All companies experience some degree of turnover, but high turnover of control owners can impact the company’s ability to perform its SOX controls consistently. When recent hires are responsible for SOX controls, ownership of processes can become scattered. New control owners may change controls without letting others know, or skip over control procedures without realizing the importance of performing the control as designed.
In industries with high turnover, it is critical for control performers to communicate process changes — and internal audit can lead the charge in opening lines of communication and taking a collaborative approach to audits across the business. Control owners, internal auditors, and external auditors need to collaborate so controls are performed appropriately to mitigate risks and testing procedures do not go overboard. In my experience working in both External and Internal Audit functions, I have found four best practices (and two bad practices to avoid) are key for building a collaborative audit culture between audit teams and control performers.
How to Build a Collaborative Audit Culture
1. Maintain Open Communication
Maintaining open communication is essential in establishing a good relationship between control owners, internal auditors, and external auditors. Open communication allows audit teams to maintain relationships of trust and encourage proactive communication. When teams trust each other, the control owners are more likely to see internal audit as a business partner and give a heads up to the SOX team when changes happen.
2. Practice Adaptability
Auditors are often perfectionists — it’s the nature of the work we do. When we encounter an error, we often focus on immaterial findings when we know that we should look at the big picture to determine issue severity. When we are adaptable and reasonable with the control owners, we can work in a spirit of collaborative auditing to understand the details and scope of the issue we are assessing. If they know the internal audit function will approach issues with empathy and understanding, we will have more effective and productive collaboration.
3. Make Time to Listen and Share
When we build strong relationships, control owners will see internal audit as a resource — not an adversary or roadblock. One way to reinforce this view is to set up scheduled touchpoints to discuss significant changes to the control environment and the regulatory landscape. In a collaborative audit culture, the audit teams can proactively schedule a time to listen to control owners’ questions and make them aware of trends in the organization or the industry. Scheduling time goes for both internal auditors and external auditors. External auditors can share what they are seeing in PCAOB reviews and with other clients in their portfolios. Holding this type of collaborative audit strategy session continues to build trust and helps prevent significant disasters.
4. Onboard New Control Owners
New control owners almost always see SOX as an afterthought. We all know what it feels like to be inundated with information in a new job. Setting up meetings with new hires or transfers who will have control responsibilities establishes a collaborative audit culture from the beginning. If a key control owner passes ownership to someone else or leaves the company, interview that person to understand the transition and identify who will take over.
Two Worst Practices to Avoid in a Collaborative Audit Culture
The four tips above should help you create a collaborative audit culture built on open communication and trust, but two things can hurt the culture.
- Only being concerned with your team. The focus of our work should be on the control environment. Rushing the control owners to make updates or pushing them to turn over documentation for the sake of an audit deadline sends a selfish message.
- An unwillingness to change or make improvements. Control owners will sometimes bring up concerns with a testing procedure or the amount of requested documentation. Listen to their concerns to understand if there is a more effective way to approach the control or the testing process.
It takes two to collaborate — by doing your part to bring an open mind to every meeting, you’ll be advancing a collaborative audit culture one engagement at a time.
How Technology Can Support a Collaborative Audit Culture
I am a firm believer in supporting processes with technology. Instability in the control environment caused by turnover or with the world switching to a flexible/remote workplace can be minimized when you have a technology-enabled SOX process. In a modern SOX process, sending out quarterly certifications, updating narratives, filling documentation requests, and streamlining testing are all part of a solid SOX management solution. Putting in the time and effort to create a consistent SOX compliance program will go a long way toward enabling open communication and a collaborative audit culture.
John Concillo is a Customer Success Manager at AuditBoard, helping customers adopt the platform and make strategic decisions when it comes to product updates and design. He brings nine years of external and internal audit experience with a SOX compliance focus. He also has five years of experience as an AuditBoard system administrator. Connect with John on LinkedIn.