“I have a shop to run here. If I spend all my time focusing on your controls and checklists and spreadsheets, I won’t have time to make the money to pay your salary! So why are you wasting my time??” – Management addressing audit
While the tone may be unusually strong, this general sentiment will feel familiar to most auditors. Audit may have found an issue or observation that audit believes will require management’s attention and remediation. Furthermore, audit departments can be quite forceful in their insistence that such issues be addressed urgently. Management recognizes the importance of some risks and controls but can’t get over the feeling that audit is being nit-picky.
The bottom line is that sometimes audit DOES focus on minutiae. Good practices about audit planning and risk assessment can address this, and will be the focus of future posts. But what is the auditor to do when they know the client is not likely to accept audit’s findings at the level of significance they deserve? The short answer: Phone a friend!
When audit finds a concern within the client’s part of the organization, audit will document that concern. Audit will then attempt to present the concern to management, and it will ultimately be referred to as an “Audit Issue” or an “Audit Finding”. But Audit Issues are not generally problematic for the audit department. They are almost always significant for some other part of the company. The key to success is for the auditor to engage that directly impacted part of the organization and enlist their support in presenting the significance of the finding to the audit client.
For example, if audit identifies that a call center is failing to fully train all phone representatives, despite a policy that requires such training, the policy violation is NOT the issue per se. The issue is that a call center representative may not be able to service a product effectively (contradicting Marketing’s Brand Promise), may fail to give required disclaimers (contradicting a Compliance mandate), or may not upsell the customer appropriately (violating a Product Owner’s cross-sell assumptions). In each of these cases, audit has the opportunity to reach out to the truly impacted area (Marketing, Compliance, or Product in the examples above) and engage them to support the issue.
A conversation between the head of marketing and the head of call center operations will focus on the full business implications of the policy violation. Once the “issue” is presented as a “Marketing Issue” rather than an “Audit Issue”, the audit client is far more likely to appreciate the business value of the finding and respond with appropriate urgency.
Of course, being able to “phone a friend” requires that audit has established a good relationship with every functional area. I’ll discuss business relationship-building more in other posts, but the auditor also must be prepared to learn! If audit cannot find any other business unit that believes the issue to be as serious as audit does, then possibly the auditor should tone down their concern and focus on higher priorities.
Until next week, good luck at finding all of those marketing issues in operations!