You are on page 1of 6

A kinder, gentler audit: successful audit reports don't pull any punches, or blindside recipients.

A tactful approach can lead to a satisfying, constructive outcome for all parties involved
By Lawrence De Berry

IN 1513, NICCOLO MACHIAVELLI WROTE in The Prince, "There is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely lukewarm defenders in those who would gain by the new one." In a very real sense, changes proposed by an internal auditor are viewed in the same way as a new system. Most organizations are not staffed and managed by Machiavellian conspirators. Instead, they are typically composed of intelligent, well-intentioned individuals who are committed to seeing the organization succeed. So how do internal auditors get these good people to embrace changes recommended in the audit report? Suppose you've put some effort into landscaping your front yard and take pride in its appearance. Your neighbor, a representative from the homeowners association, comes to your door and says the yard falls below neighborhood standards. He also says he has put together a fertilizing, watering, and maintenance schedule that, along with other suggested modifications, will bring the yard up to standard. Like most people in this situation, you would likely resist the recommendations or perhaps implement them grudgingly and do the bare minimum required to meet association guidelines. By contrast, suppose this neighbor never knocks on your door to discuss the landscaping but instead invites you to his house for a barbecue one weekend. While at the event, you compliment the neighbor on his yard and say you wish yours were as lush as his. He tells you that his lawn grass variety is the same as yours; the secret is in the fertilizer and watering schedule, which he happily shares with you. In this scenario, would you be more inclined to follow his suggestions? The success of audit reporting is determined largely by the attitude and specific approach with which internal auditors carry out their duties. When handled appropriately, and with sufficient tact, the reporting process can proceed as smoothly as a backyard barbecue. Five rules, in particular, can help auditors not only achieve greater reporting effectiveness, but also bring about positive organizational change.

RULE 1: TREAT CLIENTS WITH RESPECT During a recent fraud investigation I conducted, the perpetrator thanked me at the final interrogation for the respect with which I treated him. He was extremely grateful, even though the company had just terminated him and subjected him to fairly draconian restitution obligations. Even people who knowingly and deliberately commit wrongdoing deserve to be treated respectfully. These individuals may be fighting personal demons, and internal auditors should look upon them with no less humanity than they would anyone else. Moreover, suspected fraudsters may still have extensive social networks in the organization, and the way auditors treat them could impact morale as well as the auditor's ability to function effectively even on routine assignments. If the auditors have done their job well, they will have the necessary facts to conduct their work--there is no need to denigrate anyone in the process. Auditors who follow this first rule ensure their clients are well-prepared for the audit report. They share results with clients as the engagement progresses, noting issues along the way. They discuss items that might represent control concerns or efficiency issues directly with those responsible for the areas involved. Before issuing their report, these practitioners already know if the client will agree with the findings, and they've provided their thoughts for mitigating control risks or crafting more effective processes. RULE 2: GIVE CLIENTS THE BENEFIT OF THE DOUBT When auditors disagree with clients' work processes, they should never assume the clients arrived at their approach out of ignorance or incompetence. Staff and management perform their jobs day in and day out; it is their life. Auditors look at client processes as outsiders, and the limited time allotted to individual assignments may preclude them from correctly placing all pieces of the puzzle. Thus, while client methods may seem unusual or wrong at first glance, valid reasons may exist for their decisions. Auditors need to maintain humility, recognize their own fallibility, and give clients the benefit of the doubt. Internal auditors should give clients credit for doing what they believe is right, even if their actions eventually prove wrong or misguided. For example, auditors can remove significant barriers to change by saying, "I understand your approach, and it makes sense in the context of what you've learned or what you've previously been trained to do on this job." This type of acknowledgement can help disarm clients and make them more receptive to constructive feedback. The auditors can then say something like, "We'd like to share with you some new

information that has bearing on this issue." When auditors later follow up by seeking client input on practical solutions, the client will be more inclined to feel part of the solution and more likely to implement recommended changes. Clients have a greater tendency to buy into the process and take ownership of the recommendations when their input is solicited. At my organization, clients often implement changes well before the audit report is issued because they want to move forward with identified processes or control improvements as quickly as possible. RULE 3: PICK YOUR BATTLES CAREFULLY Not all audit issues are worth pursuing. Effective auditors know when to persist with their findings and when to back away. Audit comments usually fall into two broad categories: control-related comments and those related to effectiveness or efficiency. Each of these categories generally breaks into two subcategories: minor or serious. Internal auditors need to recognize these important distinctions. If the auditors find a serious control weakness without any mitigation in place, they must report it and ensure the client understands that internal auditing has no choice but to do so. Auditors do have a choice, however, in determining how reporting issues are framed. When auditors find a significant effectiveness or efficiency issue, they must obtain agreement and buy-in from the individuals who would implement recommended changes. Effectiveness issues are not black or white. They pit the auditor's opinion of effectiveness against that of the client who does the job day in and day out. If the auditors do not reach an agreement with the client but still want to make a recommendation, they are forced to butt heads with personnel who are intimately involved with the processes in question. Pursuing effectiveness and efficiency issues aggressively with upper management typically results in one of two possible outcomes. In the first scenario, the auditor accomplishes nothing because the personnel doing the job every day possess more credibility on judgment calls than the auditor. From then on, clients will likely be discouraged from cooperating with the internal auditors-a side effect that may well spread to other areas of the organization. In the second scenario, the auditor wins the battle but loses the war. Although the auditor may be able to convince management that a change is necessary for the good of the company, the clients forced to implement this change may become hostile toward members of the audit department. Clients will likely seek ways to prove the system change is unnecessary, unworkable, and counterproductive. In

the end, there is a strong likelihood they will return to their old methods and procedures. To avoid unnecessary, relationship-damaging conflict, internal auditors need to choose their battles carefully. They must try to convince clients to recognize the wisdom of fixing problems identified during the engagement. If these efforts fail, and the problems represent a serious control issue, the auditors need to apologize for the stalemate and explain that they are obliged to report the problem and the risk associated with it. If the issue is not control related, the auditors should let it go--there is no point in creating ill will when little upside potential exists. Internal auditing can still mention the issue informally to management and discuss the benefits of making a change, but this discussion should not be placed in the report. If managers see value in the idea, they will address it on their own. When auditors report a control weakness without reaching agreement with the client, they must handle the report with care. They need to explain why the control is not in place and why those running the process believe they should not implement the control. In many instances, resource constraints prevent clients from responding to control needs. The auditor's job is to ensure that management is aware of the deficiency and the risk associated with it, and explain both the severity and likelihood of the risk as clearly as possible. Controls cost money, and management must decide if it wants to spend that money or simply treat the risk as a cost of doing business.

RULE 4: ACCENTUATE THE POSITIVE Although following the first three rules should result in a constructive, professional audit report, internal auditors must still be mindful of the overall need to maintain a positive approach to the reporting process. Regardless of the assignment, auditors must always be able to communicate results and recommendations without using negative or accusatory language. Even in areas where significant deficiencies exist, there is no need to say something like, "Department personnel are not doing what they are being paid for, and they need to start pulling their weight." Instead, auditors can use a more constructive approach: "This department has significant challenges, and we have identified several areas where improvements can be made. We have agreed with department management on appropriate changes to address the concerns identified."

When significant findings must be reported, such as during a fraud investigation, auditors can get their message across by simply stating the facts and avoiding editorial comments. Emotionally charged, subjective language can be tempting to use when the auditor feels strongly about a situation, but it is ultimately counterproductive. Auditors need to avoid this temptation by remaining objective and keeping their work on a professional plane. Moreover, they must be sure to give clients credit for their positive achievements, rather than only discussing problems or weaknesses. The old homespun expression many of us learned from our mothers remains valid: "You catch more flies with honey than with vinegar." A positive approach and positive language draw people into dialogue; a negative approach usually results in walls erected to keep auditors and their new ideas at a distance. RULE 5: BE INFORMATIVE To ensure clients read and clearly understand report content, internal auditors must pay close attention to the document's substantive content and structure. Reportable issues need to be developed fully and presented in a cogent manner. Moreover, audit reports need to be persuasive, especially to readers who have not received any prior exposure to the audit. The most effective, best-crafted audit reports are based on well-developed, detailed comments. To ensure comments are informative and useful, internal auditors can follow the development criteria found in Sawyer's Internal Auditing, 5th Edition, which cites five audit-comment elements: * The criteria are the rules, principles, or guides that lead the auditor to believe a problem may exist. Auditors must have a clear understanding of criteria to articulate them to others. * The condition explains what's being done (i.e., the client's process), focusing only on the facts. The description should be communicated clearly, without judgmental language. * The cause helps explain any deviations from the criteria and account for why these deviations exist. * The effect answers the question, "So what?" That is, what are the potential consequences of the condition? Without a cogent effect, the auditor has not established that a problem exists and does not have a valid audit comment. * The recommendation describes the actions for management to consider. The internal auditors' job is not just to "throw rocks" but to help find solutions. They

must find an agreeable solution to the condition, or an approach to finding a solution, to which all are parties are willing to commit and follow. Auditors should also consider a sixth element not covered in the Sawyer text--the response. Management needs to be comfortable with not only the ideas discussed but also with how those ideas have been presented in the report. Responses give management an opportunity to provide feedback on the report findings. Moreover, that feedback helps auditors gauge the effectiveness of their work. Each of these elements is essential to effective detailed audit comments-neglecting to incorporate any one of them will leave readers wondering why reported issues require change or whether the changes suggested would lead to improvement. Detailed comments are the foundation for the summary report to senior management and the audit committee, and internal auditors must keep this audience in mind when drafting them. The summary should contain the auditor's conclusions and opinion and convey the essence of the detailed comments. Auditors should keep the summary brief, ensure the content is accurate, and focus on presenting solutions, not problems. AGENTS OF POSITIVE CHANGE During his presentations to company employees, my boss often uses a cartoon to illustrate a point about teamwork. The image shows a rowboat with a small group at each end of the craft--one end is in the air and the other is resting deep in the water. The partially submerged group is shown bailing out water. The group on the high end, safe for the time being, says something like, "It's a good thing we're not on that end of the boat." When conducting their work, internal auditors need to remember that they are part of the organizational team. Practitioners should approach each engagement with a cooperative mindset and continually seek ways to help other employees and make their jobs easier. They should remember that, for many clients, auditing can be seen as an intrusive, disruptive process. After all, internal audit work essentially boils down to walking into employees' personal workspace, looking over their shoulder, and making value judgments on their performance. Any engagement can be an intimating proposition for the audited group, and the power wielded by internal auditors should be handled responsibly. To obtain optimal results, auditors must conduct themselves in a way that encourages clients to see them as a trusted counselor. As agents of positive change in the organization, auditors need to become valued insiders--not outsiders who cause others to put up their guard and resist constructive change.