Management Tips to Survive An Audit

Does the idea of your organization being audited fill you with dread? You’re not alone. Few people welcome outsiders rummaging through their data, grilling their staff and questioning their decisions.

I get it. An audit doesn’t have to rank up there with root canals and other things truly good for us, but awful in the making. That is, if you understand the audit’s purpose and are prepared.

Someone somewhere wants to know the result of the audit, because you are or have the potential to spend other people’s money.

Audits provide assurance investors can trust a company’s financial statements. Taxpayers have better confidence government programs operate as intended. Donors feel confident charitable organizations respect their intentions.

Commonly, organizations are subject to at least one of three types of audits:

• Financial
• Performance
• Compliance

Usually, independent entities conduct audits, such as accounting firms, external auditors or regulatory agencies. Sure, some organizations have internal auditors, but they must be free from management control for credible audit findings.

Knowing the type of audit guides your preparation

The purpose of a financial audit is to evaluate an organization’s records, processes and accounting decisions to make reasonably sure its annual statements reflect an accurate representation of the organization’s financial condition.

A performance audit determines if programs or operations are managed appropriately to achieve their strategic goals. Performance audit objectives often focus on process efficiency and effectiveness, and in recent years, whether program outcomes are equitable.

Compliance audits are straightforward tests of whether something complies with a standard or not. They are commonly used in manufacturing settings and regulated industries. Compliance testing also can be part of financial or performance audits.

How they are similar

All audits are systematic comparisons of evidence to criteria within a specified scope. Criteria can include accounting standards in a financial audit, management best practices in a performance audit and regulatory requirements in a compliance audit.

Evidence depends on the subject area of the audit. Auditors may ask for your policies, procedures, internal controls, processes, data, records, employee information. Auditors review any information used by management to account for financial transactions, achieve program outcomes or efficient operations or comply with regulations.

How to prepare for your audit

Audit teams generally want the same information management needs to meet its responsibilities in service to strategic objections. It is a red flag to an audit team when such information doesn’t exist or isn’t available, in a usable form or organized for management decision-making.

1. Anticipate the requests from the audit team. It needs to get up-to-speed on your organization, department, program and responsibilities. That means understanding the legal and policy bases for your authority, your mission and strategic objectives, budgeted resources, industry standards or regulations you are obligated to meet, any policies and procedures you use, datasets you’ve created or tap and annual reports you produce or contribute to. Pro tip: Most of this documentation should already be at your fingertips, but may not all apply to you. That’s okay.
2. Anticipate what questions you may get asked. The audit team looks for what’s working well, what isn’t and any ambiguous gray areas. Pro tip: Auditees who are honest about their vulnerabilities are viewed as more credible by the audit team than those who pretend nothing is amiss. Auditors aren’t expecting perfection.
3. Understand what threatens your ability to achieve your strategic objectives. Anticipate the audit will focus on one or more of them. Pro tip: Managers are responsible for assessing and mitigating risks to success, so it’s a red flag to an audit team if this conversation is a mystery to you. You may not be able to address all your vulnerabilities, but you should be aware of them.

How to engage with the audit team

The audit process has built-in check-ins for discussions. You should take advantage of all of them to understand what type of audit is being conducted and why. Understand the criteria to be used, the scope and fieldwork objectives and any findings and recommendations. Pro tip: Participation in these periodic check-ins will help avoid unwanted surprises for management and the audit team at the end of the process. The earlier misunderstandings can be addressed, the better.

Ask which professional standards the audit team follows:

• Audits conducted under Government Auditing Standards (also called the Yellow Book) will conclude with a written report, a draft of which will be provided to management to review and respond to before it is published.
• Internal audits conducted under the International Professional Practices Framework (also called the Red Book) are common in the private sector but sometimes used by government agencies, too. They have different public reporting requirements than government auditing standards.
• The American Institute of Certified Public Accountants is the go-to source for various types of financial auditing standards.

Ways to make the process go smoothly

Remember the point of an audit: To assure third parties – taxpayers, investors, donors, regulators – your organization operates as intended to achieve its strategic goals, whatever they may be. If it’s not operating as intended, the audit report will include recommendations to close the gap between the criteria and the evidence the audit team collected.

• Take advantage of periodic check-ins with the audit team and ask questions.
• Assign a contact to coordinate information requests from the audit team.
• Encourage employees to respond promptly to requests for interviews, documents and site visits.
• Request the audit team meet to discuss any conclusions you disagree with and be prepared to provide supplemental information to support your position.
• Try to reach consensus with the audit team on recommendations you will be expected to implement. The goal is to make the requested actions result in improved conditions.

Finally, resist the urge to use the formal written response at the end of the process to attack the audit team or the findings. There are appropriate venues for that if you believe the audit team did not live up to their professional requirements. If you have an honest disagreement about the recommendations, it’s best to say so in your response. The audit team will circle back periodically to check on your progress, so I’d advise against staying silent if you don’t intend to implement one or more of them.

Last pro tip to survive an audit

Use the formal management response, included as part of the audit report, as an opportunity to acknowledge the areas where improvement is needed. This assures readers you will implement the recommendations. Nobody expects perfection, but everybody should expect management to continuously strive to do better.

If you’d like some help getting ready for your next audit or need to retain an independent performance or compliance auditor, let’s talk.

Join Mary & Leita on March 28

There is no higher priority for chief audit executives than protecting the independence of their shops. Threats can be stealthy or in-your-face and come in all shapes and sizes, usually at inopportune moments. Join Mary Hull Caballero (former City Auditor of Portland) and Leita Hart-Fanta for a two-hour discussion on Guarding Auditor Independence. You won’t want to miss it, plus it may help you survive an audit someday!