Working With Auditors for Best Results
I am always surprised to hear talented industry professionals characterize auditors in ways that contradict corporate and regulatory compliance goals.
Auditors are sometimes portrayed as wanting to give their opinions on how your company should operate and passing critical judgment on professional outcomes. This is mostly incorrect: auditors are essentially there to perform a check on the completeness and accuracy of what you produce. When it comes to compliance standards, most of the questions that auditors ask arise because they cannot understand your audit submission well enough to make this determination. For process- and controls-based audits, questions often arise due to the auditor’s inability to understand the controls within the process. In both cases, the auditor has a tough time turning in an audit report that adequately measures the risk when there is very little credible information.
Understanding an auditor’s job as a reviewer is critical to your mutual objectives, and a few simple principles, listed below, will make your audit process much smoother. Based on all of the audits that I and my colleagues have conducted, these suggestions will produce a shorter audit, fewer violations, and, through the clarity you will achieve, a great reduction in the questions asked by the auditor:
- Have a consistent method to your audit preparation.
A highly experienced auditor once told me, “I would rather hear a song with 50 verses than to learn 50 different songs.” Establishing a consistent flow to your audit packaging resonates with the orderly mind of an auditor. Keep in mind the fact that they will be processing your information in defined steps from beginning to end. Structure your submission according to those steps so that the auditor can find what they need quickly, and in the order indicated by their own work papers.
- Be Concise & Avoid “Dump Trucking”
Recently, a client told me, “If the auditor asks me a question, I will give him a 500-page document; if he can’t find the answer, he can’t give me a violation.” Not only does this not work, it will instantly create a hostile audit environment that won’t win you any popularity contests. Auditors actually want brief, succinct compliance responses that answer the questions truthfully and transparently. Everything else appears to contradict the audit objective.
- Avoid “Over-kill”
Your organization may not be the biggest or most perfect in the world. If it isn’t, don’t write up all of your policies and procedures in a manner that restricts you from reaching your goals. This will only produce unnecessary violations. If you haven’t had any serious issues with your current practices, don’t go out and incorporate other practices that your employees will not be able to follow. Typically, as long as you have a good basis for how you conduct your operations, auditors will only hold you to your policies and procedures as written. Auditors just want to be sure that you have addressed risk in proportion to your company scope, not necessarily to a best practice.
- Provide Several Illustrations
In the process of an audit, a picture is definitely worth a thousand words, so use this consistently. For all processes and controls, show a flowchart. For all relevant systems, deliver a detailed diagram. It may be advantageous to incorporate a whiteboard diagram to clearly highlight what is going on. Transfer that drawing to your audit submissions as well. If an auditor can see first-hand what you are doing in concept, read what you are doing in practice, and finally, review an example of the result, you are very likely to save a lot of time answering questions during the audit. As an added bonus, you will be able to better understand organizational practices that could be improved upon before they are presented to any reviewer.
- Exceed Expectations
A key indication of how well your organization manages risk is whether it functions on a time-sensitive basis. Proactively schedule meetings with your lead auditor early in the process, if possible. Educate the audit team on your compliance program methods, helping them to better understand how to efficiently audit your organizational business cases. Turn in your initial submission on the first day it is allowed, and respond to any additional questions and requests without delay.
In the auditor locker rooms, you hear audits characterized in positive phrases like “No-brainer,” “Piece of Cake,” “A Walk in the Park,” or “Good Stuff.” You also hear negative language such as “Bloodbath,” “Same Old Thing,” or “A Real Money-Maker.” Assuming that your organization is attempting to do the right thing, utilizing these solid practices could bring your best business assets to light.
Questions or Ideas? Please direct inquiries regarding this article to firstname.lastname@example.org.