In business, auditors are often portrayed as the bad guys. From an external audit perspective, auditors enter an organization with no true relationship with, or connection to, the auditee. The auditor may be viewed as an outsider whose mere purpose is to highlight wrongdoings. Yet, while internal auditors can also be on the receiving end of negative preconceived notions, they have a much better chance of developing relationship with the auditees’ enterprise if they have not established one previously.
Regardless of whether one is an external or internal auditor, they can use the same approach to kickstart audits. Auditors spend most of their time in conference rooms drafting the planning memo, audit procedures and other important artifacts. While those activities are essential to audit kickoff, the most overlooked—yet most important—activity is building a relationship with the stakeholder. The manner in which the auditor partners with the organization or team being audited is critical to successful audits. There are 3 main areas to consider for an effective audit.
Establish Trust
In both society and the workplace, communicating with people that one has never met can be difficult. In a workplace environment, the auditor has the upper hand. The auditor and the auditee have at least 1 thing in common: each support the organization's mission. This commonality creates a starting point for developing a trusted relationship with the auditee. One of an auditor’s many jobs is to help the auditee understand the objective of the audit, explain how the auditee is an important factor in meeting that objective and being transparent about the steps it will take to perform the audit and, ultimately, satisfy the objective.
If building trust is not a priority, there is a risk of substantially increasing the amount of time needed to complete the audit, as low trust tends to be time consuming and drives up cost.1 When there is a lack of trust, auditees are hesitant to share information about control processes and procedures. Thus, initial meetings are spent producing very little information and can result in the need for additional follow-up meetings or communication. As such, the organization may see an increase in hours in scenarios where a third-party consulting team has been brought in to conduct the audit. This can be prevented by investing more time up-front.
Taking the time to read materials and conduct research on the auditee’s role and activities prior to meeting with them shows that the auditor values their time. Listening to concerns the auditee may have with timelines and adapting to scheduling conflicts demonstrates that the auditor is flexible and understands the auditee might have other priorities. When trust is established, the auditor’s team will experience long-term benefits of being viewed as a partner within the organization, not an enemy.
Leverage Tools
Most mature audit functions have a set of tools or applications they use when conducting an audit. Such tools are great ways to create repetitive processes and outputs throughout the audit life cycle. The auditee is also likely to have their own tools. It is important to identify tools early in the audit and determine ways to employ them in audit testing. Using the auditees’ tools to complete the audit becomes a win-win for both parties, as it creates an opportunity for the auditor to operate independently and frees time for the auditee to spend on other projects or tasks.
What does this look like in practice? If the auditee uses a ticketing system to track access approvals rather than manually pulling all the samples the auditor has selected, the auditor can request read-only access to obtain the evidence for themself. If the auditee uses a work management platform to develop process workflows, the auditor can request a readout directly from the tool rather than creating a workflow based on the information they gathered from walkthroughs. Finding ways to employ the auditee’s tools in daily audit work will not only please the auditee, but it will also show the auditor’s willingness to be flexible and further build trust.
Avoid Surprises
A final point in conducting an effective audit is for the auditor to do their best to ensure that throughout the audit life cycle, the auditee is aware of how things are progressing and is at no point taken by surprise. This can be accomplished by building trust, constantly communicating and being transparent. From planning to post-audit, the auditee should be a passenger on the audit train, receiving information at each stop of the journey.
From planning to post-audit, the auditee should be a passenger on the audit train, receiving information at each stop of the journey.
What does this look like in practice? During planning, auditors should communicate the audit scope and objectives with the auditee. Auditors should also inform them of the walkthroughs the audit team plans to schedule and conduct and the time commitment expected from their team. During fieldwork, auditors should forewarn auditees of possible issues the audit team could encounter, thus granting the auditee the opportunity early on to address potential miscommunications or discrepancies in audit testing. Throughout fieldwork, the audit team should also continuously communicate the status of audit testing (i.e., what has been tested, what remains). Once the close of the audit approaches and the auditor communicates findings (if any), the end of the audit should consist of a seamless discussion and audit report issuance. As an auditor, keeping the auditee informed throughout the entire audit life cycle provides yet another opportunity to build trust and partnership.
Conclusion
Auditors have a wide breadth of technical skills that are essential to conducting effective audits. It is those technical skills that often give the auditee assurance that the auditor knows what they are doing and can provide true value to their organization. Yet soft skills continue to be ignored, undervalued and deemed irrelevant. Trust-building, business collaboration and adequate communication are soft skills that are immensely important for conducting effective audits. It is extremely beneficial to an auditor to value these skills because, ultimately, an auditor needs a strong relationship with the enterprise to be viewed as a trusted advisor, keeping the door open for new opportunities to partner with the organization and continuously help identify and mitigate risk.2
Endnotes
1 Trust Edge, 2022 Trust Outlook, USA, 2022
2 Datt, S.; “A Rise in Collaboration Between Internal Audit and IT Is a Welcome Trend,” @ISACA, 11 May 2020
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Auditee Buy-In—A Key Component of Effective Audits” episode of the ISACA® Podcast.
Steve Jackson, CISA
Is a technology audit manager at Airbnb where he primarily leads the execution of technology-based audits and special projects. He has more than 10 years of professional experience in IT audit and compliance. He has performed external audits of various government agencies and led internal audit teams for public and private enterprises.