
Understanding Audits from Initial Steps to Final Action Plan





Audits may be held to assess (a) the financial health of an organization, (b) the organization’s use of its resources (including people), (c) whether the organization is in compliance with laws, regulations, and internal or industry standards, and (d) how the organization has violated any of those standards if a violation is suspected. 

Getting Started

If you are planning an internal audit, then there are several steps you need to take before you even begin. The US Government Accountability Office has published international audit standards that you may find useful.

  1. Assess your own independence and objectivity. You cannot audit your own project or have your team or department audit itself. Personal and professional self-awareness is a goal everyone should strive for, but effective audits require distance. You should not audit any project, plan, or team for which you are or were ever responsible.
  2. Know your people. Process, program, or project—everything is based on people, with strengths and weaknesses, prior achievements, and future goals. If you audit without knowing the people, your recommendations will fail to connect with them and any plan for course correction will fail. The people also deserve to know the reasons for and expectations from the audit, focusing on benefits to them and the company.
  3. Know the problem. You may need to change your perspective a few times to fully grasp the problem. If you assume you know the problem, you will assume you know the solution, so why bother to audit? Ask the people involved, stakeholders, customers, and other interested or involved parties where they are experiencing pain points.
  4. Gather knowledge. Is this particular problem or pain point peculiar to this group of people or to this situation? Have others in the organization experienced the same thing? Is it possible that your audit is too wide or too narrow in scope?
  5. Check what is already being done. You may find that current procedures and controls are efficient and correctly targeted, but they may also be impractical, too complex, or stress-inducing for a variety of reasons. You may find that they attack a problem that no longer exists, cover up a deeper problem (a band-aid approach), or currently create more problems than they solve. As problems evolve, solutions must also evolve.
  6. Schedule. A surprise audit not only raises the stress level for everyone but may result in the people you need to speak to being onsite or unavailable. The group may be struggling to finish a project with a looming deadline or may be blindsided in other ways. In addition, you want to make sure that you are uninterrupted during the audit and report writing.

TIP: Your schedule must allow for completing the report quickly enough so that it still has relevance.



In the course of your internal audit, you should be looking for what the audited group is already doing correctly. If you concentrate solely on what is wrong, your next audit may find that perfectly acceptable actions and solutions have been discarded and a group overhauled that only required a course correction.

  1. Ask open-ended questions. Yes/no answers may be clearer and easier to report but they lack context and may hide significant problems and concerns. The questions should be framed as a genuine interest in accurate information, not a challenge.
  2. Back up responses to inquiries with facts. Trust but verify. An attitude of professional skepticism ensures that you do not rely too heavily on other people’s impressions and your own assumptions. You need measurable data as well, or you will never know if an improvement has occurred.
  3. Set a specific deadline for missing information. You want all the relevant information on hand when you write your audit report. Interviews that cannot be scheduled in advance should be scheduled as close to the audit as possible.
  4. Keep the specific concerns of the principal stakeholder in mind. The company or principal stakeholder who requested the internal audit probably has specific concerns, such as new leadership, market expansion or contraction, new software, turnover, or changes in products or services. These concerns affect what they will consider important and what they might dismiss out of hand in your audit report. The report should be clear and easily understood by current and future readers.

Writing the Report

In writing the audit report, you may work from a template or develop a format of your own. The audit report generally covers the following information:

  • Why the audit was held and what was included
  • The standards that were applied and test methods used
  • The people involved and areas audited
  • The current condition of whatever areas the audit covered (finances, organization, compliance, problems)
  • The cause for the current situation and possible effects on the organization
  • Specific recommendations for action tied to specific roles in the organization
  • An executive summary focused on findings
  • The results of the audit.

The results of an audit report fall into one of the following categories:

  • A clean report, with no further action needed
  • A qualified report, with reasons for why action is needed and recommendations
  • An incomplete report, because requested individuals or data were not forthcoming or insufficient time remained to gather the data
  • An adverse report, stating that problems are widespread and possibly violate government regulations, the law, or industry standards.

TIP: In the audit report, you must point out the problems objectively, based solely on the standards you are using. However, any solutions or actions you recommend should consider what is feasible for the organization, given its size, resources, and priorities.


Creating an Action Plan

If you are in charge of the internal audit, then your work is probably finished when you hand over the audit report. If you are the person who is expected to take action based on the audit, then your work has just begun.

You have the recommendations in hand and you must come up with a plan to put the recommendations into action. That means you need to:

  • Understand the report. You may want to ask questions of the auditors and/or gain further guidance from the stakeholders.
  • Understand the scope of your responsibility and the project. Make sure all stakeholders are on board with the scope.
  • Evaluate your resources and ask for additional resources if needed. You may also need to alert other teams, departments, stakeholders, or vendors that they are going to be involved.
  • Evaluate risk. You need to know what will happen if you do not act, miss a deadline, or act too precipitously.
  • Decide what information you need to evaluate whether the recommendations of the report have been met. You should set up the criteria or standards that your actions must meet.
  • Divide the work into achievable tasks and assign tasks to your team members. Include defined roles, deadlines, and reporting requirements.
  • Prepare your own project report at the end of your efforts that refers back to the audit and explains what was done and the results expected or already seen, plus any further actions that should be taken.

TIP: You may have to build ongoing coaching, oversight, or meetings to ensure that your solutions and recommendations stay in place and continue to be effective.

Key Takeaways

Internal audits require objective evaluation of the organization’s ability to meet a given set of standards, regulations, or laws. The recommendations in the audit report should pay attention to what is feasible for the organization to achieve. The action plan following the audit is directed toward meeting the recommendations and ensuring that any changes instituted remain effective.
