by Duke Okes.
Audits are intended to gather audit evidence that allows an organization to know how well it has implemented policies and procedures designed to meet external requirements and internal expectations. Audits can then only be of value if the audit evidence acquired is accurate. But is it?
Unfortunately, there are times when what is presented to auditors may involve concealment, manipulation, and/or fraud. Policies and procedures may intentionally not be followed, and process outcomes may be different than what was required. However, auditees occasionally deliberately conceal these problems during interviews and present falsified research.
Following are some signals auditors can watch for that may indicate that the real facts are not being presented:
- Access appears limited to certain people, locations, products, or records. For example, managers/supervisors insist on answering auditors’ questions, rather than allowing those who actually perform the activities to do so. Even if access to operations is allowed, specific individuals or groups may appear to always be unavailable.
- Answers may not address the specific questions asked, and/or answers sound programmed. The individual may hesitate at important junctures, illogically shift between past/present/future tense, and involve generalities (e.g., “usually”) rather than specifics.
- Body language may show a defensive or aggressive posture, and/or the respondent’s eyes may shift. Crime investigators watch for whether an individual’s eyes move to his or her left or right to get an indication of whether he or she is recalling answers from memory or making them up.
- Handwritten records may appear to have been improperly done by the same person at the same time, or the wrong person, based on writing patterns, ink, or alignment. Digital trails for electronic records indicate improper use of passwords.
- Variances are acknowledged but explained away as “management said to do it,” but there is no documented evidence of a management override. Or, overrides are documented but are far too frequent to indicate proper and consistent use of policies and/or procedures.
What can an auditor do if such situations arise? If it’s the first time, perhaps simply increasing the depth of the audit (e.g., sample size, time frame, triangulation) and going downstream to evaluate outcomes (e.g., looking at customer feedback) to gain a more systemic view of performance.
If it’s a repetitive problem, future audit plans should address it by including specific day, time, products, or people to be audited, securing interview agreements before and during the opening meeting, and perhaps delaying portions of the audit (and documenting the reason for the delay) until the correct access is provided.
At some point it may be necessary to conduct a surprise audit and/or openly confront key members of the organization with one’s concerns. Before doing so consider whether there are others within the organization with which you might ally, such as compliance specialists and risk management personnel.
About the author
Duke Okes is a knowledge architect who provides guidance for management system design, assessment of those systems through metrics and audits, and the use of root cause analysis to address performance issues. He’s an ASQ fellow and author of Root Cause Analysis: The Core of Problem Solving and Corrective Action (ASQ Quality Press, 2009). He can be reached at www.aplomet.com.
TAG: audit evidence