Auditing for Managers: The Ultimate Risk Management Tool / Edition 1

ISBN-10:
0470090987
ISBN-13:
9780470090985
Pub. Date:
03/04/2005
Publisher:
Wiley

Paperback

$95.75

Overview

At a time when many organizations are cutting their internal auditing departments, it's imperative that every manager understands the fundamentals of internal audits. This book is designed as a corporate resource to help managers and their teams set standards for self-auditing, risk management, compliance review, and formal disclosure reporting. Readers will learn proven, effective techniques for performing reliable and defensible audit reviews to ensure compliance with regulations and standards.

Product Details

ISBN-13: 9780470090985
Publisher: Wiley
Publication date: 03/04/2005
Pages: 360
Product dimensions: 6.73(w) x 9.74(h) x 0.83(d)

About the Author

K.H. Spencer Pickett is a Course Director at CPMS, in Ascot, Berkshire, where he is responsible for training programmes on internal audit, corporate governance and risk management. Spencer is a member of the Chartered Association of Certified Accountants, Institute of Internal Auditors, Certified Fraud Examiners and Chartered Institute of Personnel and Development.

Jennifer M. Pickett is currently a senior Project Manager in a large organization, having previously been the Business Planning and Assurance Manager responsible for coordinating the corporate risk register.

Read an Excerpt

Auditing for Managers


By K.H. Spencer Pickett

John Wiley & Sons

ISBN: 0-470-09098-7


Chapter One

Why auditing?

Things must be as they may.
William Shakespeare, Henry V, Act II, Scene 1

A4M Statement A Auditing is an important aspect of managing an organization and all employees should have a good understanding of the audit concept and how it can help organizations become and remain successful. Our approach to initial auditing is based on 11 statements and 88 values and is known as Auditing for Managers (or for short, A4M.99).

Introduction

A4M 1.1 Auditing should be considered by all managers as a powerful tool for reviewing the adequacy of their governance, risk management and internal control arrangements.

Figure 1.1 shows how the book is put together.

Chapter 1 deals with the audit concept, which has to be set within the wider context of an organization's governance arrangements, covered in Chapter 2. Risk drives everything that goes on in an organization and Chapter 3 describes the concepts that underpin risk. We then describe the different approaches to audit work, including the contrasting focus on the past, present and future in Chapter 4. Chapter 5 focuses on management initial audits, which are straightforward reviews commissioned by the manager, while team initial audits in Chapter 6 involve work teams in assessing their own risks and controls. The final audit tool is addressed in Chapter 7, which relates to management initial investigations that may need to be carried out from time to time in response to specific concerns. Chapter 8 goes on to suggest that a manager's audit effort is about promoting successful risk management. In this sense much is about creating a new, risk-smart culture at work, which is the subject of Chapter 9, while Chapter 10 discusses how assurances may be provided to the board through formal reports. The final chapter of the book, Chapter 11, seeks to consolidate the audit concept and attempts to answer the question: 'Why auditing?'

Chapter 1 describes the basic audit concept and the different specialist audit aspects therein.

Audit skills

Most people working for an organization have little or no interest in auditing. The concept of auditing is seen as something relating to verifying the accounts or checking on workers and making sure that assets exist and are protected by contingency plans. So auditing may be associated with periodic reviews made by external checkers - something to be suffered in silence. One thing for sure is that auditing is regarded as nothing at all to do with managing. It is something that is 'done' to managers. Meanwhile, the members of the in-house audit team spend most of their time explaining their role and trying to convince everyone they meet that their work is important.

On the other side of the coin, the various government and industry regulators have for many years been dispatching an assortment of codes and guidance throughout the private sector, central and local government, the health sector and other not-for-profit organizations. The regulators' jargon tends to be written by accountants and typically consists of a mixture of advice and firm requirements regarding various topics such as risk, risk management, internal control, compliance arrangements, audit committees, nonexecutive directors, auditing provisions, financial reporting and other somewhat uninspiring issues. Not many business managers bother to delve into the mysterious world of audit, risk reporting and control, preferring to get on with their job and leave this sort of thing to the accountants and auditors.

In fact there is an abundance of key guidance that has not really been sold to nonspecialist employees. For example, the following documents provide a wealth of information on the governance, risk and control debate:

Combined Code for companies listed on the London Stock Exchange;

COSO Enterprise Risk Management;

Sarbanes-Oxley reporting requirements;

Institute of Internal Auditors professional standards;

Institute of Risk Managers Risk Management Standard;

Australian/New Zealand Risk Management Standard;

British Government's Audit Committee Handbook (HM Treasury);

Institute of Business Ethics guidance;

Certified Fraud Examiners guidance.

The audit dilemma

The dilemma is simple: managers and employees generally need to be aware of the governance, risk and control agenda, but they tend to be far too busy to get involved in researching this debate. Moreover, most people would rather be doing the right things themselves than have teams of auditors checking up on them at regular intervals. This book aims to introduce the business manager to the debate and suggests an empowered approach to self-auditing, using a simple, toolbox-based style. The empowered approach is called 'auditing for managers' and is based on 11 statements and 88 key values that are set out throughout the main sections of the book. We have given the model a shortened name of 'A4M.99' (initial auditing). The hope is that these values will help managers and their staff get to grips with managing risk, self-audit, business assurances and controls. We have also developed an abundance of diagrams to help the reader through this simplified version of what might otherwise be a complex topic. In fact, we have provided diagrams and checklists rather than straight text wherever this has been possible.

A new way of thinking

Auditing for Managers is based on a new way of looking at business and accountability. This new thinking is found in many of the recent developments in commerce, public life and everyday events. An attempt has been made to capture some of this new thinking in the section of each chapter (called Newsflash - read all about it). Each chapter closes with a short narrative that tries to capture the main points from the book in an illustrative story or quote. Moreover, most sections end with a short statement of the key point at issue. The hope is to make a 'turn-off' topic so attractive that people actually want to get involved in auditing their systems as a good idea rather than a basic corporate requirement. It is an attempt to make the auditor's toolbox readily available to everyone who works for or is associated with an organization, regardless of the size or sector involved. As society changes to reflect both increased flexibility and regulation, the tendency is for organizations to lurch between apathy and paranoia. This represents both the challenges and the fun in working for or with different types of organizations.

The auditors

To get to grips with the A4M.99 initial audit process, we need to understand the formal audit process that exists in most larger organizations. Incorporated bodies, public-sector and not-for-profit organizations are required to have an appointed external auditor. Meanwhile, many larger organizations also have a team of internal auditors in place, either staffed by the organization or provided by an external firm. There is also a tendency for more complex organizations to employ other review teams that go by an assortment of different names, such as compliance teams, inspection teams, quality teams and so on. As well as outlining the audit concept, this chapter provides a brief account of the work of these different types of audit teams. The business manager needs to appreciate how the wider audit process fits together in order to benefit from employing audit tools in their own work.

In short

Unfortunately, many important messages on governance, risk management and internal control are often dressed up in coded jargon that means very little to busy managers and their front-line staff.

Why auditing?

A4M 1.2 Each employee should understand their role and responsibilities in respect of the initial audit process. These roles will vary depending on the employee's position and duties within the organization.

Auditing is a formal process for examining key issues with a view to establishing accountabilities and securing an improved position. The pressures on all types of organizations mean that there has never been a greater need for effective auditing. The requirement to perform, behave well and account properly for corporate resources has meant that things cannot simply be left to chance.

Before we examine the concepts further, we need to consider the concept of auditing. A search of synonyms reveals various suggestions for the term audit, such as:

inquiry, inquest, exploration, examination, inquisition, inspection, research, scrutiny, study, analysis, probe, account for, review, survey, report on, check out

The busy manager

None of these may appear attractive to a busy manager who has deadlines, various urgent problems and pressures to deliver the goods. Auditing is about taking a little time out to check things out before making a decision and pushing forward. It encourages a viewpoint and decisions that would be supported by what most stakeholders would consider to be adequate deliberation, based on reasonable information. A viewpoint or decision that does not meet this standard may leave the manager exposed. The secondary aspect of auditing is that it means a viewpoint or decision can be explained if necessary. This is important since all organizations are in a constant struggle to realign themselves in response to threats and challenges that alter almost on a daily basis.

A model of accountability

We need to use a few models to illustrate this idea of threats and challenges that mean managers cannot simply do their job in the same way they have done for years. That is to follow routine, put in the effort and hope for the best. The corporate climate has changed in such a way that this simple approach is not always enough. A formal audit process has been built into most businesses and Figure 1.2 demonstrates this change.

We can describe the four main aspects of Figure 1.2 in the following way:

1. Board. The board reports back to the stakeholders in line with the formal arrangements that are in place to ensure this happens. For private-sector companies this really means they report to the shareholders and the marketplace. For public-sector bodies, the accountabilities are to the public through ministers, local councillors, trustees, parliamentary committees or whatever format is in use.

2. Management. The manager runs the various front-line teams and back-office support people, and should have regard to ensuring good business performance and also compliance with laws, regulations and corporate policies.

3. Formal audit reviews. The audit review process tells the board and stakeholders whether what they are being told is happening is actually happening.

4. Initial audit review. The bottom box is most interesting. Here we are suggesting that there is a secondary level of audit; that is, the managers and work teams should carry out their own initial review and report on threats and challenges that have an impact on their ability to perform and conform. In this way the information received by the board (or management team) comes straight from the horse's mouth. The idea is that the formal audit process may well change its focus away from checking the performance reports and level of compliance, and more towards the way that management itself reviews these matters.

Summing up the book

Figure 1.2 entirely sums up this book. For readers who need a short-cut to auditing for managers, then this figure is all that they need to make progress. The problem for those who now wish to put down the book is that you will have not yet covered how to carry out these initial audits. Accordingly, you are invited to read on.

Different levels of management

Directors tend to have a good appreciation of the audit process and more senior managers know that corporate accountability is an important aspect of running a business. The problem is that this message has not always got down to grassroots level. Figure 1.3 illustrates the dilemma.

The review and accountability chain runs from the middle of the organization to report back to stakeholders, while it is the front-line people who tend to interact with those people who have the most impact on corporate success and failure; that is, the customers. Where threats and challenges are not being reviewed by front-line employees, there is much that can go wrong.

Reputation and performance

We need to explore further this idea of auditing and why it is so important. It is not just about working in a changing environment, where managers have to centralize and decentralize systematically to show that they are doing something drastic at least once a year. Figure 1.4 shows a more involved dynamic where the review and change process is aligned to the position of the organization.

Corporate processes form the centre point of Figure 1.4. The processes need to respond to external and internal risks to result in either a poor or well-respected reputation in the marketplace. This in turn is aligned to the corporate results, where there is either weak or strong performance over the year. The way the organization responds to risks is important. A weak performance and poor standing in the marketplace call for a focus on change strategies to close this gap. Risks are seen as forces that are stopping the organization scoring more goals than it is conceding. The question is:

How can we change this unacceptable result?

The converse, where both performance and reputation are strong, encourages a focus on stability to maintain the hard-earned position. In this case, risk is seen more as what could spoil the game and we would ask:

How can we continue to be on the winning team?

Both questions are about the way corporate and business processes are responding to external and internal risks. The first organization with poor results is not in full control, while the good performer has been able to address these risks much more effectively. The audit process can help focus minds on reviewing risk and determining whether or not processes are up to the job.

A credibility gap

The auditors have an important job to do, as do line management and work teams. The auditors are well versed in assessing risk and controls, but tend to come from outside the core business. Conversely, the staff know the business but may not be skilled in assessing their risks and ensuring that controls are sound. Figure 1.5 shows the positioning of auditors and managers in this respect.

On both fronts, there is a credibility gap. The managers have total credibility in terms of understanding their business and the context and constraints that they work under. Meanwhile, the auditors pride themselves on their independence in examining aspects of a business and reporting without fear or favour. The gap lies in the fact that managers cannot be independent from their own work, while auditors cannot have an intimate understanding of the business under review. Hence, the standard solution is that auditors audit, while managers manage.

Self-assuring controls

Another way of considering the situation is to ask what is needed to ensure that a business is able to self-assess its processes and people. Figure 1.6 seeks to address this question.

What we need is a self-audit process to be based on a clear understanding of the business in question. This is pretty much accepted, as managers and front-line people know what it is all about. Those that rely on reliable information about the business, that is the stakeholders, need to believe that the self-audit process is worthwhile and makes sense. The final aspect is that managers need to have the right tools to do the assessment. Stakeholder credibility may be derived from using our A4M.99 approach based on 11 key statements (A-K) and 88 key values. The tools and techniques are also found in the book. In this way, the focus may change to giving people a chance to check their own systems before the auditors come in. A4M.99 may also be referred to as initial auditing, to contrast it with internal auditing and external auditing.

In short

Whenever we need to know what's happening, it's normally best to ask those who are responsible - before asking outsiders.

(Continues...)



Excerpted from Auditing for Managers by K.H. Spencer Pickett Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

Abbreviations.

1. Why auditing?

Introduction.

Why auditing?

External auditing.

Internal auditing.

Compliance auditing.

Fundamental components.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

2. The wider governance context.

Introduction.

The accountability dilemma.

Corporate governance.

The ethical platform.

The risk management concept: roles and responsibilities.

Internal controls.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

3. Basic risk concepts.

Introduction.

The risk model.

Risk identification.

Risk assessment.

Risk mitigation.

Risk appetites.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

4. Different audit approaches.

Introduction.

Different strokes.

The past.

The present.

The future.

Making choices.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

5. The manager’s initial audit.

Introduction.

Leading with risk.

Overall strategy.

Planning.

Field work.

Reports and the risk register.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

6. The team’s initial audit.

Introduction.

The team initial audit concept.

Establishing the programme.

Running workshops.

A short example.

Getting the best out of people.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

7. The manager’s initial investigation.

Introduction.

What is at stake.

Reputation management.

Types of investigations.

Finding out.

Making sense and making good.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

8. Successful risk management.

Introduction.

Building on the risk concepts.

The risk policy.

Links to control.

Driving and leading.

Tuning into enterprise risk management.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

9. Achieving the cultural shift.

Introduction.

Starting from zero.

Why culture changes.

Change and the systems perspectives.

Creative work teams.

The ultimate in risk management: auditing for all.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

10. Reporting results.

Introduction.

Public disclosures.

Professionalism and credibility.

Evidential base.

Using the risk register.

Good reporting.

Common mistakes.

Check your progress.

Newsflash – read all about it.

The key messages.

11. So, why auditing?

Introduction.

Why auditing?

External auditing.

Internal auditing.

Compliance auditing.

Fundamental components.

Common mistakes.

Check your perceptions.

Newsflash – read all about it.

The key messages.

A final word.

Appendix A: Manager’s initial audits standards and guidance.

Appendix B: Team initial audits standards and guidance.

Appendix C: Manager’s initial investigations standards and guidance.

Appendix D: Checking your progress – your score.

Appendix E: Staff surveys.

Index.
