Requesting documentation is an integral part of any audit, and it signals the transition from planning to fieldwork. Standard 2310: Identifying Information states, "Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives." How the request for that information is made sets the tone for the audit, and can help or hurt the auditor-audit client relationship. It also can impact the overall achievement of audit objectives, so it is worth spending the extra time to get this step right.
Request lists tend to be hastily put together, with the expectation that the sooner the auditor requests the information, the sooner it will come back. However, requests can get lost, forgotten, or ignored, and weeks can go by with no response. Auditors are not easily deterred and often send follow-up emails, leave voice mails, and, as a last resort, knock on the client's office door in an attempt to get all the requested information before the start of fieldwork. In some cases, requests seem to never end. If the first request was for a list of projects, a second request for invoice milestones needs to be made, and the process starts all over again. Hopefully, the project list was both complete and accurate, so another request does not need to be made.
The good news is there is a better way. It requires more front-end work but requests are received quicker, questions are answered faster, and stronger relationships are built with the client. The answer is to simply schedule a meeting with the client in his or her office before requesting documentation, or if the client is at an off-site location, use Web conferencing. This may sound like a lot more work, but meeting with the client has many benefits and is worth the time. In addition to obtaining the requested items in the face-to-face meeting, auditors gain an opportunity to improve their knowledge of the business and strengthen the relationship with process owners.
Practitioners should make sure they understand what is being requested before the meeting. It sounds like obvious advice, but it's common to learn something new about an audit area in a meeting that makes the original request irrelevant. The best way to avoid this is to have a solid understanding of the audit steps, the audit step objectives, and the associated risks, so the auditor can quickly regroup and make a new request that satisfies the overall audit objective.
During client meetings, auditors should start with a brief overview of the audit and its objectives. This will help communicate the reason for the information requests. They should then make the population request. More often than not, the client will easily be able to produce the requested list because he or she is sitting in front of the computer. The auditor can then make the sample selections and explain what documentation is required. If the documents are accessible to the auditor, he or she can inquire where they are located and pull the information. This is the best way to ensure the samples are reliable and have not been altered before submission. The auditor should be certain to allow enough time to review the population, make the sample selections, and ask questions. Another benefit of this approach is that clients appreciate having the audit objectives and requests explained to them in person. They are more willing to provide the documentation and answer follow-up questions because they have a clear understanding of what is needed and why.
If, during the discussion with the client, the auditor realizes a change needs to be made to a request, it can be addressed in real time. This also saves the auditor from having to send an embarrassing email apologizing because he or she inadvertently requested the wrong information.
After all of the requests have been discussed, the auditor should wrap up the meeting by asking a few questions about how the business is doing, if any new initiatives are being undertaken, if the new document management software is meeting expectations, etc. Anything learned about the business will improve internal audit's ability to make recommendations and may identify other areas to look into at a later time. Standard 2310's interpretation states, "Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals." Obtaining this useful information is much easier face-to-face than over the phone or via email.
After the client meetings are finished, the audit team will be able to start testing immediately because most of the requested documentation has been obtained. Another benefit to this approach is efficiency, because it can significantly reduce the time spent waiting and following up with the business process owner. It also allows the auditor to use his or her time effectively. It is much better to spend one hour with the client up front than to spend an hour each of the following three weeks sending follow-up emails.
Bridging the Gap
The best-case scenario is that the auditor walks out of the meeting with all the sample requests and is ready to start testing. The worst-case scenario is that the auditor leaves the meeting without the requested information, but now knows where the supporting documentation is located and can pull the sample selection him- or herself. Regardless of the outcome, the auditor has spent time building a stronger relationship with the client and may have received some valuable information related to that department or business unit that could not have been obtained through an email exchange.