So let me get this straight: You are going to enter a business partner meeting without clearly understanding the process, testing, or data you are about to discuss (and question), and you think you will feel confident in that meeting? You think the business partner is going to believe that the audit team is there to provide guidance to assist them in doing their job (achieving the business objective) in the most efficient and effective manner with less rework? Not a chance. When it comes to the data, the auditor must not only understand the details of what information is being questioned (even when the meeting facilitator did not complete the testing in question), but also the source of where the data originated. Too many times, audit and client meetings get sidetracked because the auditor could not explain where the data in question came from.
One of the critical factors when it comes to mastering the data is to ensure and verify that the data source is pure. The best way to define pure when it comes to the data source is to validate that the data you have received from the client and are using in the testing is the complete, best source of data available. Complete means it contains all of the pertinent fields required to complete the business task. Also, verify the data is the most current and up to date available at that time for testing. Once you have confirmed the data source is pure, you can be confident when discussing the data there is no opportunity for the data to be discounted. Auditors must be aware that experienced business owners will respond to issues of potential exceptions or questionable business personnel actions by casting doubt on where the auditor got the data (the source). Do not be blindsided; make sure you have obtained the purest source of data available. The business owner might try to twist the data itself, but there is no hiding from data.
In every one of the meetings you have with the business owner, prepare effectively by confirming the meeting objective prior to the event and mastering the data. Then remember one additional key to effective meeting facilitation and relationship building with your business partner: Never try to defend the questions you are asking. When asking questions or clarifying potential exceptions with your business partner, always use the data to support (not defend) the specific questions being asked. The data will drive the support for your message and will always give you the confidence as you seek clarification for questions posed.
This book has been created based on the Beyond Audit methodology, which has been developed with communication as the foundation to support the learning and execution of internal audit activities from risk-based engagements through to the communication of results to business partners and committees. There are specific excerpts of the Beyond Audit methodology, techniques, and templates mentioned throughout as well as references to access on-demand videos and interviews (www.beyondaudit.org) illustrating critical concepts, techniques, and templates. As you proceed through the pages, there will be discussions of the skills and techniques to ensure the internal audit team can successfully navigate the ever-changing demands and requirements of remote auditing. Included in this remote environment lesson will be how the focused skillset has changed, marketing your revised audit approach, ensuring your audit team understands the internal audit mission and objective, and review of the methodology keys from objective identification to execution, reporting, and action plan adoption. Also, it includes new techniques to not only evaluate your department's efficiency but track audit's progress when it comes to key deliverables. As always, the book will wrap up with education, training, and development suggestions so you can create a high-performing, world-class audit team.
CHAPTER 2 Understanding the Remote Approach
ANY TIME YOU ARE assigned an audit, the typical steps kick in as you prepare and pull together the planning requirements according to your specific audit methodology. At a minimum, you will establish the audit in your database, select a team (unless you have been assigned one), review previous audit work in the area, and begin the planning phase and all the corresponding requirements. The good news is that all of the standard audit activities you would perform for any audit will remain the same even though you will now be performing this audit remotely. So, what is the big deal? Whether the audit team is executing the audit in the office or within the business unit (the preferred approach) or doing it remotely, the auditor will still have to understand the business process, gather intelligence and data, test the data, and report the results. Simple.
TRADITIONAL VERSUS REMOTE AUDIT
Performing an audit remotely is not as straightforward and simple as you might think. There are thought perspectives that believe remote auditing is actually easier than in-person auditing. Think about that – there are no business disruptions, which are a constant complaint from your client. The audit team can just focus on the job at hand and evaluate the data and process under review. While that may sound like the utopia of audit (no direct client interaction and just review and testing), that is a bad assumption. Take a moment and consider how challenging it is to get someone from the business team to meet with you or give you inquiry access to their system; why no one from the business team has time to take another auditor through the business process; how long you have to wait for documentation you requested; why no one from the business team has time to discuss potential findings. Now there are exceptions where some audit clients are the most accommodating, open, and forthcoming business partners and will provide the time, data, and information needed to complete any audit request. But make no mistake about it, those types of clients are few and far between. Most clients view audits as a disruption to their day-to-day operations and no business personnel has time to waste educating the audit team on the business operations that the process owners believe the audit team should already know. I know it's an unfair assumption, but it is real.
To emphasize and illustrate the remote audit approach concept, let's discuss how we as traditional auditors can effectively and seamlessly switch gears and go from the in-person approach to a remote evaluation of critical business processes. As in every assigned audit, the auditor should begin with an understanding of the audit objective. Unfortunately, most audit teams get assigned an audit and never bother to review the annual risk assessment to determine why this audit was included in the annual plan. The auditors just figure that the annual planning was completed, and it was decided to include this audit in the current year. What the auditors do not realize is that the information compiled in the annual audit plan provides a solid foundation as to what the business process includes, key personnel, systems utilized in the business process, as well as any potential process risks. Also included in the annual planning documentation is the audit history, which details when the area was last reviewed, what the audit rating (opinion) was, and issues identified that required management action. Auditors might not recognize how valuable this information could be, especially when it comes to auditing remotely. I will admit, not reviewing the annual planning documentation is probably less impactful when executing a traditional audit but it is significantly detrimental when performing a remote audit. Why? you may ask.
Compare the two approaches. In the traditional audit, you will get to meet the key players in person during an opening conference and walkthroughs and review the previous audit report (hopefully) as you plan. Conversely, in a remote audit, you will be given the names of the key players, but never meet, and you will not get to sit face to face with a processor during the walkthroughs and have to sort through those details via policies and procedures and follow-up questions. Definitely not as easy as it may sound. Additionally, by reviewing the annual planning documentation, the auditor receives valuable background information on the business process as well as the context in which the review was completed