Download the PDF of this article 7 Practices for Better Audit Outcomes
When it comes to ensuring successful audit outcomes, the two parties involved — the auditors and the auditees — must be committed to active cooperation. Throughout my career, I have followed certain principles that, when consistently adhered to by both parties, have resulted in successful audits.
I have worked in the U.S. Air Force Audit Agency and in the Office of Inspectors General (OIGs) of both the U.S. Postal Service and Department of Transportation. Since 2010, I have served as the director of the U.S. Government Accountability Office (GAO) OIG Liaison Office for the U.S. Department of Homeland Security (DHS). In my current position, I facilitate nearly 250 GAO and various OIG performance audits at one any time across DHS.
These seven principles, along with approaches DHS uses to implement them, can easily be used by other organizations seeking to improve their audit outcomes.
1. Believe Audits Make Things Better
This foundational principle requires auditors and auditees to believe in the work they are doing and remember that it’s not just a job. Auditors and auditees must do the best they can with a view that the results of their efforts will add value to something greater than themselves. For many at DHS, believing this translates into knowing that audit’s efforts are helping make the department’s programs, operations, and activities more effective, thereby ensuring the U.S. and its citizens are safe and resilient against terrorism and other hazards.
Tone at the top in both the audit and audited organization is crucial to successfully implement this principle. For example, senior leaders in the audited organization must have processes in place to demonstrate a personal awareness of, and an active interest in, the audits occurring within their organization. To facilitate this, DHS assigns a priority of 1, 2, or 3 to each audit using broadly defined criteria supplemented by professional judgment and experience. Criteria include considering the level of taxpayer funding in a particular program or initiative and the significance of potential violations of statutory or regulatory requirements. Priority 1 audits warrant secretary or deputy secretary of DHS attention; Priority 2 audits are those that can be monitored at the component or headquarters directorate level, such as by the administrator of the Federal Emergency Management Agency; and Priority 3 audits are considered less critical and can be monitored at the program office level. The priority assigned to an audit is subject to change, depending on circumstances, as the audit progresses through its life cycle.
2. Understand and Respect Audit Independence
Arguably, one of the least understood audit standards is the U.S. Generally Accepted Government Auditing Standard of Independence, which establishes a foundation for the credibility of the auditor’s work. Independence allows audit opinions, findings, conclusions, judgments, and recommendations to be impartial and viewed as such by reasonable and informed third parties. Independence requirements relating to the audit organization and individual auditor — including what independence of mind or in appearance means — and how professional skepticism is correctly defined, can be difficult to fully understand. When auditees have trouble with these or other aspects of independence, they usually just need to learn more about the concept. It is more problematic when auditors do not fully understand what independence is and is not.
During my more than 30-year career, I have seen instances of auditors knowingly or unknowingly misapplying the independence standard as leverage in an attempt to get whatever they wanted, thereby impeding successful audit outcomes. For example, some auditors have told auditees that if they did not immediately produce exactly what they asked for, or let the auditors come and go throughout the organization whenever they wanted, then the auditee was impinging on audit independence. This is quite an overreach. One way DHS mitigates misunderstandings about independence is through an annual joint DHS-wide town hall meeting hosted by the DHS under secretary for management with the inspector general and attended by audit staff, agency leadership, and program officials. The meeting’s question-and-answer format provides an opportunity to openly discuss topics such as independence and, more importantly, to correct misunderstandings. Without audit independence, the value of an audit is considerably diminished; auditors and auditees need to be in sync on independence and why it is needed.
3. Be Open and Transparent
There should be no secrets when working with auditors. Honesty is the best policy, even if being less than open and transparent may seem more expedient in the short term. Making sure there are no surprises at the end of an audit goes a long way toward ensuring successful audit outcomes. The audit life cycle can be long, sometimes taking a year or more from research, announcement and entrance, fieldwork, summarization, report writing, exit, and management response, to final report publication. Ample opportunities exist throughout the life cycle for auditors and auditees to allow the truth to wander. This may involve something the auditor wants to know, such as how a specific aspect of an internal control system might actually be functioning, or something the auditee wants to know, such as what findings and recommendations the auditor might be thinking about including in the final report.
DHS designates an executive-level senior component accountable official (SCAO) for audit activities within each component and headquarters directorate. SCAOs have wide organizational influence — typically at the chief of staff level — and also are responsible for, and have authority over, their respective organization’s audit activities. The SCAO enables and assists program officials, audit liaisons, and others with all aspects of the audit process, including helping to resolve issues that could endanger open and transparent relationships with auditors. For example, SCAOs have mediated disputes concerning what sensitive records may be shared with GAO and OIG auditors.
4. Be Responsive
Successful audit outcomes require a commitment to work collaboratively with the other dedicated professionals involved with the audit. Responsiveness means reacting quickly and positively, and generally reflects how much someone cares about something. For example, consider how auditors and auditees respond to information requests from one another.
One way to help ensure success is to set clear expectations for these interactions and adhere to them. Senior departmental leaders at DHS have consistently articulated expectations for the entire workforce regarding cooperation with GAO and OIG, including their contractors. To maximize effective implementation of this guidance, auditor-to-auditee communication is streamlined and, as a matter of practice, audit issues are addressed at the lowest organizational level possible, trusting and empowering staff and elevating matters to more senior leadership only when necessary. This involves a certain degree of risk — for example, sometimes auditors do not receive the most fully informed response to their questions — however, DHS has found the risk to be acceptable given other controls implemented to balance the risk for the benefit of both parties.
5. Stay Engaged
Early and continuous involvement can be difficult, especially for auditees, because audits can require significant time and are not part of their primary day-to-day responsibilities. However, if auditees believe audits make things better, they will give them an appropriate level of attention among competing mission-related priorities and demands. Likewise, auditors should be mindful that continuous and effective communication with auditees ultimately enhances the flow of information and exchange of ideas. Auditors also need to be understanding about responsiveness lag when other auditee duties occasionally take precedence over the audit.
One way DHS engages with GAO and OIG during the audit life cycle to help ensure successful outcomes is through a standardized technical comments process for communicating and documenting management feedback on auditor statements of fact, notices of findings and recommendations, and discussion or draft reports. Auditors receive and consider these comments, seek clarification when needed, and make changes to work products, as they deem appropriate. The comments are not intended to substantively alter audit findings, conclusions, or recommendations. Instead, they are meant to strengthen work products by improving accuracy and context, preventing the inadvertent disclosure of sensitive information, helping validate actionable recommendations, and minimizing the number of disagreements. As a result of this process, DHS officials rarely find themselves questioning audit report narratives once published and distributed to the U.S. Congress and the public, including the media. Rather, conversations focus on what is being done to implement recommendations.
6. Prepare Detailed Management Responses to Audit Reports
Management responses can contribute to successful outcomes if they clearly document management’s position on the findings and recommendations, identify the corrective actions that will be taken (with estimated completion dates), and assign responsibility for those actions. Auditors generally include management responses verbatim in an appendix to final reports, which are then widely distributed inside and outside the organization. Well-written management responses represent an opportunity to demonstrate how seriously the auditee takes audits. Also, when considered with the auditor’s evaluation and analysis of the response — which provides additional audit perspectives on management’s comments and is included in the final report — management responses provide a good roadmap for recommendation closure and the resolution of disagreements.
DHS requires a written management response for all audit reports with recommendations. Responses must:
- Clearly state agreement or disagreement (concur or non-concur) with individual recommendations. Partial concurrences are not allowed and it is acceptable to non-concur as long as the rationale for doing so is included.
- Specifically identify the organization and office responsible for taking the corrective action, such as the U.S. Customs and Border Protection Office of Field Operations.
- Outline what will be done to implement the recommendations — including proposing alternative corrective actions if program officials believe these would be more effective. This is typically stated in terms of actions completed, ongoing, or planned, being sure to address all aspects of each recommendation.
- Include an estimated completion date for each action, which can be up to 12 months beyond the estimated date of the final report, or longer if interim milestones are included at approximately six-month intervals.
7. Actively Follow up on Recommendation Implementation
DHS and its auditors view audit follow-up as a shared responsibility and an integral part of good management. This view has significantly improved and facilitated positive interactions among auditors and auditees. DHS devotes substantial attention to taking corrective actions on audit findings and recommendations, a practice that is essential to improving operational effectiveness. This requires sustained leadership commitment at the highest levels. For example, the DHS deputy secretary and/or the under secretary for management meet with the SCAOs every two months to review and discuss the status of ongoing audits, open recommendations, and related performance measures. Senior leadership also receives various periodic audit status reports in between these meetings, including a biweekly Priority 1 report.
If DHS management commits to an action in an audit response, it does its best to follow through on that commitment timely. DHS also strictly adheres to a practice of not closing any GAO and OIG audit recommendations without first reaching agreement with the auditors. This provides Congress and the public added confidence that appropriate actions have been taken to implement these recommendations or otherwise resolve any disagreements. As a result, DHS averages less than one recommendation annually that requires formal resolution.
A Positive Approach
Successful audit outcomes do not just happen. The participants must believe audits make things better and be mindful of the six other principles for ensuring successful outcomes. Moreover, auditors and auditees have a fundamental responsibility to ensure that the resources expended on audits provide a positive return on investment for stakeholders.
Source: Internal Auditor magazine February 2019 article 7 Practices for Better Audit Outcomes