typically do first, second, third, and so-on. This sequence is described below through ten stages. Each of these ten audit stages also aligns with a key management objective.
This allows you to proceed through the different audit stages while being very clear about the business context for your questions and any recommendations that might arise.
This structure helps you consistently translate an audit discussion into a business discussion.
When you speak their language, you build credibility.
For this article, we are going to assume that you have been given the responsibility to audit Accounts Receivable. Bob is the Accounts Receivable Manager. We’ll further assume that you are familiar with the basic activities surrounding Accounts Receivable. For your situation, you can replace the name, department, and role with your circumstance.
Start with a basic building block
Stage 1 – Accountability
Congratulations. You have been assigned an audit of Accounts Receivable.
To execute your audit and start building your credibility, your first step should be to get a clear understanding of this specific department. Not just any Accounts Receivable Department. But Bob’s Accounts Receivable Department.
Clarity is the starting point.
Your technique in Stage 1 is to probe a very basic principle – accountability. Someone (Bob in this case) has certain responsibilities. There are boundaries to those responsibilities. And everything within those boundaries belong to Bob. No one else. Just Bob. That’s fundamental to accountability.
Accordingly, you will focus on Bob.
A less-reliable approach starts by cataloging and analyzing the operations. With that approach, it might be too easy to make assumptions about what we should, or should not, include. We need a clear starting point with well-defined boundaries. That’s why we believe that the individual leader, along with their stated responsibilities, is the best starting point.
An Illustration
Let’s use an example to illustrate this Accountability technique.
Instead of jumping right in to audit “Accounts Receivable”, you can start by simply asking Bob about his responsibilities.
With this approach, Bob won’t be inclined to describe what Accounts Receivable Departments do in general. Instead, he will describe what his department actually does. And here’s what you are looking for at this stage: Clarity. Is his response clear? Is it concrete? Is it supported by metrics? Does Bob describe logical boundaries and hand-offs with other areas like IT, operations, and shipping?
Or is it hazy? Is Bob using words like “mostly”, “sometimes”, or “best efforts”?
Understanding Personal Responsibilities
In other words, if someone else had to step into Bob’s shoes, would they know exactly what they’re expected to do?
Setting this solid foundation is essential for your planning. If information technology, operations, and shipping are outside of Bob’s direct responsibilities, you can draw clear boundaries and scope them out of this particular audit.
Administratively, this will help you focus. And it will help you maintain an agile mindset.
Outcomes from Analyzing Personal Responsibilities
Let’s consider the outcome from this discussion.
Perhaps you’re having difficulty getting clarity around Bob’s responsibilities. That’s a potential Stage 1 discussion point. Your discussion with management should start out by being very clear that it is strictly about governance and accountability. For example:
Good governance requires clear accountability. We noted that some functional boundaries are not well-defined. For example, we noted that …
To achieve this very important governance foundation, we recommend that management clarify responsibilities and boundaries around accounts receivable, focusing on its relationships and hand-offs with information technology, operations, and shipping.
This type of discussion translates your audit planning into a discussion on the design of good corporate governance. It demonstrates your focus on the big picture and the importance of accountability.
Stage 2 – Organizational Efficiency
This stage moves beyond identifying Bob’s responsibilities and starts to consider whether those responsibilities, as defined, make sense.
Let’s say that Bob believes (and his manager agrees) that his responsibility includes disaster recovery testing for his Accounts Receivable system. Is that strategically aligned? Or should this responsibility be better assigned to someone in Information Technology? IT may have greater expertise and a big-picture sense to determine how best to test disaster recovery of this system.
Or, let’s go in a different direction. Maybe Bob identified some things that he is not responsible for. Maybe Bob has accounts receivable responsibilities for only seven of the eight product divisions. Does that make sense? Maybe. Maybe not.
You should view Bob’s responsibility within the bigger context of organizational efficiency and effectiveness. Consider if the responsibilities from Stage 1 are, in fact, strategically aligned.
Take time to analyze both the potential to subtract poorly-aligned responsibilities AND the potential to add responsibilities that seem to logically align. But tread lightly and with sensitivity. Moving and changing responsibilities can often have big, and sometimes unintended, consequences. These should be first documented as private recommendations. Then, as that discussion progresses and likely outcomes start to materialize, you can either include or exclude these items from your current audit scope.
If you have potential organizational changes that might make sense, you have a Stage 2 discussion point. This one is all about organizational (not departmental) efficiency.
We noted that Accounts Receivable conducts annual disaster recovery testing of its ARS system. This is an extremely important activity. We noted that Information Technology conducts a coordinated disaster recovery testing plan for most other systems, but not ARS. Information Technology’s approach allows them to achieve technical confidence of coordinated recoverability while minimizing any testing duplication. We recommend that management consider the potential advantages of transferring disaster recovery testing of the ARS to IT Operations
This type of discussion demonstrates your ability to identify opportunities to introduce efficiencies at an organizational level.
Next, review their intended approach
Stage 3 – Design of the Plan
This stage focuses on Bob’s plan.
How did he design his operations, controls, and monitoring to deliver on his responsibility?
Yes. Any issues from Stages 1 and 2 may change what’s included in Bob’s responsibilities. But at the moment, do not think about what should be; just focus on what is. Of course, if something has changed as a result of recommendations to management from Stages 1 and 2, simply adjust what you review here. In other words: adapt. Be agile.
It’s not about whether Bob’s plan is working. That comes later. To reiterate, this is simply about the design.
Here’s where you compare Bob’s processes with typical best practices for Accounts Receivable. You compare Bob’s control environment with the internal controls that might typically be in place. You look at common threats, including fraud opportunities, to see how Bob has addressed them in his procedures.
Any findings at this Stage will often relate to unmitigated threats or insufficient internal controls. Keep in mind that you are only reviewing the design. That means that you’re considering potential threats. You’re considering what could happen.
If you believe that you have some relevant opportunities to improve the design of the procedures and controls to make them more efficient or to better mitigate threats, that’s your focus for any discussions with management. Perhaps something like:
A common Accounts Receivable practice is to rely on the automated system to identify duplicate submissions of invoices. While this is an available feature within our system, it is not enabled. We recommend that management consider the cost and benefit of using this system feature to improve the control environment over potential fraud.
This type of focused discussion demonstrates your ability to understand the operating objectives of the department and bring a cost/benefit mindset.
Stage 4 – Cultural alignment
In Stage 3, you considered the design of the procedures when compared to Accounts Receivable best practices.
Here, in Stage 4, you are considering whether Bob’s procedures align with this company’s culture.
For example, some organizations may avoid outsourcing whenever possible. Others may emphasize flexibility through outsourcing as a key strategy.
In a different manner, some organizations might have an organizational focus on minimizing expenses. Other organizations may be very open about anticipating rapid growth. They want to be ready even if it means ramping up in a way that’s not cost-justified based on today’s volumes.
As an auditor, you will be uniquely positioned to see how the organization’s culture plays out in process design. You can see if the organization’s cultural imperatives are correctly considered in Bob’s approach.
If you believe that you have identified some procedural design issues that may contradict the organization’s culture, here’s where you’ll discuss them.
We’ve noted a general focus across the organization on careful expense oversight and we saw no improper expenditures within Accounts Receivable. But we did notice an overall approach that seems to emphasize active preparation for growth. While there are certain advantages to this approach, it would be difficult to identify a favorable payback given today’s transactional volumes. We suggest that management consider whether a new system and the associated expenditures are best aligned with anticipated growth.
This type of discussion demonstrate that you’re sensitive to organizational culture and you’re helping spread that culture throughout the organization.
Stage 5 – Procedural documentation and communication
This one’s simple. Are there good written procedures? In some circles these are referred to as “Written standard operating procedures” or written SOPs.
Good written SOPs are typically written at an appropriate level – neither too complex nor too basic. You should ensure all essential steps are documented; but where in doubt, lean toward brevity.
These SOP should encompass all of the operations (as we understand them). And they should consider where flexibility and judgment are allowed and where they are not. And, of course, these procedures should be be on hand and available to actually instruct and guide operations.
If we determine that the documentation should be improved, we might consider a discussion point like:
In our review, the design of the operations appeared to be sound. However, we noted that the documentation or dissemination of these procedures could be improved. We suggest that management consider …
This type of discussion demonstrates our ability to consider the impact of having a well-trained and motivated team.
Now it’s time to review how well everything is actually functioning
Stage 6 – Operational consistency
You’re past the design stage. That’s where you reviewed what they intended to do.
Now you’ll be considering if they are doing what they intended. This starts with the traditional audit “walk-through”.
You will talk with the staff. You will look at records. You will observe activities. You will ask about hypothetical situations to see how they would be handled.
If you notice that operations don’t actually align with the documented procedures, this may typically imply a lack of management oversight. Perhaps a stronger set of controls are warranted to better prevent or identify divergence from approved procedures.
Then, where appropriate, you will expand your walk-through testing to look at enough records to draw conclusions about any failures of procedural compliance.
If you determine that actual operations are not aligned with the documented processes, you may have a discussion point.
Although operations are well-designed and documented, we noted that reconciliations of cash deposits are not performed the following business day as required by procedures. Upon discussion with the staff, they indicated that it’s more efficient to wait until the third business day to allow backdating of missed transactions. This can decrease the number of reconciling items that require needless research. We recommend that management consider the balance between operational controls and operational efficiency. Once the appropriate balance is struck, we further recommend that management assure that the written procedures and the actual practices match.
Management should find it intuitive that their written procedures should align with their actual operations. This can only help with onboarding, cross-training, and control monitoring.
Stage 7 – Management oversight
Management should actively monitor the operational activities that are crucial to success.
This includes the potential for
- inefficiencies
- operating losses
- fraud
It’s not your role as the auditor to actively look for inefficiencies, although that might arise in Stage 3 (design) or Stage 6 (execution). Nor is it your role to identify operating losses or fraud. If these fall within Bob’s responsibility, he needs to be monitoring this.
And that’s the point.
Management should be keeping its finger on the pulse of its own operations. If you discover issues in Stage 6 that indicate activities are not actually matching up with the procedures, as-designed, that could indicate a lack of oversight and monitoring.
Even if you didn’t find any operating issues in Stage 6, you may have learned that issues, if they had occurred, would not have been identified. In that sense, you’re refining your assessment of the overall design based on the results of your walk-throughs and detailed testing.
Additionally, this stage gives an opportunity to review whether the SOPs (analyzed primarily for the sake of the employee’s workflows in stage 5) have any key oversight steps for management, and if not, whether there are any places where they should.
Accordingly, you might have a discussion point like this.
To maximize organizational cash flow, it’s helpful to record all accounts receivable receipts the same day as received. This is required in the written procedures and it usually takes place on the same day. Some receipts, however, are not recorded on the same day. Our review indicated that the recording of receipts, weighted by dollar amount, takes place an average of 1.3 days after receipt. We did not identify any receipts recorded beyond the third business day. The CFO indicated that an average of 1.3 days is not material to our operational cash flow. However, we recommend that management consider monitoring this important metric. Additionally, management should establish parameters to identify when activity falls outside of acceptable ranges. This could be monitored in several ways …
A discussion item of this type demonstrates your alignment with a culture of “no surprises”. If there are problems, they should be identified and addressed quickly before they get too big.
Stage 8 – Governance oversight
Back in Stage 1, you spoke with Bob about his responsibilities and how those responsibilities are measured. Back then, you were concerned with simply assuring that they were reasonably defined.
Now, it’s time to ask how well those metrics are actually acquired and reported.
This might call for some delicacy. Depending on the company and the department, metrics can be a cultural hurdle. Some departments or roles may not have a fully-developed requirement for metrics, so this may call for sensitivity at first. You may need to not only ask the following questions, but you may also need to explain them:
- What metrics are reported?
- Who prepares the metrics?
- Who reviews and monitors these metrics?
- Do they align with the responsibilities?
- Are they based on objective and meaningful data?
- Are they consistently and accurately derived?
- Is there a reasonable segregation of duties between those responsible for results and those accumulating the data?
- Are there clear boundaries that identify when a metric falls outside of acceptable performance?
- Are the boundaries reasonable?
- Was there evidence of follow-up when the metrics fell outside of these boundaries?
If there are concerns about monitoring and oversight, you might consider a discussion point like:
A key governance component is the oversight of operations to assure that they are running smoothly. If an issue arises, management should be notified quickly in order to focus its attention on that area.
Although we did not notice any operational issues, we did note that management oversight should be expanded to provide closer monitoring. The department currently reports metrics “A”, “B” and “C” monthly. While these are useful, management might consider the inclusion of “D” and “E” to provide a simple and more complete picture of the operations.
This discussion item demonstrates a very practical appreciation for good management technique. The right metrics, reported promptly, can head off many types of problems.
The big issue, of course, is effectiveness
Stage 9 – Quality of results
Through prior stages, you have assured that responsibilities are well-defined. You’ve looked at the design of the operations. You’ve looked at the operations in detail to assure that they are actually functioning as intended. And you have assured that there are reasonable metrics that should track if the activities are being executed as intended.
Now it’s time to step back.
Given all that you’ve seen, is it all working smoothly? Is the Accounts Receivable area delivering good results?
This is where you can compare your organization with industry benchmarks. It’s also an opportunity to consider anything else that caught your attention during a prior phase. Maybe, for instance, you had a sense that the staff were overworked. Or bored. Maybe staff attitudes weren’t ideal.
Assuming that there were no discussion points from any prior Stage, you still might have one here.
Although the area’s metrics are all favorable, we noted that its core benchmark of FTE-to-Receivables is 25% higher than industry averages. This may not indicate a problem; it may simply be a function of many other factors. We bring this to your attention so that you can consider it in relation to those other factors.
Perhaps more than other Stages, a discussion from Stage 9 might be subjective and should be handled discreetly in its initial stages. Discussions like this demonstrate that you’re a team player and you are willing to go above and beyond a typical department audit and achieve a real partnership mentality.
And, finally, it’s time to look to the future
Stage 10 – Resilience
Maybe your analysis in the prior stages has come up with meaningful recommendations. Or, perhaps the opposite – everything looks great, and you have no potential findings. Bob’s area could be a model of effectiveness and efficiency.
Either way, It’s now time to consider how the area might perform in the future.
You should now consider any foundational assumptions that are embedded in Bob’s strategies and procedures. Some might be perfectly reasonable today, but might not be so reasonable in the future.
For example, in 2020, operations drastically changed for many organizations. Assumptions about being able to work together, on-site, disappeared with COVID-19 restrictions.
Are there other assumptions that may not be as concrete as everyone had previously thought? For example, many organizations are finding it difficult to staff certain roles. This limitation might have been unthinkable a few years ago.
It may be useful to have a discussion with Bob. What are the limitations that he is starting to see? What trends might be important? Areas you might want to discuss include staffing, remote work, data security, climate change, inclusion, diversity, the regulatory environment, economic trends, and ESG reporting. Obviously, there may be many more that are specific to your industry, operations, or geography.
If there are assumptions that might be trending in the wrong direction, consider a discussion point like:
We’ve noticed that staffing is becoming an increasing challenge across all sectors. This may have an impact upon Accounts Receivable. We recommend that management consider this trend and its potential impact. Additionally, we recommend that management consider a regular, periodic discussion of trends, both positive and negative, that may impact the area.
Any points that arise from this discussion should be documented and forwarded to Risk Management.
This type of discussion demonstrates your strategic sense, your ability to monitor broad trends, and your talent for relating those trends to potential opportunities and challenges.
Summary
To be a change agent, we must be credible in all of our communications.
We often focus on our audit reports as our most important deliverables. And it is very important. But our ability to influence important change comes from all of our communications; both style and substance. Perhaps most important are the one-on-one discussions that take place long before an audit report is drafted. It’s these discussions where our credibility is often won or lost. It’s in these discussions that we can demonstrate our ability to be both factually correct and strategically relevant.
But discussions present challenges. It’s especially important to start off on the right foot. As auditors, it’s very easy to create defensiveness in others. That starts conversations off on shaky ground. And it requires effort to ease away from that initial defensive response so that you can have a productive discussion.
You must make the correct first impressions so that others are not trying to figure out your point of view or your motivation. If others must begin every conversation by simply trying to get on the same page, you’re asking a lot and making the conversation more difficult than it needs to be.
This is how the structure can help. You will have a clear focus for each discussion point. You can readily set the stage and make it easy for the other person to follow your path through the entire process. And each step in the process is simple and narrow.
For instance, by starting the discussion with “This is strictly about documenting clear responsibilities”, or “The procedures are fine; this is about the documentation”, you have allowed the other person to easily slide into the right frame of mind. You’re positioning the discussion in their terms.
A structured approach – and a communication style within that structure that is both direct and discreet – can supply you with the credibility to be more effective. It provides a large-scale organizational context for your abilities. It is both detail-oriented and delivers a human touch to your work and interactions. These are the hallmarks of credibility.
Discussions will be friendlier. More comfortable. Less combative and more collaborative.
You will be developing a reputation for credibility. And that’s how you become a trusted partner and a valuable change agent.
