Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
The podcast for performance auditors and internal auditors that use (or want to use) data. Produced by Risk Insights.
Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
52. Simplicity
In this episode we discuss why and how audit quality is improved when we keep things simple.
About this podcast
The podcast for performance auditors and internal auditors that use (or want to use) data.
Hosted by Conor McGarrity and Yusuf Moolla.
Produced by Risk Insights (riskinsights.com.au).
You're listening to the Assurance Show. The podcast for performance auditors and internal auditors that focuses on data and risk. Your hosts are Conor McGarrity and Yusuf Moolla.
Yusuf:Today is slightly different from some of our previous podcast episodes. So we have been talking about performance audit in the mini series that we had recently. We've had all sorts of discussions around the use of data within audit and we will touch on the use of data within audit a little bit in this episode, but the focus is simplicity and bringing simplicity back into our audits.
Conor:Why care about things being made simple?
Yusuf:Auditors want things to be simple because a simpler approach and output of an audit means that you can get to a higher level of quality and be confident in that quality that you're producing. Because it's always easier to see problems or issues in something that's simple than it is in something that's complex. So we've all picked up complex audit files before, and it's very difficult to navigate. Whereas a simple, well-structured audit file and audit report is far easier to review. Why should stakeholders care about something being simple? They don't care about our process, but in a lot of cases, they will respond positively, where audit reports are being made simple or audit plans, that are shown to audit stakeholders, are simpler. This may not happen all the time, but often those stakeholders recognize that simplicity has been created. Over the years, people have become used to seeing things that they have to read and then interpret and then understand. And when you read something that is simple, it is very clearly easier to read, and people recognize that. We've seen, so many times, shorter reports are recognized, simpler reports are recognized. And so management, audit committees - even if they don't necessarily say it out loud- they will recognize that is not something that is easy to do. People that sit within audit committees, management executives, they've all been there. Quite a few of them would have been within either internal audit or performance audit teams in some way, and so they know what it's like in a lot of cases. And even if they don't, even if they haven't been in those shoes, they've had to create documents at some point - and they know how difficult it is to get to simplicity. It doesn't come naturally for everybody. So even if they don't say it out loud and hopefully they do. That recognition is there that you've made their life easier and you've made things easier for them to digest.
Conor:So if I'm an audit committee member or a member of the board, I'll appreciate the fact that you, as an auditor have taken a process that might have 50 inputs and lots of mechanisms in the middle and boiled that down to a few key steps that I can see and digest really quickly.
Yusuf:They would have seen what the complex equivalent would have been. And if they ask, is this just a simple process? You can quite easily respond that no, it's not simple, but we've simplified it for purposes of reporting. And they'll understand that as well. So sometimes you may need to make that explicit and say that you've done it. Not that we necessarily as auditors are salespeople, but often we need to be. So we need to explain that this stuff takes time and it's not that easy to do and people will get it and appreciate it. In most cases I think. Long ago when I started at Deloitte in South Africa the partner that I reported to said to me one of the things that you can do to make your professional life easier is to try to keep things as simple as possible. So continuously aim for simplicity because there's far more value to be had in simplicity than in trying to make things more complex than they should be. And it also makes life a lot easier for both you and your clients and stakeholders.
Conor:Based on our observations and dealings with audit offices and internal audit teams in the past few years, there is a recognition of the need to get better at simplifying things. How can we simplify planning? What can we do there?
Yusuf:The first of those is the way in which we communicate with our stakeholders, and this goes back to understanding our audience. One of the things that we seem to continuously do is write external communications about what we're going to be doing or how are we going to be doing it, from our traditional audit standards and audit approach perspective. That's an easy, comfortable place for us. We talk about what our approach is and what we need and what we'll give. That doesn't always translate very well to the stakeholders that are receiving those. So in that case, it would be a little bit more difficult to think about these things from the perspective of our audience. But the discussions that we have around a particular document that we issue will be easier because it is targeted at the audience. And it is not talking about our internal processes and approach. We always want to be transparent about these things, it is telling them exactly what they can expect.
Conor:As assurance professionals, we come in and tell stakeholders, particularly those we're auditing, what we're going to do to you.
Yusuf:It's not an easy thing to change. If somebody asks us, tell me exactly how you're going to do this. I'll explain to you how exactly I'm going to do this, but I'm not going to do it if you don't ask, because the person wants to know what do you need of me? Everybody's busy for lack of a better phrase. Everybody has things to do. Don't tell me about things that you're going to do that I don't need to know about, just tell me what you need from me and I'll be on my merry way. So that's the way maybe to think about it. There's other things within planning that we can do. If we spend enough time in that planning process, then the objectives of the audit and the approach can be made a lot clearer if we properly understand what it is that we're trying to achieve. Often we write plans, that are ambiguous, and that ambiguity usually results from us not understanding the topic and what we're trying to achieve properly. If we know exactly what we want to get out of an audit, we should be able to write that very simply.
Conor:Okay, so we've covered simplicity in planning there. How can we make our conduct or field work phase of the audit more simple?
Yusuf:There's a couple of things here that we can do, but the most important one, based on the work that we do, focused on the use of data within audit that I found over the years is around how we ensure that any data workflows that we create or data scripts that we create or whatever it is that we want to call it. Whenever there's a change in either the inputs. So the data coming in or the way in which we understand that data or the way in which we obtain insights from the data or where there's a change in what the expectation is around the outcomes of that data exercise. We should go back and check whether we need any of the complex steps that have been created over time. In the technology world, they call it technical debt. And we build a lot of technical debt during an internal audit or performance audit. We end up with this spaghetti complex set of code. The thing that I've struggled with over the years and hopefully better at it now, but if you don't go back and check whether you need all the complexity in your code you end up with something that is far more complex than you really need to get the outcome that you're looking for. Part of the challenge with that also is that it becomes very difficult to then document it because you've got all of these steps that are unnecessary and it becomes difficult to reuse afterwards. So it becomes quite an inefficient process. So at several stages during data work check whether each of the steps that you've done makes sense and is needed. And particularly those very complex technical steps. Do you need all of those? Now I recognize that it does take a bit more time to go through and make things simpler. But what I found over the years, that actually saves you a lot of time and frustration both during and at the end of the audit. So there's a trade-off in taking that complexity and making it simple. But that trade-off is definitely worthwhile in the long term.
Conor:And is there any value in somebody with a non-technical background questioning, for example, a data workflow to say, can you explain to me what's happening here?
Yusuf:It's not only a valuable thing, but it's a necessary thing. In the steps that we use for QA of any data work there usually has to be a non-technical person asking those questions. Because technical people do get caught up in technical stuff. There's lots of people that can switch between the two, but either a technical person with a non-technical approach to the review or a non-technical person coming in to do the review and asking those questions is invaluable.
Conor:And obviously that would just improve the quality of the overall output. What else can we do during conduct slash fieldwork?
Yusuf:Yeah. So this probably crosses over between planning and conduct and may even be a broader approach. But really thinking about the controls and whether they address the risks. Now, surely we all do this and we evaluate it, but time and time again, we see that there are specific things that we're looking for to presumably address a risk that don't, and we create this complexity within our control environments that just isn't necessary. That goes way beyond the audit into complexity we're creating for our stakeholders that have to manage these things ongoing. And often, depending on how powerful, for lack of a better phrase, the internal audit team is sometimes you can get management to create controls that are just unnecessary. So I think one of the things that we can do to create simplicity for ourselves, but also for our stakeholders is rethinking certain controls and how they actually address the risks. And whether risks that we've identified a long time ago are still relevant. So with COVID, many people are working remotely. You're not necessarily in the office. That creates a slightly different risk profile in terms of physical security, for example. So do we still need to be testing those physical security type controls in the same way? Do we still need to be thinking about them in the same way? Are they still the same as they were before? There's lots of those sorts of things that just create unnecessary complexity and that we can with a little bit of effort, and this is what we should be doing because, for sure the standards talk about making sure that controls address the risks and that you don't have superfluous controls in place. So that's a sort of planning slash conduct simplicity step.
Conor:Over the years, I've seen very few assurance reports where for example, an internal audit has suggested that redundant controls be removed. Are you thinking that we may move more to that sort of focus as part of our reviews?
Yusuf:That would be almost an efficiency audit, and I'm not suggesting that we do that. There's all sorts of different ways in which internal audit mandates are set up and the way in which people think about how internal audits are presented. So I'm not suggesting that. Obviously there are many teams that do it. But it's not about suggesting that controls are removed. It's about whether we need to test those controls when we're actually executing our work. So yes, it would be great if we can suggest that, but there's challenges with that as well. There's other things that we can do that don't necessarily go to that full extent that still enable us to get to a good result.
Conor:It goes back to the old premise of the risk. What's the risk we're trying to address. And if the control is no longer relevant to the risk or in excess of the risk, then we need to think carefully about that.
Yusuf:Yeah. And that goes to previous findings as well, where we've recommended certain actions be taken. Are those actions still relevant? The last one, this is probably quite a simple one, but this is something that auditors face all the time. A lot of time and effort is spent on cross-referencing and gold-plating our working papers. One thing that we can do is consider whether we really need to be documenting everything that we are documenting. And again, I'm not suggesting. that we should be under documenting, but sometimes we go a little bit too far and we do more work than we should, or that is necessary to actually document what we've seen and conclude on it. That is something that all internal audit teams have struggled with over the years. A lot of them have actually got better at that. There's nothing wrong with us thinking about what we're documenting when we're documenting it. Especially if the thought process or the thinking process is shorter than the documenting process.
Conor:Planning and conduct, slash field work, we've covered there. What can we do to make reporting more simple?
Yusuf:This is probably the easiest one, right? So everybody knows about the plain English language movement using things like active voice versus passive voice. The main thing here I think is just to properly understand who your audience is and what we need to tell them and how we tell them what we need to tell them. So make sure we're getting the message across in a way that is understandable to the reader and gives them everything that they need. Part of that is shortening our audit reports because frankly, nobody wants to read a hundred page audit report. Okay. One came across our desk just the other day, and the challenge with that is we found a host of errors in the document. And I would suggest that the reason is the document was so long that it would have been difficult to find all of those things and review them properly and get them to read properly and be accurate. So shortening our audit reports. Whatever it is, you can always make it shorter. So that's one and then using plainer English, of course. We're still on a journey to using plainer English, ourselves. And that's going to take some time, some audit offices and internal audit teams have done really well at this. That simplicity does take time. But it's definitely worthwhile because that report, once it's created is available for a long time, and many people will be reading it potentially. That time that you spend during the audit, making it easier to read, in all likelihood, will be saved by the reader. And they're our audience, they're paying for the work that we're doing. So we're doing them a disservice if we don't get a report that is more efficient to read and understand.
Conor:And I'd maybe add one thing to that. And that's the use of data visualizations where possible. We can have a page explaining some statistical information and why that's important. But if we can turn that into a chart that's consumable and a quick read, then that's a good outcome as well.
Yusuf:For sure. So charts, infographics, sidebars with little summaries of what's on the page, all of those are important. With the visualization and the use of data we do need to be careful not to put information in that is not relevant to what we're saying. So often in, trying to make our reports look fancy, we'll try to find a nice visual with a nice color and put it in, if it's not actually adding any value, we should leave those out. The other is putting in visuals that are just too complex, or that can be misread. So if we do that, we're then creating more complexity again and complexity in the mind of the reader. Using data, using infographics is good. But not if it's done purely for being fancy and definitely not if it's creating more complexity or ambiguity.
Conor:If you give it to a nontechnical reader and they can't immediately pick up what a chart or an infographic is trying to convey. Then you need to go back and fix that up.
Yusuf:Part of the challenge also is how much of time do you spend on that? Because different people read differently. So there's a level to which you need to get it that you may not be able to get beyond and get to 100% and satisfy everybody's reading needs. So when you read a report and I read a report, we read it very differently. We see things differently. Can you satisfy both of our needs? Probably not. So you want to get it as close to what the average person can understand quickly. Sometimes you need a bit of detail, but then when you have that detail or you have something that could be potentially ambiguous then the way to counter that is to have a good explanation so that at least somebody can read and understand if they can't see something in the chart straight away.
Conor:Okay, fantastic. Today we've discussed simplicity and some techniques for how we should be aiming to make our audits more simple in the planning phase in the conduct phase, and obviously in the reporting phase. Thanks Yusuf.
Yusuf:Thanks Conor.
Narrator:If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.
.jpg)
.jpg)
