Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
The podcast for performance auditors and internal auditors that use (or want to use) data. Produced by Risk Insights.
Auditing with data: for Performance Auditors and Internal Auditors that use (or want to use) data
51. Performance Audit Mini-Series #4: Conduct/Fieldwork
This is the fourth in a series of episodes that focus on performance auditing.
In this episode, we discuss five suggestions to help improve the conduct (fieldwork / execution) phase.
About this podcast
The podcast for performance auditors and internal auditors that use (or want to use) data.
Hosted by Conor McGarrity and Yusuf Moolla.
Produced by Risk Insights (riskinsights.com.au).
You're listening to the Assurance Show. The podcast for performance auditors and internal auditors that focuses on data and risk. Your hosts are Conor McGarrity and Yusuf Moolla.
Yusuf:Today we are continuing our little mini series on performance audit. We previously spoke about the forward work plan, very high level, then we spoke about getting balance that work program, and then planning with data. Now, I know there's obviously lots of other things to talk about as it relates to planning, but I can't imagine that there's a lot that we would want to say, beyond what we've already said, that auditor s aren't already doing. We're going to now dive into a few things around conduct. So this is mini series episode number four, and we're talking about conduct/ execution / fieldwork.
Conor:Yeah, and they're all pretty obvious things, and little observations we've made over the years. But they're still things that are important to help make your life a bit easier as you work through your performance audits.
Yusuf:And we find it useful to remind ourselves of these as we start conduct. And. depending on the nature of the audit, remind ourselves during conduct as well, because some of the audits that we get involved in could have a conduct phase that go for three or four months really. The first of those, and we've been told this for many many, many years obviously, is begin with the end in mind. So what is it that we need to report on at the end, when we're developing questions that we want to ask of client or the auditee, and when we're developing our working papers and when we evaluating the evidence that has been provided to us or any information that has been provided to us, we want to understand what the end result is so that we don't go into rabbit holes that we don't want to explore. And also we get all the information that we need to be able to report so that we're getting that information early in not having to chase it up later.
Conor:Yeah. So what we find is it's been quite helpful right at the start of Conduct, if you can, even towards the end of planning, trying to put together a framework or shell for what your report might look like in the end, because it's quite a good way to keep you disciplined as you go into your conduct, to keep you out of those rabbit holes. And obviously that may change as you work through your audit and new evidence comes to light, but it's really good insofar as possible to establish that framework upfront. The other thing that it helps with it ensures that the working papers that you have supporting that end result report are not just cookie cutters from your previous performance audit. And that you've actually thought about, what's the objective of this particular review? What are the sub objectives or lines of inquiry and working back from that such that your working papers are, set up as efficiently as possible, just to help you get that information.
Yusuf:Yeah. And often when we set up our working papers. It's not just about what normally would fall into a, table within the document if you like being the objective and the criteria, the lines of inquiry, the specific questions you're going to ask, the audit approach, the evidence you're going to collect, often you want to have contextual information as well. And what we found is that putting that contextual information upfront in the working paper serves two purposes. One is it helps in answering questions that we asking during, conduct, but also it helps then piece the information together that. we need for the report. So you need the context in order to conduct the work, but you also need that for reporting later.
Conor:And it's really helpful having that context upfront in your working papers where you have multiple entities you're dealing with because they might each have a different take on the particular context as it applies to them. So it allows you to crystallize that in your head and then perhaps if you need to tease out later on what the context is in terms of your reporting. So whether that's the macro level across your entire jurisdiction or you're talking about the context for each entity you're auditing, then at least you've got that information there ready to go.
Yusuf:So that leads into the second point and that is sometimes it's easier to actually write the draft report as you go. So you spoke about putting the template together towards the end of planning and early in conduct. During conduct, if you're able to start writing the report based on information that you've confirmed, that means that you get a headstart firstly, on reporting, but also it helps you identify those areas that you may be lacking information in, in order to be able to report early on so that you can feed that into conduct and not have a reporting phase that goes longer than it should.
Conor:Yeah. So it identifies any potential gaps that you have in your work that you may need to address, which is obviously important from an evidentiary perspective. The other thing it helps with is we all have to work through levels of hierarchy for approval when it comes to reporting and so forth. So what we found in the past works quite well is the sooner the better you can show some of the senior leaders in your audit organization how our report's shaping up and get their input that can actually save you a bit of time towards the backend of reporting.
Yusuf:Okay. The third one, And this is a bit more logistical, but is more of an efficiency saver really is that, specifically for longer audits, you often need to have some sort of status update on the audit either externally or internally. Externally you usually can't get away with much more than an actual status update because you're not always able to talk about findings early, et cetera. However when we're doing internal status updates unless we have a very rigid approach as an audit team or an audit office, it makes sense to not duplicate effort and not create additional overhead that doesn't necessarily add to the audit itself. So what we mean there is don't create lots of status, update documents and status update powerpoint decks, et cetera, just to satisfy ongoing management of the audit unless you really need to. if the person that you report to really needs it. Sure. However it is far more beneficial to create those reporting artifacts and update those as you go and use those as status updates instead, because that means that you're not duplicating efforts. And you're just aiming towards that overall final delivery.
Conor:And this goes to one of our recent episodes. where we spoke about simplicity in how you conduct your audit and why that's important for everybody. Now, if we're spending time creating all these artifacts for our internal reporting processes that don't contribute to the final output. Then we're potentially creating extra work firstly, that doesn't need to be done, but we're actually creating a distraction also and getting away from the end goal to develop a report, not to develop a whole raft of internal documents that actually are never going to be external facing. Number four on our list of five issues today is around the mechanisms we use to actually collect audit evidence. Obviously the pandemic issues and the lack of auditors being able to attend the workplace or auditees offices and that sort of thing. That's caused us to create new ways in which we collect that evidence. And some of the observations we'd have around that certainly the past couple of years would be the establishment of things like SharePoint sites by audit offices and Other mechanisms like that whereby the client auditees, so generally government agencies, when they're putting together all their documents, they can actually lodge them straight on there through a secure process. And that's quite efficient for a couple of reasons. Firstly, it means that if there are significant amount of documents, then they can drip feed those documents in there, which allows you to progress your audit and review those documents as you go. it also means that you don't have to, for example, monitor emails or have lots of phone calls which can be really, really time-consuming when documents are coming through that process, you've basically got a one-stop shop and we've seen that working really well on some recent engagements.
Yusuf:Yeah. So the whole secure portal thing I think has been going for awhile, obviously we've seen maybe even complete demise now of physical evidence being collected. So that's been happening over the years and we've moved more towards electronic evidence. There's a few challenges with electronic evidence. The one is that if you're collecting that evidence via email it's not necessarily the most secure mechanism. And like you said, it isn't the most efficient either . both for the auditee and for the auditor. So for the auditee, they've got to then, try to reconcile what has been emailed and what hasn't been emailed and the auditor has to reconcile what hasn't been emailed and what has, so it's on both sides. So if you have a portal. You can upload documents to that is secure. It's quite easy then to see what has been sent, what versions of documents have been sent And what hasn't been sent. And you can reconcile things like dates, et cetera, quite easily in a list type format like that. The other thing is that while this is very relevant for performance audit, where we're getting data from outside of our organizations, typically, you know, so the audit office is getting data or information documents from organizations that are separate to the audit office, albeit within the same government bodies, even with internal audit where you are within the same organization It's even easier than to set up Teams sites or the like SharePoint sites or Google drive or whatever else. Again, avoiding emails back and forth or private chats that go on and making it such that the evidence is collected in one place and can easily be reconciled.
Conor:And audits are all about collaboration, both collaboration within the audit team, but also collaboration with the entities that are subject to the audit. And if you have that visibility among all the stakeholders about what's been provided and where it is, then that transparency just provides for a more seamless process.
Yusuf:Yup.
Conor:The fifth item is around data validation and how important it is to try and do that as early on, as possible during the conduct phase of your audit. So what are we talking about there? It's quite possible that during your planning, you received some data from the entities subject to the audit. You may even have looked at some open data, but once you get into conduct and planning has been signed off and the objective and everybody's clear about what you need to do it's really helpful to get on the front footand go back to the entity as soon as possible and talk through what you think you're seeing at that early stage in their data, because you will have collected it possibly for a different purpose. You'll be looking at it from a different angle. You may be joining it with other data for the objective of your audit. So it's helpful then to revisit that as early as possible, the entities, just to let them know what you're seeing and to get their input and perspective on things that, for example, you may be misinterpreting.
Yusuf:In an ideal world, we'll do this within the planning phase. We know that practically that doesn't happen very often. And we often end up within what is the conduct phase of our audits and we're still validating data. So in an ideal world, like we said, you'd validate all of that upfront during planning so that when you get to conduct you're really just doing the last piece of the analysis however, practically we do find that this happens very often during conduct. What you want to avoid here. So why are we doing this early? What we want to avoid is getting to the end And realizing that we've used the wrong data fields or we don't understand exactly what a data field means. And therefore all of the analysis that we've completed has been based on a misunderstanding of the data really. So the earlier on during conduct, we can go to the client and show them what we're seeing, to the extent that we can, the better it will help us to revise any work that we need to do. Cause there's always revision with data. having discussions with the client and showing them what we're seeing early on as examples will help them confirm what we're seeing or point us in a different direction . And then that becomes useful to do early on because when we get to reporting, there's no debate as to what we've seen. And the results are pretty much validated by then.
Conor:And sometimes it can be tempting when you grab a whole heap of data to try and internally analyze it to the Nth degree so that you feel as if you've got something rewarding or useful to go back to the client with. But just a note of caution there, that that can actually work against you because you may be, like you say, chewing up a lot of time and resources in doing that where you could have cut that off early. Had you just take an initial, look at what you have and go back to the client and talk to them about it.
Yusuf:And some of it could be as simple an answer as now, I'm going to give you a different set of data because what you're looking at isn't fit for purpose. We've seen that so many times and most clients will be helpful like that because they want us to get the right answer.
Conor:To summarize the discussion today, we're talking about conduct. Just some observations we've made over the years, firstly, looking at your working papers and when you set them up, have the end in mind, know what you're going to be reporting on and set yourself up for success as early as possible. Number two flows on from that, think about trying to draft your final report as you go now, obviously that'll change and shape shift a little bit and may move, but. if you do that in parallel, that can save you a lot of time in the long run. Number three, try and cut down any administrative overhead. Don't create lots of internal artifacts just for the sake of creating them. Number four. The increasing use of secure portals to obtain audit evidence as we go. And then number five the importance of data validation during conduct.
Yusuf:Good stuff. So next up, we'll talk about reporting. Last episode of the performance audit mini-series so stay tuned for that. Thanks Conor.
Conor:Thanks Yusuf.
Narrator:If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com The link is in the show notes.
.jpg)
.jpg)
