Iyfjky

Question

IÃ¢Â€Â™m an auditor reporting to headquarters auditing their subsidiaries. Management of the subsidiaries is super duper fragile mentally and negative thinking. Anything sent out will be considered as finger pointing saying that they are not doing well (although in fact they are so terrible and badly performing with so many findings, I also cannot comment much on that) or instructing them as doing something.

Recently, I sent out an email to the management of the subsidiaries for review as Ã¢Â€ÂœDear XXX, kindly help to review enclosed monthly reportÃ¢Â€Â, which also made them feel confronted!!! I have really come to the dead end of my mind about how to be polite in email writing.

Is there any other better way that can help me to write a request for document review email, such that the reader will not feel confronted / instructed / uncomfortable?

It sounds like they are overly sensitive because they know their performance is not as good as it could be. Just be objective, outline your findings plainly and matter-of-factly. If they take exception to that, then there is very little you can (or even should) do about it. — Jun 11 '15 at 4:47
make them feel confronted You are not them, how do you know their feelings? Did they say something already? Sounds like something is missing from your question. — Jun 11 '15 at 5:25
Can you ask someone is not affected by the notice to review it? E.g. a neutral party to avoid possible confrontation — Jun 11 '15 at 7:44
How is it decided when and what is reviewed? If this is a regular process and documents are selected somewhat randomly, then just stating that may help. If they are specifically being audited for a reason, then they are being confronted. — Jun 15 '15 at 16:22
I have rolled back the last edit. It added part of Anthony's answer as an "if this applies to you" and made the question grammar/logic look strange. — Feb 7 at 14:37

score 6 · Answer 1 · 2015-06-15 17:47:43Z

I worked for an audit agency of the US Federal Government for 5 years. I was not an auditor although I occasionally participated in audits as a technical specialist. I also was reponsible to reviewing all audit reports.

You are an auditor. It is your job to point out what is being done incorrectly. People don't like that, so this kind of conflict is inherent in the your job. There will always be defensive organizational groups. You cannot soften the blow or you will stop being an effective auditor.

The first thing you need to do is to get a thick skin. You have to let any criticism of yourself and your report be interpreted by you as professional and not personal. You need to be prepared to defend your findings but not be concerned if the people who you send them to are unhappy. If they are doing their jobs incorrectly or illegally, it is your job to point that out. Of course they are going to be unhappy.

The next concern is to not let criticism make you decide not to present all the findings as strongly as you need to present them. It is NOT your job as an auditor to make people happy; it is your job to point out what they are doing incorrectly. You are an outside force for a reason, you need to stand outside the corporate politics of this. You will win some and you will lost some (yes even when you are right.) but what you can't do is stifle your voice because people might object.

You also need to present your findings dispassionately. Take great care to present only things backed up by facts (you should be tying everything in your report to a specific source anyway) and are not just your opinions. For instance, don't say these people are disorganized and stupid. Say they failed to do this task required by this law. They failed to perform this internal control required by this corporate policy. All costs that had receipts did not appear in the accounting system as required by the GAAP, etc. That is what I mean about the difference between facts and opinion. Let their management draw their own opinion about the relative competence of people.

And yes you need to allow them to comment on your findings. Again, simply send them to the people involved with a due date for scomments to be received. The email or letter should just be a simple. Here is the report. Please provide comments by 1 Jul 2015.

You need no discussion in what is being sent. The report should contain the facts you need to make your case.

I also wanted to add that they are likely behaving the way they are as a tactic to make you back down. Your report threatens their jobs. So they are trying to discredit you or make you feel uncomfotable enough to drop the findings. YOu need to pay hardball with people like this. Don't back down on anything that is valid. However, in the cocurse of the review, they may have valid points to refute what you say as the auditor frequently may not have seen all the information. Make sure to be scrupulous about evaluating their aruments on the merit of the argument and not how you feel about the people making the argument.

If you can make changes based on some of their counterpoints, then to the senior managers, who are the real audience for the report, you will appear to be the reasonable person. Don't fail to provide as much information as possible to refute any changes they request that you cannot find valid. However, including the objection with your refutaion again shows you in the better light than just ignoring it.

Remember every time you do an audit, the potential to cost people their jobs or send them to jail exists. You have to be ok with those results to do your job effectively. If they are committing fraud, they deserve to go to jail; it is not your fault for pointing out crimes they committed. If they are managing their organization so badly that the senior managers in the organization decide to relieve them of their duties; that too is not your fault. Your job is to point out problems; it is also to point out potential solutions. It is not to implement solutions. If someone is costing the company due to their poor management, it is not your fault that he or she loses his job. Be aware though that the more they have to fear from your report, the stronger they are going to be in fighting it. Talk to your boss about strategies for dealing with objections.

Make sure that what you did is not something that can be attacked on a factual basis (i.e., check your math for instance. I once found a 12 cent rounding error in an audit report that found $400,000 of cost savings. The activity we audited would have used that rounding error to discredit the whole thing. So check every fact and figure in your report meticulously (and do any calculations by hand as well as in Excel formulas). Check that values in the appendices match the values in the text, etc. Make sure you have backup documentation for every single number in the report.

I don;t know if people still do this, but we had to cross reference every single fact in an audit report to an audit workpaper. We always created on annotated copy of the report just for this and our quality control checked those cross references to make sure they were correct (and our peoples who did that QA check sometimes made the auditors rephrase because the work paper did not support what they posited as fact). When you do your work meticulously, it is far easier to fight objections to your findings. the first review should not be the organization it is intended for but a QA check. — Jan 4 at 21:37

score 3 · Answer 2 · 2018-02-07 11:52:08Z

Excuse the late answer. @ Gabrielle, as a fellow auditor, the situation you described is something I am very familiar with. I often encounter resistance / stonewalling from management, unwilling to acknowledge bad news. What I have found helps:

Focus on the finding rather than on the person(s) "at fault"

Do not be accusatory and try to avoid the use of the word you as well as words such as failed. These make objective findings (assuming valid ones backed by testing work papers) sound personal. People often react strongly and defensively to what they perceive to be personal failures. It has been my experience that deficiencies are often not the result of what one person did or failed to do, but of faulty process design, lack of resources, technological limitations, or ignorance.

Explain the risk and impact of un-remediated findings

A simple failure might be a minor issue in relation to the business environment of the client if the extra risk incurred by the client due to that failure is minimum, either due to low likelihood of occurrence and / or impact if such risk is realized. I am an IT auditor, so to give an example:

A terminated employee did not have read-only, Active Directory linked access to an application removed. However the AD account was disabled timely.

While the above might be a deviation to company IT security policy, its your job to evaluate what the the impact of such a deviation is on the company and adjust your reporting accordingly. I don't know the nature of the audit you have done, but if it IT focused, please see this link for consideration of materiality in reporting. In this case, true the underlying application access should be removed, but a compensating control effectively mitigated the risk - unauthorized access to / theft / tampering of data. Hence rather than reporting the deviation as a finding, consider reporting the deviation as an observation instead.

Explain how remediation of deficiencies helps the company

Tell management of the benefits remediating weaknesses / vulnerabilities will have on the company. Examples from several perspectives:

Customer - improved customer confidence leading to increased revenue

Operational - More efficient processes leading to cost savings

Technical - Increased IT security from internal / external threat agents

In this manner, it does not seem the effect of remediation is merely personal satisfaction and / or arbitrary, but that your actively involved in helping to better the company by reducing risk exposure. Most management is reasonable and rational, and they should understand, in a sense you and them have a common interest.

I am not sure what country you are in or whether this obligation applies, but if you are in the United States and are a CPA in public practice, you have a duty under professional audit guidelines of the AICPA to report to the board or "those charged with governance" certain matters encountered in the audit. One such issue you should communicate is that you encountered significant difficulty in performing the audit (paragraph .34)

sleske 9,79633655 · Answer 3 · 2015-06-11 10:29:40Z

This is a difficult (though unfortunately not uncommon) situation, and there is probably no simple solution.

The fundamental problem, if I understand correctly, is that the people you are reviewing feel that you are working against them. As long as that is the case, there is probably little you can do to make them cooperate, as it is against their own best interests.

What you could do:

First, figure out whether there is really so much distrust on the other side. Maybe this is all just a misunderstanding, or your email got lost, or whatever.

If there really is mistrust, find out whether you can dispel it. For example, you could tell them: "I am here to audit, but not to make you look bad. If I find problems, I will discuss them with you and give you an opportunity to comment. While I cannot promise I will always agree with you, I will note your comments in the final report." Of course, do not promise anything you cannot deliver. This may or may not work, but is worth a try.

Finally, if everything fails, you will have to continue without their cooperation. Point out to them (in writing) that you need a review by a certain date, and that you will have to notify your own superiors if none is forthcoming.

In the worst case, you will have to follow through and report that the management of the subsidiaries is not cooperative. Note that this is sort of the nuclear option, because afterwards cooperation will be very difficult, but if you need to finish your audit, it may be the only option.

Good luck - and remember Hanlon's razor:

Never attribute to malice that which is adequately explained by
stupidity.

... or in this case, by carelessness or misunderstanding.

score 6 · Answer 4 · 2015-06-15 17:47:43Z