The End of Gotcha! Auditing
By Ali Hasnain, CIA, CISA, Team Leader, Production Audit
Who hasn’t been to a party where, when someone is introduced as an auditor, someone else asks “So what is the first word that comes to mind when you hear the word auditor?” There follows a low ripple of laughter and among the negative generalizations that are then applied to auditors is always, “gotcha!”
What is “gotcha” auditing?
The negative public perception of auditors stems largely from the root and origins of the professional practice of auditing – including the role of the auditor as enforcer of rules and regulations, the verifier that policies and procedures are being adhered to, and often, the whistle-blower on issues like fraud and other types of malpractice in the workplace.
The traditional approach to how auditing works has not helped. Typically you are approached by an auditor (often with little or no announcement or warning), who then asks some questions, solicits some supporting documentation, does some analysis, and presents a list of things you are doing wrong, along with instructions on how to fix them, when to fix them, and the consequences of not fixing them.
This image of “gotcha” is most obvious in two aspects: you didn’t invite the auditor, and the focus of the auditor is exclusively on finding problems (e.g., non-compliances, fraud, operational flaws, or financial errors) and ensuring that you fix them.
Collaboration: A new approach
As the professional practice of auditing has evolved, so have the approaches taken during the conduct of audit work. One such approach is the concept of the “collaborative” audit – participative in nature and unapologetic in its attempt to garner the buy-in, trust and dedication of the auditee by introducing an element of “partnership.”
“Great,” you might say, “but how can auditing be a partnership?” Well, the answer lies first in finding common ground between auditor and you. Often, that common ground is found in identifying problems or issues before they occur, rather than after the fact. All auditors and all auditees can agree that finding the root causes of a problem, and addressing it proactively, before the next instance, is the optimal path to achieving goals whatever they may be – financial, operational, or regulatory compliance. Under the collaborative approach, the auditor assures the auditee that the object of the audit is not to find flaws, nor to uncover mistakes, but to begin setting up a structure whereby problems are averted or prevented to the greatest possible extent.
Leading audit practice calls for such collaboration to occur in all phases of the audit, including planning, conduct of audit, follow-up discussions between auditor and auditee, and the reporting of results. The building of trust-based relationships between auditor and auditee is the desired result, because when trust and mutual respect develops between auditor and auditee, the flow of information improves, dramatically increasing the chances of an audit being successful in achieving its goals.
Applicability to EPAP
So what does this mean for EPAP? Several things:
First, we are going to assign to you a specific PAT member to take care of your file, not only to ensure that communications do not get lost or mixed up, but also to build the relationship of trust and understanding that is so important to collaborative auditing. The more your PAT member learns and understands about your operations, the easier it will be to deal with issues as they arise.
Second, you are going to receive, monthly, the same Compliance Assessment report that your PAT member is going to see, so that when he or she phones you, there will be no surprises. We are even going to allow some time after you receive it for you to get prepared for our phone call. Most importantly, our first phone call on any issue will be to inquire, not to tell.
Third, our concept of Action Items creates a collaborative, step-wise approach to solving specific problems so that we can work together to understand and resolve the issue. In a non-collaborative approach, the errors would simply be pointed out with an instruction to fix them, followed by a follow-up visit to ensure that everything was done as specified. In the collaborative approach, we hope to work with you to understand the root causes of the problem, and rather than “slapping a wrist” and enforcing fixes, we can identify and implement corrective controls that prevent the problem from recurring.
Fourth, and perhaps most important, a key component of EPAP is your declaration that you have controls and you are evaluating them to ensure that they are working. Unless your declaration is obviously incomplete, we are going to accept what you tell us; until there is data from other sources (i.e. in the Compliance Assessment process) that suggest otherwise, there will be no challenge, no second-guessing from us.
“Collaborative” defines the approach taken by the PAT; we want to achieve higher levels of assurance over compliance and higher levels of compliance. We understand this will not be achieved overnight and that continuous improvement is a process that takes time and understanding.
Phase I of Industry Consultation Provides Useful Input
When the Enhanced Production Audit Program (EPAP) was announced in October 2008, the ERCB committed to consulting with Industry on a wide range of topics related to the design and implementation of the proposed EPAP process. The plans for consultation called for two phases: the first to gather input on the concepts related to the new audit process, and the second to review the proposed new Directive and related documents and processes.
An EPAP Stakeholder Committee was formed and held seven meetings as part of Phase I consultation. Over 30 individuals representing 14 operators and seven other organizations were involved in the Committee. In addition, a subcommittee was formed specifically to discuss the proposed Compliance Assessment process. This subcommittee held five meetings during Phase I consultation.
Committee members provided valuable insight into the issues related to EPAP. A number of proposed aspects of the program were modified and enhancements were made as a result of Committee input. Consultation with operators also resulted in changes to terminology in order to increase clarity and improve understanding. The following are just a few examples of changes and enhancements resulting from consultation:
• The Project Team has moved away from the proposed three levels of data detail associated with Declaration process.
• Operators will be able to indicate their preferred Declaration month.
• The monitoring and escalation process will include a documentation component to ensure agreement and confirmation of action.
• The EPAP Operator’s Handbook will be significantly expanded to provide additional guidance on operator evaluation of controls, implementation and the use of operator judgment related to materiality.
• The list of candidate compliance assessment indicators has been enhanced as a result of subcommittee input. Some indicators will be deleted or modified, while other indicators suggested by the committee will be added.
