Richard Brett CQP MCQI, Vice Chair of the Audit SIG, recently retired after a long career with GSK, which included almost 20 years working as an auditor. Here, he reviews how auditing practice has changed, and what he learned during his career, and offers some advice for the next generation of auditors.
When I started my career as an auditor, internal and external audits were conducted in a similar way. Information had to be teased out and there was an element of ‘If you don’t ask, I’m not going to tell’. Consequently, audits could sometimes be confrontational, leading to a more aggressive and challenging approach – on both sides!
This way could be effective in identifying issues, but less so at getting to the root cause(s). It often resulted in auditors telling management what they already knew, leading to questions about the value and effectiveness of the audit process. Internal auditors at the time were often similarly mistrusted, and seen as the ‘internal police’ – a group to be wary of, or even feared.
There was a step change in the effectiveness of internal audits after the adoption of a ‘total disclosure’ approach. This is where the auditees inform the auditors of the risks and issues they are dealing with, and what they are doing about them. The auditors could then assess how well those risks and issues are being managed, and focus on looking for unknown risks and potential issues that could have an adverse impact on the business.
This more collaborative approach enables auditors to provide greater insight into the management of risks and issues, and the state of internal controls. The audit team, therefore, fulfils its role of providing independent, objective assurance to key stakeholders, such as the board of directors and senior management.
What works well, and what should auditors do more of?
Auditees are likely to be nervous and concerned about the audit process and the possible results. The lead auditor should open an early dialogue with the auditees, and be as transparent as possible.
Tell them where you are going and what you are looking for. This will help them to be much better prepared.
Ensure that your pre-audit requests are focused on accessing key information and data, and that you review it properly. Don’t ask for information that you probably won’t look at.
Be respectful. Recognise that being audited feels personal, so ensure they understand it’s the process or system being audited, not the person.
Recognise that while they are the experts in their processes, you bring a different perspective.
During the audit fieldwork, use your senses actively. Listen to – and watch – what they say and how they say it. Equally important is what they don’t say – what is missing can provide great insight. It is also important to give the auditees time to think after you ask a question, as not everyone has the answer at their fingertips.
It is essential to ensure that you have understood the evidence correctly. Whether it is a verbal answer, or a conclusion based on data review, “trust, but verify” (to quote the US Food & Drug Administration). This will help you to draw the right conclusions about the issue and any potential root causes (if applicable).
Understanding the local and organisational cultures is also key to a successful audit.
What are the standard ways of working and behaviours?
What are the ‘do’s’ and ‘don’ts’?
What are the hierarchies and how do they work?
What communication methods and styles are most effective?
If you are part of an audit team, use all the members’ different strengths and qualities. Challenge each other – positively – and work together to get the right, and best, result.
When writing the report, start by considering who the recipient is. The audit report is in effect your product. You, therefore, want, and need, to communicate with impact. Ensure that the reader clearly understands the following points:
what do I need to know?
why do I need to know this?
what do I need to do?
Senior management will have different needs from operational or junior management, who may need much more detail. It is not necessary to list the minutiae of what you’ve looked at; you don’t need to show how thorough your work was or how much you looked at.
Many of the most effective audit reports include charts or diagrams, rather than only solid blocks of text. These can summarise the overall state of control much more clearly and help the reader to draw the right conclusions. The detail can be provided in appendices, if necessary.
What should you avoid?
In effect, it’s the opposite of everything above, but also keep in mind the following:
do not swamp the auditee with requests for information on a ‘just in case’ basis;
do not ‘play the expert’;
do not try to ambush the auditee – avoid the ‘gotcha!’ moment;
if there are two of you, do not play ‘good cop/bad cop’;
be very careful with humour – what you might think is clever or amusing can come across as rude or insulting.
Audit can be seen as a business improvement tool. As with any tool, there are right ways and wrong ways to use it. Going in with an antagonistic or aggressive approach can hinder the conduct and delivery of an effective audit. It can also make the auditor look smug or arrogant (or worse).
The proper use of the tool will help to deliver a high-quality, fit-for-purpose product – and that’s what we all want.