Page 1 of 5

Citrayudha Komaladi
From:
Sent:
To:
Subject:

Goh Kheng Leng

Wednesday, March 25, 2009 5:23 PM
Citrayudha Komaladi; Heng Cheng Chiang Eddie; David Song;
Nick Lim; Tham Hoe Ming
A Kinder, Gentler Audit

Importance:

High

Internal Auditor

Home / Feature Articles / 2007 / October / A Kinder, Gentler Audit

A Kinder, Gentler Audit

Successful audit reports don't pull any punches, or blindside recipients. A tactful approach
can lead to a satisfying, constructive outcome for all parties involved.
Lawrence de Berry, CPA, CISA
Director, Internal Audit, Basic American Inc.

In 1513, Niccolo Machiavelli wrote in The Prince, "There is nothing more difficult to plan, more
doubtful of success, nor more dangerous to manage than the creation of a new system. For the
initiator has the enmity of all who would profit by the preservation of the old institution and merely
lukewarm defenders in those who would gain by the new one." In a very real sense, changes
proposed by an internal auditor are viewed in the same way as a new system.
Most organizations are not staffed and managed by Machiavellian conspirators. Instead, they are
typically composed of intelligent, well-intentioned individuals who are committed to seeing the
organization succeed. So how do internal auditors get these good people to embrace changes
recommended in the audit report?
Suppose you've put some effort into landscaping your front yard and take pride in its appearance.
Your neighbor, a representative from the homeowners association, comes to your door and says the
yard falls below neighborhood standards. He also says he has put together a fertilizing, watering,
and maintenance schedule that, along with other suggested modifications, will bring the yard up to
standard. Like most people in this situation, you would likely resist the recommendations or perhaps
implement them grudgingly and do the bare minimum required to meet association guidelines.
By contrast, suppose this neighbor never knocks on your door to discuss the landscaping but instead
invites you to his house for a barbecue one weekend. While at the event, you compliment the
neighbor on his yard and say you wish yours were as lush as his. He tells you that his lawn grass
variety is the same as yours; the secret is in the fertilizer and watering schedule, which he happily
shares with you. In this scenario, would you be more inclined to follow his suggestions?
The success of audit reporting is determined largely by the attitude and specific approach with which
internal auditors carry out their duties. When handled appropriately, and with sufficient tact, the
reporting process can proceed as smoothly as a backyard barbecue. Five rules, in particular, can help
auditors not only achieve greater reporting effectiveness, but also bring about positive organizational
change.
5/25/2010 10:14 AM

Page 2 of 5

RULE 1: TREAT CLIENTS WITH RESPECT

During a recent fraud investigation I conducted, the perpetrator thanked me at the final interrogation
for the respect with which I treated him. He was extremely grateful, even though the company had
just terminated him and subjected him to fairly draconian restitution obligations.
Even people who knowingly and deliberately commit wrongdoing deserve to be treated respectfully.
These individuals may be fighting personal demons, and internal auditors should look upon them
with no less humanity than they would anyone else. Moreover, suspected fraudsters may still have
extensive social networks in the organization, and the way auditors treat them could impact morale
as well as the auditor's ability to function effectively even on routine assignments. If the auditors
have done their job well, they will have the necessary facts to conduct their work there is no need
to denigrate anyone in the process.
Auditors who follow this first rule ensure their clients are well-prepared for the audit report. They
share results with clients as the engagement progresses, noting issues along the way. They discuss
items that might represent control concerns or efficiency issues directly with those responsible for
the areas involved. Before issuing their report, these practitioners already know if the client will
agree with the findings, and they've provided their thoughts for mitigating control risks or crafting
more effective processes.

RULE 2: GIVE CLIENTS THE BENEFIT OF THE DOUBT

When auditors disagree with clients' work processes, they should never assume the clients arrived at
their approach out of ignorance or incompetence. Staff and management perform their jobs day in
and day out; it is their life. Auditors look at client processes as outsiders, and the limited time
allotted to individual assignments may preclude them from correctly placing all pieces of the puzzle.
Thus, while client methods may seem unusual or wrong at first glance, valid reasons may exist for
their decisions. Auditors need to maintain humility, recognize their own fallibility, and give clients the
benefit of the doubt.
Internal auditors should give clients credit for doing what they believe is right, even if their actions
eventually prove wrong or misguided. For example, auditors can remove significant barriers to
change by saying, "I understand your approach, and it makes sense in the context of what you've
learned or what you've previously been trained to do on this job." This type of acknowledgement can
help disarm clients and make them more receptive to constructive feedback. The auditors can then
say something like, "We'd like to share with you some new information that has bearing on this
issue." When auditors later follow up by seeking client input on practical solutions, the client will be
more inclined to feel part of the solution and more likely to implement recommended changes.
Clients have a greater tendency to buy into the process and take ownership of the recommendations
when their input is solicited. At my organization, clients often implement changes well before the
audit report is issued because they want to move forward with identified processes or control
improvements as quickly as possible.

RULE 3: PICK YOUR BATTLES CAREFULLY

Not all audit issues are worth pursuing. Effective auditors know when to persist with their findings
and when to back away.
Audit comments usually fall into two broad categories: control-related comments and those related
to effectiveness or efficiency. Each of these categories generally breaks into two subcategories:
minor or serious. Internal auditors need to recognize these important distinctions. If the auditors find
a serious control weakness without any mitigation in place, they must report it and ensure the client
5/25/2010 10:14 AM

Page 3 of 5

understands that internal auditing has no choice but to do so. Auditors do have a choice, however, in
determining how reporting issues are framed.
When auditors find a significant effectiveness or efficiency issue, they must obtain agreement and
buy-in from the individuals who would implement recommended changes. Effectiveness issues are
not black or white. They pit the auditor's opinion of effectiveness against that of the client who does
the job day in and day out. If the auditors do not reach an agreement with the client but still want to
make a recommendation, they are forced to butt heads with personnel who are intimately involved
with the processes in question.
Pursuing effectiveness and efficiency issues aggressively with upper management typically results in
one of two possible outcomes. In the first scenario, the auditor accomplishes nothing because the
personnel doing the job every day possess more credibility on judgment calls than the auditor. From
then on, clients will likely be discouraged from cooperating with the internal auditors a side effect
that may well spread to other areas of the organization.
In the second scenario, the auditor wins the battle but loses the war. Although the auditor may be
able to convince management that a change is necessary for the good of the company, the clients
forced to implement this change may become hostile toward members of the audit department.
Clients will likely seek ways to prove the system change is unnecessary, unworkable, and
counterproductive. In the end, there is a strong likelihood they will return to their old methods and
procedures.
To avoid unnecessary, relationship-damaging conflict, internal auditors need to choose their battles
carefully. They must try to convince clients to recognize the wisdom of fixing problems identified
during the engagement. If these efforts fail, and the problems represent a serious control issue, the
auditors need to apologize for the stalemate and explain that they are obliged to report the problem
and the risk associated with it. If the issue is not control related, the auditors should let it go there
is no point in creating ill will when little upside potential exists. Internal auditing can still mention the
issue informally to management and discuss the benefits of making a change, but this discussion
should not be placed in the report. If managers see value in the idea, they will address it on their
own.
When auditors report a control weakness without reaching agreement with the client, they must
handle the report with care. They need to explain why the control is not in place and why those
running the process believe they should not implement the control. In many instances, resource
constraints prevent clients from responding to control needs. The auditor's job is to ensure that
management is aware of the deficiency and the risk associated with it, and explain both the severity
and likelihood of the risk as clearly as possible. Controls cost money, and management must decide
if it wants to spend that money or simply treat the risk as a cost of doing business.

RULE 4: ACCENTUATE THE POSITIVE

Although following the first three rules should result in a constructive, professional audit report,
internal auditors must still be mindful of the overall need to maintain a positive approach to the
reporting process. Regardless of the assignment, auditors must always be able to communicate
results and recommendations without using negative or accusatory language. Even in areas where
significant deficiencies exist, there is no need to say something like, "Department personnel are not
doing what they are being paid for, and they need to start pulling their weight." Instead, auditors
can use a more constructive approach: "This department has significant challenges, and we have
identified several areas where improvements can be made. We have agreed with department
management on appropriate changes to address the concerns identified."
When significant findings must be reported, such as during a fraud investigation, auditors can get
their message across by simply stating the facts and avoiding editorial comments. Emotionally
charged, subjective language can be tempting to use when the auditor feels strongly about a
situation, but it is ultimately counterproductive. Auditors need to avoid this temptation by remaining
5/25/2010 10:14 AM

Page 4 of 5

objective and keeping their work on a professional plane. Moreover, they must be sure to give clients
credit for their positive achievements, rather than only discussing problems or weaknesses.
The old homespun expression many of us learned from our mothers remains valid: "You catch more
flies with honey than with vinegar." A positive approach and positive language draw people into
dialogue; a negative approach usually results in walls erected to keep auditors and their new ideas at
a distance.

RULE 5: BE INFORMATIVE
To ensure clients read and clearly understand report content, internal auditors must pay close
attention to the document's substantive content and structure. Reportable issues need to be
developed fully and presented in a cogent manner. Moreover, audit reports need to be persuasive,
especially to readers who have not received any prior exposure to the audit.
The most effective, best-crafted audit reports are based on well-developed, detailed comments. To
ensure comments are informative and useful, internal auditors can follow the development criteria
found in Sawyer's Internal Auditing, 5th Edition, which cites five audit-comment elements:

The criteria are the rules, principles, or guides that lead the auditor to believe a problem may
exist. Auditors must have a clear understanding of criteria to articulate them to others.
The condition explains what's being done (i.e., the client's process), focusing only on the
facts. The description should be communicated clearly, without judgmental language.
The cause helps explain any deviations from the criteria and account for why these deviations
exist.
The effect answers the question, "So what?" That is, what are the potential consequences of
the condition? Without a cogent effect, the auditor has not established that a problem exists
and does not have a valid audit comment.
The recommendation describes the actions for management to consider. The internal auditors'
job is not just to "throw rocks" but to help find solutions. They must find an agreeable
solution to the condition, or an approach to finding a solution, to which all are parties are
willing to commit and follow.

Auditors should also consider a sixth element not covered in the Sawyer text the response.
Management needs to be comfortable with not only the ideas discussed but also with how those
ideas have been presented in the report. Responses give management an opportunity to provide
feedback on the report findings. Moreover, that feedback helps auditors gauge the effectiveness of
their work.
Each of these elements is essential to effective detailed audit comments neglecting to incorporate
any one of them will leave readers wondering why reported issues require change or whether the
changes suggested would lead to improvement. Detailed comments are the foundation for the
summary report to senior management and the audit committee, and internal auditors must keep
this audience in mind when drafting them. The summary should contain the auditor's conclusions
and opinion and convey the essence of the detailed comments. Auditors should keep the summary
brief, ensure the content is accurate, and focus on presenting solutions, not problems.

AGENTS OF POSITIVE CHANGE

During his presentations to company employees, my boss often uses a cartoon to illustrate a point
about teamwork. The image shows a rowboat with a small group at each end of the craft - one end is
in the air and the other is resting deep in the water. The partially submerged group is shown bailing
out water. The group on the high end, safe for the time being, says something like, "It's a good thing
we're not on that end of the boat."
5/25/2010 10:14 AM

Page 5 of 5

When conducting their work, internal auditors need to remember that they are part of the
organizational team. Practitioners should approach each engagement with a cooperative mind-set
and continually seek ways to help other employees and make their jobs easier. They should
remember that, for many clients, auditing can be seen as an intrusive, disruptive process. After all,
internal audit work essentially boils down to walking into employees' personal workspace, looking
over their shoulder, and making value judgments on their performance. Any engagement can be an
intimating proposition for the audited group, and the power wielded by internal auditors should be
handled responsibly.
To obtain optimal results, auditors must conduct themselves in a way that encourages clients to see
them as a trusted counselor. As agents of positive change in the organization, auditors need to
become valued insiders not outsiders who cause others to put up their guard and resist
constructive change.
To comment on this article, e-mail the author at lawrence.deberry@theiia.org.

Internal Auditor
www.internalauditoronline.org

Goh Kheng Leng

Head Internal Audit
NTUC Income
DID:65-68773460
www.income.com.sg
Make Insurance Make A Difference
(From 1 October 2008, my email address is khengleng.goh@income.com.sg)

5/25/2010 10:14 AM