Print Page | Contact Us | Sign In | Become a Member
Quarterly: Fall 2020 - Arnold Perez

Change Happens. Are you Ready for it?


By Arnold Perez

Change happens. Engagements must pivot to respond to change. During our risk management audit, change became a recurring theme that tested our process. In doing so we learned a greater appreciation for their design.

Changes in Auditees

Our risk management audit entrance meeting began, like similar engagements, with discussing the scope and objective with the department representatives. For this review, it was the department head and the risk manager. As the engagement continued, we communicated with the auditees during the phases of the audit. During the fieldwork phase, the risk manager left county service. A few months later, the department head retired and an acting director was appointed a few months after that risk management function was reassigned to an entirely different department. A cascade of change and each time we had to ensure that we established a relationship with the new auditee. How did our process respond to this?

Changes to our Audit Plan

Each audit engagement has a plan that we implement. It has been designed to consider risks such as: the risk that we reach the wrong conclusion, IT related risks, and the risk of fraud. We evaluate the likelihood and design steps in the plan to address each of these.

So, what do you do when your auditee and point of contact change?

The audit plan gets adjusted. For example, the length of the engagements should be adjusted to accommodate the time needed to reassess previously identified risks and look for potential new risks. Some steps may be removed or new steps added based on the revised assessment results. During our engagement, we included additional fraud testing due to the nature of the claims process. Spoiler alert: if you haven’t read the audit, please skip the following sentence. We did not find indicators of fraud in the items tested.

Constants in our Engagements

Criteria: The engagement’s criteria is an elemental factor. The stronger the criteria, the less the chance that doubt may be cast upon it. Given the many changes the risk management audit engagement was conducted under, no new auditee disagreed with the criteria. We believe that the strength of the risk management audit’s criteria came from its grounding in direct local ordinance, departmental policies & procedures, and relevant best practices.

Open communication: Our shop’s operations manual includes many formal communication milestones with the auditee as the engagement unfolds. The informal communications—emails, phone calls or dropping by someone’s office—are just as important. During our risk management engagement, we utilized both formal and informal communications. This approach allowed opportunities to reiterate the entrance conference message and provide an opportunity for the auditee to ask questions about the engagement. As the fieldwork came to an end, we discussed our preliminary findings with the auditee and moved to the reporting phase. Open communication was essential as we developed the written report to ensure we provided context to the reader on management’s efforts to address the issues identified.

 

Effective at Managing Conflict by Design?

Operations manual: Our audit shop’s operations manual provides a roadmap for staff on how to conduct an engagement. Revisiting it during times of change allows you to reflect on how that change affects your engagement. Our shop is small so there isn’t a particular section that covers an auditee change. What it does have is a framework I revisited and re-ran through the process holding for the change presented. By going over it, it reminded me to conduct reassessments, establish new lines of communications with the new auditee, how to document our work, and many other tips to ensure the engagement met standards. 

 

Office Motto: Nobody gets Blindsided.

During the reporting phase, our general process includes a courtesy meeting with each of the associated departments to discuss the relevant report sections. The Auditor-In-Charge (AIC) coordinates a group or individual meeting(s). The balance between creating opportunities for feedback and audit engagement timelines is challenging but the AIC must evaluate for each engagement.

Risk management, as a county process, was anchored out of the risk manager’s office but it was in collaboration with multiple departments of some separately elected officials. Our office approach is to meet with associated departments. For this engagement they were: Human Resources, the Sheriff’s Office, the Prosecuting Attorney’s Office, and Public Works. During scoping, fieldwork, and the report writing phases, our office communicated with the varying departments. As the claims data was analyzed, processes evaluated, and conclusions made, we reached out to the various departments to discuss our work. Each discussion was an opportunity to ensure that our assumptions were accurate and for the departments to provide greater context relating to our conclusions.

Management Support

If I had to pick one influential element of this engagement’s success, I’d choose our management team’s support in allowing for responsive timelines. If a shop is too focused on process, timeframes, and canned communication, they may find it difficult to work with their auditee. Too much flexibility in process, timeframes, communications, and you may find an overextended audit engagement that may not be up to standards.

During the risk management audit, our shop’s manager was very understanding of the challenges for both the staff and auditee. His support was not only evident in providing for a longer process, but for effectively communicating to our own department head about the efforts taken to accommodate the changing engagement.

Where’s the beef?

For the risk management audit, we didn’t have any. Though the risk manager and reporting department changed, there were no objections to the design, criteria, objectives, conclusions, recommendations or final report.

Mind the Fundamentals

As the AIC in the risk management audit, what I believe helped me during the many changes was sticking to the fundamentals. The engagement was based on solid criteria, we maintained open communication throughout the engagement, and when confronted with change, I revisited the operations manual.

So, if you currently find yourself in any phase of an audit, pause and reflect on this, change happens. Are you ready for it?

About the Author

Arnold Pérez is a Performance Auditor in Clark County Washington. He has been practicing auditing for over 7 years and has worked for several other levels of government in many capacities. He is currently a member of the Online Resource Committee and has presented in previous ALGA conferences.