Steps to Simplify Complex Audit Requests

If you’re on the other side of the table during an audit this is for you. Over the last two years, I have witnessed one pattern that keeps showing up. The most common audit exceptions don’t come from bad intentions or lack of controls. They come from manual processes. Pulling a report. Running a script. Uploading a file. Capturing a screenshot. Anything involving a human step has a chance for human error. And that’s okay. But here’s the thing. As auditors, our job is to test the design and effectiveness of your controls. If something’s unclear or incomplete, we ask questions. (And then more questions. And then a few more.) Not to annoy you. But because we need to validate the risk is truly addressed. So if you’re a control owner, or someone supporting audit requests, I want to offer you 3 golden rules to reduce audit fatigue: 1. Document Your Process (In Your Own Words) Don’t just tell us what the control says. Tell us what you actually do. From start to finish whether it’s a user review or a system change note the steps you follow. The clearer your explanation, the fewer the follow-ups. 2. Ensure Evidence is Complete and Accurate If you’re running a report, screenshot the parameters. If you’re using a script, include the script and the environment. Add date stamps, URLs, timestamps whatever proves completeness. Your screenshots should speak for themselves, even without an explanation. 3. Know Your Control (And Say It With Confidence) If you’re leading a walkthrough, take time beforehand to understand the flow. Auditors rely on what you say to tie things together. If the actual process differs from what the control says, please say it. WE ARE HERE TO UNDERSTAND, NOT TO CATCH MISTAKES. I know the pressure of explaining something you’ve done a hundred times, while still getting asked: “But can you clarify this one step again?” But when your process is clear, your evidence is clean, and your walkthrough is confident, Audits go smoother. Questions go down. Exceptions go away. Let’s make audits less painful together. Tag someone on the control owner side who needs to see this.

Preparing PBC Requests: Key Considerations In IT audits, PBC (Provided By Client) requests are critical for evidence gathering. Well-crafted requests ensure clarity, reduce back-and-forth communication, and facilitate smooth execution of testing. Why Precise PBC Requests Matter 1. Minimizes Miscommunication: Clear and specific requests reduce confusion for control owners. 2. Ensures Timely Execution: Precise requirements save time by reducing delays in providing or clarifying evidence. 3. Supports Audit Quality: Well-defined evidence enhances the quality and reliability of audit conclusions. Key Considerations for Preparing PBC Requests 1. Know Your Audience Understand the control owner's role and expertise. Avoid jargon and tailor the language to their familiarity with ITGC, ITAC, or ITDM concepts. 2. Be Specific and Detailed Clearly state the required evidence. Avoid vague terms like “provide logs”; specify type, period, and format (e.g., “Access logs for Q1 2024 in CSV”). Include key details like scope, systems, and delivery method (e.g., Excel, screenshots). 3. Structure the Request Organize the request into sections: Control Objective: Purpose of the evidence (e.g., validating access reviews). Evidence Description: Details of required evidence (e.g., “A list of users and roles”). Submission Guidelines: Deadlines, contacts, and delivery methods. 4. Use Simple Language Avoid technical terms. Use straightforward phrasing (e.g., “Please share user access logs to verify compliance”). 5. Provide Examples Share templates or screenshots to clarify expectations. Example: A table for access reviews with columns like "User ID," "Role," "Reviewer," and "Review Date." 6. Ensure Consistency Use a standard format for all PBC requests. Include a reference ID for tracking. 7. Highlight Importance and Confidentiality Explain the evidence's significance and ensure it will be handled securely. 8. Test the Request Review the request for clarity and completeness. If possible, test it with a sample audience for feedback. Common Pitfalls to Avoid: 1.Ambiguity: Vague requests lead to confusion and incomplete responses. 2.Excessive Jargon: Overly technical terms can alienate control owners. 3.Overloading: Large, unprioritized lists delay responses. Group requests logically. 4.Lack of Context: Not explaining the purpose may cause resistance or errors. Checklist for PBC Requests: Is the purpose of the request clear? Have you specified the type, scope, and format of evidence? Is the language simple and free of jargon? Are there clear submission deadlines and contact points for questions? Have you provided examples or templates? Is the request concise but comprehensive? Crafting effective PBC requests is as much about clarity as it is about precision. By considering the control owner’s perspective and simplifying communication, auditors can streamline evidence gathering, ensuring timely and successful execution of ITGC, ITAC, or ITDM audits.

How can internal audit be more efficient with their time? We can find ways to reduce non-value-added time spent during an #audit project. Here are a few ideas to get you started. 1. Reduce the amount of testing needed to come to a conclusion. Can you test less and still provide reasonable assurance the process / control is working as is? 2. Be more strategic with audit meetings. Can your 30 min meeting be cut to 15 min or replaced with a memo? Do you need all attendees? Can you batch audit questions and ask them daily or every other day? 3. Prepare the audit report during the audit planning and fieldwork, not at the end of fieldwork. Audit scope, objectives, and a draft of the executive summary can be completed and memorialized in the audit report by the end of audit planning. Build consensus on audit’s recommendations and management action plans for observations noted during fieldwork. By the fieldwork close meeting, aim to have 80 - 90% of your report finished. 4. Document fieldwork in your audit management solution, not in a standalone Excel or Word document. When the audit team shares files via email or a shared repository, version control issues can arise, and time is wasted sending requests via email without automated notifications and reminders. Additionally, uploading fieldwork into an audit management solution after completing the audit adds an unnecessary step to your audit project. 5. Internal Audit reviews of fieldwork need to be more frequent and timely. Internal Audit Seniors and Managers should review audit scope, individual testing procedures, and identified observations more frequently, daily if possible. More timely reviews will help overcome hurdles sooner and start communication with management regarding identified observations earlier. 6. Eliminate manual reporting efforts. Purpose-built audit software offers real-time dashboarding and reporting as work is completed. If you're manually collecting feedback on document requests, test steps, hours spent, and project completion, and writing out your audit report manually, purpose-built audit management solutions can save you significant time. 7. Leverage Generative AI. Use Generative AI as a starting point to create risk and issue statements, control descriptions, test procedures, and audit summaries. With an AI-powered audit management solution, machine learning can link your data (frameworks, risks, controls, past issues) and provide intelligent recommendations, saving your team time from researching this manually. What’s missing from this list? If you have a best practice or an internal audit time reducing super-power, share it here. AuditBoard #InternalAudit #EnablingPositiveChange