Discussing System Changes with Auditors — 7 Tips to Make It Easy

By:  Brian Henneuse, CPA | Principal Consultant | SandPoint Consulting

Communicating system changes with internal and external audit can be a difficult process.  Below are tips on how to improve your experience and avoid potential misunderstandings.

1. Document, document, document! In the eyes of an auditor, if you didn’t document a risk, you didn’t consider the risk or plan for a mitigating procedure. Clearly understand and document your objectives, potential risks and changes.  Determine if you’re making the change merely for cosmetic reasons or if you’re trying to eliminate a significant risk/impediment to your daily operations. Document throughout the entire process, including planning, execution, and completion/finalization.
2. Put on your other hat — try to think like an auditor. Throughout the planning and execution phases, approach your proposal from a detached point of view and objectively evaluate the risks of the change you’re making.
3. Develop a testing plan and stick to it. Test (and document) every possible outcome that could reasonably (and sometimes not so reasonably) occur.  Again, documentation is the key!
4. Don’t just hand off all of your hard work. Schedule a kick-off meeting to discuss what you did and how you documented it.  Determine and discuss how your evidence will be made available.
5. Schedule times to go through each major artifact. Managing the testing evaluation process is key as many audit teams frequently develop and perform testing plans independently.
6. Spend the extra time and effort to ensure the audit team understands all the procedures. Be sensitive, especially when working with a Big Four firm and less than senior individuals.  Misunderstandings with the audit team may not be your fault, but they will be your problem.
7. When a conflict arises, don’t sacrifice operational efficiencies for the sake of compromise.  It’s the job of auditors to ensure you’re doing things safely, however it’s your job to ensure the business is running as effectively and efficiently as possible.  If you reach an impasse, enlist the help of a third party to suggest other solutions and possible outcomes.  Don’t let someone bully you into a bad solution by using the “Internal Controls” or “SOX says so” arguments.