In my last blog post, we discussed common assumptions that can stifle audit planning and lead to unfavorable outcomes. So, what can you do to facilitate an optimal audit/client relationship? One of the most significant success factors is selecting an auditor that fits your organizational culture and is committed to supporting not only your compliance initiatives, but also your business objectives.
Culture is important because auditing involves interpersonal relationships and communication. An auditor that understands and supports your business objectives is enabled to be the best partner.
Qualities to look for in an auditor:
- Eager to learn about your business and how your organization operates.
- Be careful not to misinterpret discovery questions related to the business as “nosy” or “overbearing.” These questions indicate that your auditor is genuinely trying to understand your business and how to audit within your organization’s way of doing business.
- Seeks to understand your business drivers behind the audit requirements.
- Who are the readers or end users of the report or the certification your auditor will produce?
- What factors are driving timelines? A potential contract or customer relationship?
- Is flexible in their audit process and will adapt to the organization's processes and certain norms.
- Acknowledges organization's unique risk factors and leverages them when evaluating an issue.
- Looks to incorporate smart technology (evidence workflows, reporting dashboards, and automation) into their audit process.
- The audit and compliance landscape is going through a transformation. Hold high standards for innovation and efficiency throughout your audit by leveraging technology.
You selected your auditor, now what? Here are a few quick tips to lean into partnership with your auditor:
- Hold your planning meeting BEFORE your internal audit or GRC review cycle kicks off.
- Confirm key audit activities and audit fieldwork timing.
- Confirm any anticipated scope changes or personnel changes.
- Educate the auditor on key business drivers that could affect the scope of the audit.
- Context is key. Each organization is different, so communicating how your business works and your high-level strategy helps the auditor tailor the approach.
- Share your “audit goals” in the planning session so that the auditor can help you achieve them, or at least manage expectations based on industry knowledge.
- Example: For complex environments, I’ve partnered with clients in the past to facilitate day-long, in-person boot camps where the audit team is educated on the client's business and structure. This increases collaboration and knowledge transfer, leading to a smoother audit process.
- Establish a communication plan.
- What collaboration platform works best for your team? Email? Slack? Teams?
- Who should be kept in the loop on all communications? Establish a written plan for communication hierarchy.
- This can be as simple as a checklist in your audit kick-off deck, or as formal as a RACI Matrix.
- Get tactical in your audit planning meeting.
- Consider resource constraints.
- Are your engineers available during audit timeframes?
- Consider leveraging audit-enabling technology.
- Are you onboarding your auditors to an existing GRC platform?
- Are you onboarding your GRC team onto an auditor compliance management platform?
- Do the relevant parties have the access and training needed to use the platforms?
Investing time upfront in these activities may feel like a burden, but with an equally dedicated auditor team, the engagement will undoubtedly result in decreased audit fatigue and long-term time savings for your organization.
We covered how a client can avoid surprises and build a trusted relationship that enables good planning and collaboration. But what about auditors? What can we do?
The biggest and most common oversight I see auditors make is treating an audit like a transactional service. “You give me evidence; I give you a report. The end.” They ask questions, document conclusions, and get out. While that is a business model plenty of auditors follow, and it might seem like it is saving time, I can guarantee that it is not in the long run. An audit of that nature can be a red flag.
Ultimately, a smooth audit hinges on partnership and preparation. Investing time in these tactics to create a collaborative relationship will benefit the organization and the auditor long-term.