Quarterly: Fall 2020 - Arnold Perez
Change Happens. Are you Ready for it?
Change happens. Engagements must pivot to respond to change. During our risk management audit, change became a recurring theme that tested our process. In doing so, we gained a greater appreciation for its design.
Changes in Auditees
Our risk management audit entrance meeting began, like similar engagements, with discussing the scope and objective with the department representatives. For this review, it was the department head and the risk manager. As the engagement continued, we communicated with the auditees during the phases of the audit. During the fieldwork phase, the risk manager left county service. A few months later, the department head retired and an acting director was appointed. A few months after that, the risk management function was reassigned to an entirely different department. It was a cascade of change, and each time we had to ensure that we established a relationship with the new auditee. How did our process respond to this?
Changes to our Audit Plan
Each audit engagement has a plan that we implement. It has been designed to consider risks such as: the risk that we reach the wrong conclusion, IT related risks, and the risk of fraud. We evaluate the likelihood and design steps in the plan to address each of these.
So, what do you do when your auditee and point of contact change?
The audit plan gets adjusted. For example, the length of the engagements should be adjusted to accommodate the time needed to reassess previously identified risks and look for potential new risks. Some steps may be removed or new steps added based on the revised assessment results. During our engagement, we included additional fraud testing due to the nature of the claims process. Spoiler alert: if you haven’t read the audit, please skip the following sentence. We did not find indicators of fraud in the items tested.
Constants in our Engagements
Criteria: The engagement’s criteria are an elemental factor. The stronger the criteria, the less the chance that doubt may be cast upon them. Despite the many changes under which the risk management audit engagement was conducted, no new auditee disagreed with the criteria. We believe that the strength of the risk management audit’s criteria came from its grounding in direct local ordinance, departmental policies & procedures, and relevant best practices.
Open communication: Our shop’s operations manual includes many formal communication milestones with the auditee as the engagement unfolds. The informal communications—emails, phone calls or dropping by someone’s office—are just as important. During our risk management engagement, we utilized both formal and informal communications. This approach allowed opportunities to reiterate the entrance conference message and provide an opportunity for the auditee to ask questions about the engagement. As the fieldwork came to an end, we discussed our preliminary findings with the auditee and moved to the reporting phase. Open communication was essential as we developed the written report to ensure we provided context to the reader on management’s efforts to address the issues identified.
Effective at Managing Conflict by Design?
Operations manual: Our audit shop’s operations manual provides a roadmap for staff on how to conduct an engagement. Revisiting it during times of change allows you to reflect on how that change affects your engagement. Our shop is small, so there isn’t a particular section that covers an auditee change. What it does have is a framework that I revisited, re-running the process while accounting for the change presented. Going over it reminded me to conduct reassessments, to establish new lines of communication with the new auditee, how to document our work, and many other tips to ensure the engagement met standards.
Office Motto: Nobody gets Blindsided.
During the reporting phase, our general process includes a courtesy meeting with each of the associated departments to discuss the relevant report sections. The Auditor-In-Charge (AIC) coordinates group or individual meetings. The balance between creating opportunities for feedback and audit engagement timelines is challenging, but the AIC must evaluate it for each engagement.
If I had to pick one influential element of this engagement’s success, I’d choose our management team’s support in allowing for responsive timelines. If a shop is too focused on process, timeframes, and canned communication, it may find it difficult to work with its auditee. With too much flexibility in process, timeframes, and communications, you may find an overextended audit engagement that may not be up to standards.
Where’s the beef?
For the risk management audit, we didn’t have any. Though the risk manager and reporting department changed, there were no objections to the design, criteria, objectives, conclusions, recommendations or final report.
Mind the Fundamentals
As the AIC in the risk management audit, what I believe helped me during the many changes was sticking to the fundamentals. The engagement was based on solid criteria, we maintained open communication throughout the engagement, and when confronted with change, I revisited the operations manual.
About the Author
Arnold Pérez is a Performance Auditor in Clark County, Washington. He has been practicing auditing for over 7 years and has worked for several other levels of government in many capacities. He is currently a member of the Online Resource Committee and has presented at previous ALGA conferences.