Let’s face it. Even here at Audit International, we understand Internal audit still suffers from some rather negative stereotypes. There are plenty of companies or units where internal auditors are not welcomed with open arms. Audit clients may view internal audit with suspicion, expecting a “gotcha” mentality or may feel like they are under surveillance.

Sure, it’s often undeserved and some of it comes with the territory, but we may even be perpetuating such negative views with the words we use. Words and phrases that internal auditors consider just a normal part of the profession’s vocabulary may actually be words that trigger negative reactions in our audit clients. And often, internal auditors don’t realize they are contributing to the hostility by using them.

Words matter and good internal auditors choose them carefully. But auditors are also as prone to using professional jargon as anyone. These are words that have become so commonplace that we might not think too much about what they really mean, especially to others. We all use them. Yet, how they might be interpreted may not be how we intended. So, what can we do about it?

Here are seven words that we should consider their meanings more closely and either use them more carefully or strike them from our vocabulary completely.

1. “Finding”
Most internal auditors call what we consider reportable (in writing and verbally) a “finding.” Think about that for a moment, though. It’s not as if the vast majority of our audit observations were hiding or lurking in some hard-to-discover, dark and foreboding place, and it took our best Indiana Jones skills to unearth them. Lo and behold, ah ha! We have a “finding.” The word relates a context of sleuthing and uncovering things that were hidden, perhaps intentionally.

So put yourself in the shoes of your audit clients. We come along and have all these “findings,” as if they weren’t doing their jobs and it took us to find these gems of reportable conditions. Worse yet, we are often reporting as “findings” what audit clients told us directly. How would you feel if someone walked through your house and told you at the end of their visit that they found the carpets needed vacuuming, the furniture needed to be dusted, and relayed a few other of their insufficient housekeeping “findings.” You’d likely be inclined to never invite them back.

Try using the words “observations,” “conclusions,” or “conditions,” rather than “findings.” You may find they work better in your organization. Audit clients will feel less like they are being accused of hiding information or that they didn’t see something that the auditors later uncovered.

2. “Weakness”
When we observe an issue, we also sometimes couch that issue by using another troubling word, “weakness.” We may not be able to avoid calling breakdowns in internal controls, as they relate to SOX-like work, “control weaknesses” if the controls are not working as they should (or at all). But we should avoid calling observations outside of controls “weaknesses,” if possible.

Think about it. You go into the manager’s office during an audit, and you say, “excuse me, if you have a few minutes I’d like to go over a few weaknesses that have come to our attention during our review of your area.” Expect immediate defensiveness. We might as well be criticizing their first-born by pointing out weaknesses in how the child looks or plays with others. The word connotes physical ineptitude and can strike a visceral blow to any manager’s ego.

Like weaknesses, “deficiencies” isn’t any better for all the same reasons. So, perhaps, try “opportunities,” or “matters for attention,” rather than “weaknesses.” Even “challenges” or “difficulties” will garner a better response from audit clients.

3. “Material”
While the term “material” has been part of auditing language forever and, although tough to really quantify, is an important and meaningful word. I mean, if it’s not material why look at it or consider it at all? We also have the SOX-related nomenclature of “material weaknesses” (which people want to avoid as best as possible). Look, if you tell someone something is “material” and it truly is agreed that it is “material,” that’s a big deal.

Yet when we tell someone who is the owner of something that we want to talk with them about a matter that is “material,” what would be the natural reaction of the person on the receiving end of that word? Disbelief, denial, and outright defensiveness are natural human reactions when told something is “material,” in a bad way, which affects them or their responsibilities. Think about being in the doctor’s office because you have not been feeling well. After a bit of consultation and tests, the doctor comes in the room and tells you that there is something “material” to discuss. You are likely to act with disbelief, denial, and defensiveness, naturally. The word conveys an urgency we might not intend. Do we really want our clients to react that way, now or in the future?

Note that “material” has an important legal context. The Securities and Exchange Commission defines “materiality” as anything a reasonable investor would deem relevant to their decisions about whether and how to invest. While it’s important to use this word carefully in this legal context, it’s also easy to adopt the word and use it outside this context, which can result in misusing it. Another problem with “material” is that it implies that everything else isn’t important or that other aspects of an audit client’s work are meaningless, which is not a great sentiment to convey.

So, perhaps, when you don’t really have to use the word “material” (or “significant” for that matter) in consultation or in writing, maybe consider some different language. Hey, there’s something important I want to run by you when you have a moment, and maybe we can write about the top matters for attention without calling them “material” (unless, of course, we must).

4. “Disclosed” or “Uncovered”

Like the word “finding,” the word “disclosed” (or the word “uncovered’) has a similar connotation. It’s as if the issue was hiding and no one knew about it or would ever find it without you, and your brilliance—the internal audit superhero with x-ray vision. OK, sometimes things were truly hidden, unintentionally or, worse yet, purposefully, and we did use our internal audit superpowers to uncover it and then we get to puff our chest and—cue music here—disclose it. But, come on, that’s rare.

Yet, we use the terminology all the time. For example, resulting from of our testing, it was disclosed that blah, blah, blah. Or, based on our review of the area, it was uncovered that yada, yada, yada. Now, if you’ve got sneaky and underhanded clients, who are going around hiding stuff from you that you truly uncovered and want to disclose to the world, then fine. But most clients don’t do that, and you want to collaborate with them in the future.

Imagine how you’d feel if the external team you hired to do your Quality Assurance Review (QAR) started telling everyone, verbally and in writing, what their work (and only their work) disclosed and uncovered in your internal audit department? How would you react to that? “Disclosed” implies that something was formerly a secret and now you are airing the dirty laundry out for the world to see.

So, maybe we need to back off the “disclosed” and “uncovered” language, at least a bit. Options might include, “along with management, we identified …,” “taking full stock of the evidence, it can be concluded that …,” “testing demonstrated that …,” or similar language. Just don’t use “revealed” instead. That’s just as bad.

5. “Entrance” and “Exit”
OK, you may need to bear with me a bit on this one.

We’re going to start an audit project, and our first meeting with the client is called, in many companies, an “entrance meeting.” Then, when we’ve concluded all our fieldwork, what do we call the last meeting with the client to wrap things up and ride off into the sunset to work on the audit report for weeks on end? The “exit meeting.” They are decent terms, descriptive of exactly what they are … our entrance (ugh, the auditors are here) and our exit (yes, they are leaving, let’s party).

Let me ask you this, though. Is this audit, the one you are doing an entrance into and an exit from, the first and last time you will ever see these folks? I sure hope you have an ongoing relationship and are interacting all year long, or at least on occasion. If that’s the case, there is no entrance and there is no exit because, like the song Hotel California, you may never leave. And, if you’ve done your relationship management right, they are happy about that.

The point is that “entrance” and “exit” are old-school terms from when we did things on a cyclical basis and may or may not come back. Back then, relationship-building was less important and audits had a fixed beginning and end. So, maybe we need to stop calling them “entrance meetings” and “exit meetings,” and just call them something else that isn’t so clinical and auditor sounding. Schedule your Project Introduction Meeting at the beginning and, maybe, your Project Wrap-Up Session at the end, or something like that. And, if you are well down the path of an agile implementation, all that entrance and exit stuff becomes moot anyway.

6. “Consulting”
Back in 1999, the Institute of Internal Auditors introduced the well-accepted and globally codified definition of Internal Auditing as: “An independent, objective assurance and consulting [emphasis added] activity designed to add value…” Back then, the word “consulting” was viewed positively. And, for internal audit to be positioned to not only provide assurance, but to also be viewed as a consultant? Well, to borrow a ’90s term, that would be “da bomb!”

But, somewhere along the way, the word “consulting” came to be viewed less positively, and we’ve started to insert the word advising to soften the term. Should we blame consultants for tarnishing a good word, and making people view consultants and, in turn, consulting, negatively? Perhaps, but that’s not the point.

We all want to be advisors, and the gold standard, the place to be, the coolest accolade, would be to be trusted and be an advisor. So, in our pursuit of being that vaulted trusted advisor, let’s drop the word consulting from our vocabulary, once and for all. Look, your clients might want to “consult” with you, but hopefully you are “advising” them.

7. “Satisfactory”
Often, we as auditors don’t want to overcommit, and use words that might get us into trouble later if something is determined to be different than our work concluded. There is just so much we can evaluate and then we must draw a conclusion and move on. So, we settle on words like “satisfactory,” even if things are notably better than the word implies. From an internal audit perspective, we are hedging out bets. We don’t want to be overly flowery with praise, and just conclude something is either “satisfactory,” “needs improvement,” or “unsatisfactory.”

Put yourself on the other side of the table. Let’s say, for instance, you’ve worked hard at something, gone the extra mile, and made sure it was done exceptionally well. Then, someone comes in, looks it over, and decides that things seem “satisfactory.” Ouch, gut punch! You put in a ton of effort, expected to get an “A” grade, and the professor gives you a “C.” That’s kind of deflating.

Let’s not forget that the word “satisfactory” means acceptable or good enough, but not outstanding or great. Yes, there are reasons to fall on the crutch of concluding, placing our highest auditor grade on something, that it is “satisfactory.” But, perhaps, if we can avoid it, we take the risk, rely on our work, and conclude that something better than a measly “satisfactory.” Don’t be afraid to say if something is exceptional, great, works well, or exceeds the requirement.

The Last Word
There is a lengthy list of good reasons, justifications, and rationalizations for why we use the words we do as internal auditors. Many of them have stood the test of time. Many are in use, and still exist, because we are hearing the world through our own ears, and not our clients’.

If we stop for a minute, and consider what these words sound like and what they actually mean, and the impressions they may leave on the ears of our clients who hear them, perhaps they are not the best words to use. Perceptions are reality, and if you want to change perceptions, maybe one way to do that is to change our vocabulary. In other words, say what you mean and mean what you say.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International are stating the main Risks and Actions companies are putting on their 2023 internal audit plans. The past year concentrated attention and shone a spotlight on the increasing fragility of organizations. With a complex set of risks manifesting simultaneously, audit committees are prioritizing some of the most serious implications resulting from the ongoing war in Europe and a triple squeeze of supply chain, workforce and inflation pressures.

According to data from Gartner’s 2023 Audit Plan Hot Spots report, which identifies the key risks and recommended actions for Audit to benchmark their efforts against in the coming year, 81 percent of Chief Audit Executives polled have cyberthreats on their agenda to cover in audit activities over the next 12-18 months, with an additional 13 percent tentatively planning to do so. Even in a year with a high number of varied and seemingly imminent risks facing organizations, cyberthreats remained an agenda topping item for Audit Committees and senior executives as the drivers of the risk shifted from a generalized focus on inadequate security controls to specific need to prepare for highly sophisticated state-sponsored cyberthreats and new cyber breach disclosure requirements. Even as some risks remain perennial threats, shifting drivers can change the nature of the risk and need for updated mitigation and coverage plans.

Cyberthreats, however, are not the only vulnerability an organization faces in an increasingly fragile world. In developing this year’s report, the need for Audit to support their organizations through rethinking their approach to resilience in the face of growing fragility became evident as a key theme underlying several top organizational risks. These risks are generally under-covered in audit plans for 2023, in some cases less tangible and immediate than the category of risks that have been urgently prioritized as a result of the headline events of this year.

Resilience-related risks are manifesting with real world and high-velocity consequences all the same, and Audit needs to understand the risk indicators, urgency drivers and the right questions to ask the business to ensure that rethinking resiliency is on the agenda in 2023.

Below I review three such risks and strategies for Audit on how to approach them.

Climate Degradation
Nearly six in ten CAEs have no specific plans to provide assurance over climate degradation next year. This in and of itself is a key risk indicator for most organizations, as a failure to refresh business continuity plans related to climate risks puts an organization at higher risk for a key infrastructure failure and related loss of productivity among other risks.

While CAEs generally express limited confidence in their climate coverage plans, rethinking resilience means going beyond sustainability reports and identifying vulnerable assets. Audit departments need to incorporate in their plans the inevitability of increasingly severe weather events and mitigation strategies for the loss of key infrastructure, both their own and that of key third parties, such as suppliers.

Culture
Even more challenging for Audit is culture, traditionally a key source of resilience for many organizations that now is fraying under the weight of new working models (hybrid/remote), social and political polarization and a general lack of connection felt by employees who are reporting witnessed misconduct at rates 30 percent lower than pre-pandemic.

Despite such challenges, only 16 percent of CAEs are revisiting culture in light of shifting sociopolitical expectations of their workforce, investors and the media for next year, and just 10 percent report they are highly confident in providing assurance in this area. Internal Audit needs to push the business on reassessing how employee expectations and engagement are monitored in a hybrid and remote world, while policies related to political and social issues need to be formulated now and not in real time during a crisis.

Organizational Resilience
Ultimately, rethinking resilience means covering organizational resilience as a dedicated risk that is part of the audit coverage plan. Organizational resilience, broadly defined, is an organization’s ability to withstand shocks. This is likely to become ever more important in the face of new and ongoing geopolitical tensions, which can abruptly trigger a set of interconnected but differentiated risks to manifest simultaneously. While refreshing scenario planning and mitigating against change fatigue are necessary steps in this process, building true organizational resilience requires a view into the interconnected risks facing an organization and developing resilience-related initiatives across the enterprise.

With less than half of CAEs definitely planning to cover organizational resilience next year and just 32 percent highly confident in providing assurance specifically on matters of resilience, it’s clear there is more work to do in establishing this as a top audit priority. Chief Audit Executives can regain momentum by launching activities that encourage collaborative discussions between business units on interrelated risks and reviewing plans to address change fatigue within their organizations at a time when events over the past two years have likely dramatically diminished capacity in this area.

While these resilience-related risks feel less tangible and urgent than mitigating against “clear and imminent” dangers like supply chain vulnerabilities and state-sponsored cyberthreats, they are important and increasingly acute risks in their own right. Viewing them through the lens of rethinking what it means to be a truly resilient organization can be a useful framework for starting the right conversations within the Audit Committee and formulating effective coverage in next year’s audit plans.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Audit International believe effective communication of information on risks associated with hazards and control measures, is an essential and integral component within the risk assessment process. The fundamental goal to communicate the outcome of your risk assessment thereafter to the rest of the organization, contributes to the health and safety of your (peer) employees.

A risk assessment is usually executed by you as a safety professional, being part of the safety department of an organization. For you, the outcome of the risk assessment is often quite clear and simple to follow. However, struggles do arise to communicate about risk outside the safety department. How do you communicate to different organizational levels effectively? How do you make sure everyone in your organization is not only aware of, and but also understands the risks they are dealing with? Audit International have these tips.

In this short blog, we will focus on the Communication and Consultation step. You must communicate about your risks and its treatment, but how do you handle this? If you communicate too much no one will know what to listen to nor remember it. If you communicate too little, no one will understand the context or details of the information. Use the tips below to overcome such struggles.

Tips for effective risk communication:
1. Have a common ground
Before talking about risks, people need to understand the basic concepts of safety. Do not assume that everyone is on the same page regarding risks. Define concepts clearly to avoid confusion. Make sure that there is a common definition of risk established, so employees manage risk based on the common concept and view of what constitutes as risks. Inform your organization about the nature of the risk management and why you are doing it.

2. Make sure everyone can understand
As you communicate to different levels and departments in de organization, it is convenient to tailor your message to the one who receives the message. One of the goals for risk communication is to provide meaningful, relevant, and accurate information in clear and understandable terms. Be aware that these criteria can be different for people on the operational work floor than for higher management. Adjust your information to your target audience, so everyone in the organization knows their role in managing the risks they face. This will help you filter the information effectively.

3. Consider the form of communication
How often do you want to communicate to your colleagues? Depending on which colleagues, this could be every day, every week, monthly, or yearly. If the frequency is yearly, writing a report will not be too much trouble. If the frequency is weekly, writing a report will likely be too time-consuming to create and read. It won’t be long before your employees are demotivated which will likely lead to less clear communication – or worse, confusing communication! Think about other ways of communication, such as videos, posters, or interactive means. A one-sided communication strategy is likely to be less effective.

4. Build a sense of inclusiveness and ownership
You know that managing risk is not a one-person job. This process involves different departments and colleagues. It is impossible to manage risk effectively if there is no communication and consolation with each colleague that is involved – with each stakeholder. To optimize the communication and consultation you need to make sure that each stakeholder understands, knows and agrees what is expected from them in relation to the management of risk.

By communicating on risk management, you will involve your colleagues and create inclusiveness and ownership. Ownership is important, because let’s face it: risks that are not owned are often not managed. Clarity on personal responsibilities is very important to prevent incidents from happening. There is no need to have accidents that could have been prevented through effective communication between stakeholders.

Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

In this final article of the series, Audit International focus on the third element of ESG- Governance risk. This differs from the first two elements – Environmental and Social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.

Governance risks :

Some governance risks are broad in nature. Others, are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:

– Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
– Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
– Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
– Anti-bribery and corruption – many countries have a comprehensive legal framework.
– Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
– Ethics and culture – a broad topic, ethics encompass all the above and more. Culture has become a hot topic over the past 15 years with the link between a strong organization-wide culture and performance becoming increasingly apparent.
– Data protection – often also included as a social risk, good information governance is relevant here as well.
– Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.

Getting started – Determining the key risks :
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) –mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:

– Clarity of purpose
– Leadership
– Integrity
– Board composition and division of responsibilities
– Board effectiveness
– Decision making
– Risk management, internal controls, and audit
– Accountability, transparency, and reporting remuneration

In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.

With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.

How internal audit can make an impact :
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector, or jurisdictions, and investor interest.

Some Examples :
– Governance framework
– Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically, annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part in the annual report). – Therefore, it is important that they give an accurate picture.

Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally as important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.

Board composition :
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.

It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:

Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
How are conflicts of interest identified and managed?
What are the rotation policies/term limits for non-executive board members?
How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
Is there a training plan for the board and individual board members? Is there an individual appraisal process?
Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
Is there an effective process for succession planning?
Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, skill matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.

This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to go back and read our previous blogs, to get you up to speed on our suggestions on how internal audit can approach environmental and social risks.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

At Audit International, we know when people hear buzzwords like ‘data analytics’, ‘artificial intelligence’ and ‘machine learning’, it can be intimidating. Many people don’t fully understand such concepts, but in truth, you don’t need to. You just need to get comfortable with them. And you probably already are: familiar services like Netflix or Spotify use artificial intelligence to understand your preferences and make subsequent suggestions based on that knowledge. The level of consumers’ expectations is continually increasing, and the successful companies are those that are advancing with technology. The same is true for businesses and their expectations. In audit, the revolution is underway and the sections that follow highlight the key drivers for this change.

Improve the audit experience –

The volume of data available to auditors is astounding, but in most cases, this data is simply not being used. If this were happening in any other industry, there would be questions to answer. Data analytics can improve the audit experience in several ways, for both the audit team and for the client.

Improve audit quality-

During the planning phase of the audit, audit teams must shift their focus away from the old mindset of “what could go wrong?” Through analytics, we can turn our attention from what could go wrong to what has gone wrong. Auditors have access to the client’s complete financial data for the period under audit – if they focus on analysing and understanding the data, they could identify an unexpected transaction or trend in the process. During the execution phase, auditors should also build on the knowledge gained in planning to truly understand the business in question and focus their attention on higher risk transactions. Finally, auditors should move away from a ‘random sample’ approach and, instead, focus on the transactions that appear unusual based on their knowledge of the client, business or industry. These are just a few areas where improvements in audit quality can be achieved using data analytics.

Improve efficiency-

In the examples above, the use of data analytics in planning will identify what has gone wrong and any associated unusual transactions. In execution, these transactions will be tested as part of the audit sample. It could also cover some requirements under auditing standards concerning journal entry testing, as the journal entries will likely be the data that highlighted what went wrong in the first place. Again, this is just one example of efficiencies gained without even considering the hours saved by automating processes like creation of lead schedules and population of work papers.

Post-pandemic world-

The world will be a very different place in years to come. Firms with the ability to perform in-depth analysis using data analytics undoubtedly have a significant advantage over those that do not, given the efficiencies they can gain and the potential reduction of physical evidence required from clients, among other things. Due to the changes we have all had to endure, auditors may also have additional procedures to perform (e.g. roll-back procedures where they were unable to attend stock counts at year-end due to the COVID-19 closures of businesses). Such procedures have the potential to be automated, saving even more time and effort for audit teams.

Improve engagement-

Rather than spend time performing mundane tasks such as testing large randomised samples, data analytics allows audit teams to jump into the unusual transactions. This will make the job more interesting to auditors and cultivate a curious and questioning mindset, which will, in turn, lead to improved scepticism and audit quality.

Improve client experience-

This might happen in two ways. First, the time saved by the client’s staff (who, in theory, will have fewer samples for which to provide support) and second, through the value the audit adds to the business. As an example, consider an audit team performing data analysis on the payroll for their client. As payroll is a standardised process, the audit team has an expectation around the number of debits and credits they would see posted to the respective payroll accounts each month. As part of their analysis, however, they find an inconsistent pattern. This can be queried as part of the audit and the client will be better able to understand a payroll problem, which they were previously oblivious to.

Client expectations-

Given the level of data analysis that occurs daily in the life of anyone using a smartphone, a consistent, high quality is understandably expected in people’s professional lives, too. Audit clients, like all consumers, want more. They want a better and faster audit. They want an audit that requires minimal interference with the day-to-day running of their business, without compromising the quality of the auditor’s work. With troves of data now available to auditors, such expectations are not entirely unreasonable. Audit firms have access to vast amounts of financial and related data – in some instances, millions of lines of information – that, if analysed robustly and adequately, would improve their processes, their clients’ experience, and the quality of their audit files.

Aspirations of professionals-

Audit professionals can often struggle with work-life balance, as we here at Audit International know. Though most firms are getting on top of remote working, the hours in busy season are long. In a time of continuous connectivity, the time frame around ‘busy season’ is also becoming blurred. Through the use of technology, we will one day make auditing a ‘nine to five’ job. Many will scoff at that idea and, although we do not expect this to happen in the next five years, or even ten years, it is possible. By automating mundane tasks and continuously upskilling our graduates, we can transform how an audit team completes work. There will be more scope to complete work before clients’ financial year-ends, thus moving much of the audit out of the traditional ‘busy season’. Machines can complete specific tasks overnight so that auditors could arrive at their desk, ready to work on a pre-populated work paper that needs to be analysed by a person with the right knowledge. With appropriate engagement by all parties (i.e. audit teams, senior management, and audit clients), we could significantly reduce the hours spent on audit engagements and give this time back to auditors. Along with attracting high-calibre graduates, we will retain high-quality auditors in the industry while also avoiding mental fatigue and burnout, which will again lead to better quality audits.

Graduate recruitment-

Graduates joining firms in recent years have particular expectations of the working world. They want job satisfaction, flexible hours, remote working, and an engaging role that will challenge them. Professional services firms have to compete for the very best graduates, and no longer just against each other – a host of technology-enabled businesses are attracting talent on an unprecedented scale by meeting the needs listed above. Technology, and data analytics, in particular, can offer the solution to the graduate recruitment challenge – by making the work more efficient and automating mundane and repetitive tasks, graduates can instead focus on analysis. Time and time again, when we talk to candidates, we always hear that if they find their work challenging and interesting, they will feel more engaged.

Challenges-

This move towards technology is not without its risks to the profession. Automating basic tasks removes the opportunity for graduates to form a deep understanding of these sections of the audit file. The onus is therefore on the current cohort of Chartered Accountants to take the reins, both to drive technology advancement forward and also provide practical, on-the-job coaching to ensure that this knowledge is not lost for the generations that follow.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”