By developing strong working relationships with their clients, internal auditors can streamline the audit process and gain a better handle on the risks facing the organization, as they’re more likely to be apprised of issues in the early stages.
Conversely, a “gotcha” approach, in which internal audit focuses solely on its watchdog role, can prompt skepticism and lead audit clients to keep their distance. The result often is a less efficient process that fails to capture all the risks the organization faces.
To be sure, internal audit needs to remain independent. However, auditors can maintain independent while developing stable relationships with audit clients.
Below, we highlight six core areas in which internal auditors can focus to improve their relationships with audit clients.
Start building relationships before the audit
No relationship can be established overnight. Auditors need to begin building their relationships with audit clients long before the audit is scheduled. Before developing the audit plan, Constance Snelling, Interim Audit Director at Jackson National Life Insurance, and her team meet with audit clients to gain an understanding of their perspectives and concerns. She believes transparent; open communication goes a long way in building trust and respect.
You’ll also want to let audit clients know what they can expect during an audit. If they have a realistic grasp of the time commitment required, audit clients are less likely to be blindsided by routine requests for time or information.
In addition to audit clients, helping the executive team understand internal audit’s purpose, operations, and value can prompt them to open doors in other areas of the company.
“Never stop educating the audit committee and C-suite about internal audit,” says Joel Kramer, Managing Director of MISTI’s Internal Audit Division.
Learn the business
It’s imperative to understand that education goes both ways.
Building a knowledge base before you meet with a process owner goes a long way, according to Glenn Sumners, Director of the Center for Internal Auditing at Louisiana State University in Baton Rouge. By failing to do so, internal auditors can quickly lose credibility if they expect the process owner to explain his or her department, he says.
This can start with a simple online search. As Sumner notes, understanding an organization begins with understanding the industry in which it operates. For instance, an internal auditor at a college or university might review demographics to determine if the number of students is increasing or decreasing, the percentage of classes that are moving online, and trends in university budgets. All will shed light on risks facing the institution.
A solid understanding of the industry also helps internal auditors zero in on the risks to target. Conversely, a focus on unnecessary risks can annoy audit clients and leave the impression the auditor isn’t up to the job.
Communicate, act courteously during fieldwork
If audit clients don’t know why their area was included in the audit, they’re apt to assume they’re in trouble or internal audit is out to get them.
It might not occur to them, for instance, that the reason they were chosen was to take the best practices in place at one location and use them in other locations. When possible, internal audit should let the client know why his or her area was included in the audit plan, says Sharon Lindstrom, Managing Director of the Internal Audit and Financial Advisory Practice with consulting firm, Protiviti.
Remember that simple courtesy can go a long way. A starting point is the audit schedule.
Accommodating the audit client’s other workload demands, when possible, can help build rapport and smooth the audit process. For instance, you’d probably want to avoid scheduling the audit when the client is implementing a new software system. Not surprisingly, most audit clients also appreciate having a reasonable amount of time to respond to requests.
During the audit, keep in mind that a functional area may have a different understanding of the concepts of risk and control.
“When working with stakeholders who don’t have a background in risk, the words don’t mean the same,” Snelling says. A department may believe it has comprehensively defined their risks and controls, and yet internal audit finds shortcomings. It becomes an educational process for both sides, she adds.
The audit team may identify additional, material risks or controls, while the operating unit may know of back-end controls the audit team is unaware of.
Use judgment when preparing the audit report
Use discretion when deciding what to include, and how to cover it. Immaterial mistakes that don’t constitute a pattern typically can be discussed with the supervisor and left out of the report, says Barry Lucas, Internal Auditor with Desco Federal Credit Union.
More serious issues, of course, need to be included. Even here, however, the auditor can first check his or her understanding of the issue, and ask about mitigating circumstances that may have been overlooked. Unless fraud is a concern, try to avoid going above the supervisor before talking with him or her, Lucas adds.
Offer actionable recommendations
A common complaint about audit reports is that they don’t tell the business units anything they didn’t already know, Lindstrom says.
In an audit report of a company she previously worked with, there was a section that highlighted issues management identified, up to about one month before field work began. That way, management gets credit for determining the problem, and perhaps help mitigate it.
Generic recommendations also do little to bolster the relationship with audit clients.
“Identify feasible, tactical recommendations,” Lindstrom says, including both short- and long-term fixes. For instance, if a unit needs several months to implement a specific control system, the report can identify a manual intervention to use in the meantime.
The end goal should always be to add value.
“You have to bring something to the table,” Sumner says. “You can’t just find defects and report on noncompliance.”
While identifying these defects and noncompliance remains key to the audit function, auditors can add value by also identifying all risks to which the client is exposed, as well as ways the client can operate more efficiently and effectively in pursuing its objectives.
Any discussion of internal auditors forging stronger relationships with audit clients inevitably prompts questions about independence. Does a strong auditor-client relationship compromise auditors’ independence?
Sumner says the opposite can be true—that an auditor who is a valued, worthwhile business partner enhances his or her independence. “That credibility helps establish independence,” he says.
At the same time, auditors must take steps to protect their independence and objectivity. They can review materials from a control perspective, but can’t design the controls or determine which risks to accept.
“Auditors need to collaborate, not alienate,” Phil Benvenuti, Senior Director of Internal Audit with Pegasystems Inc. says. He notes that his team will incorporate management’s concerns into its test designs, but also applies its own risk assessment in testing.
“I call it auditing with our auditees, rather than auditing at them,” he says.