Fieldwork Within and Outside the Organization
By Dr. Hernan Murdock, VP – Content and Programming at ACI Learning
Fieldwork is the Second of Three Phases of Internal Audits.
During this phase the focus is primarily on testing transactions by selecting a sample and examining those items to verify conditions and practices. With this knowledge, auditors get insights into the dynamics within the population and, if the sampling is statistical, they can extrapolate the results within certain levels of confidence. Choosing which sampling methodology to use is often determined by the amount of resources available.
Another approach is to test all relevant transactions through Data Analytics.
By testing the entire population, auditors get a comprehensive view of dynamics within organizational programs and processes, and can better determine what is and is not happening. Testing a larger data set provides greater certainty about prevailing dynamics and we can avoid having to extrapolate from the sample to the population. This has become more prevalent as organizations have digitized their transactions and documents, and query software has improved in terms of its sophistication, ease-of-use, and its power. With this, auditors can provide higher levels of assurance; still only reasonable assurance, but higher.
The work performed during fieldwork can be viewed as an experiment where the internal auditor is attempting to answer three very important questions:
- Is the unit, program, or process making satisfactory progress towards the achievement of its objectives?
- Are the controls present and functioning?
- Are key risks occurring to the detriment of stakeholders?
Discussing Findings with Audit Clients
It is very important that internal auditors discuss findings with audit clients during fieldwork to verify the accuracy of the auditors’ results and obtain management’s agreement. By bringing findings and concerns to the client’s attention, internal auditors can get timely feedback, discuss the methodology used, and help management begin the process of preparing corrective actions. This way auditors can also address any misunderstandings about data, documents, risks, and controls.
By getting agreement during Fieldwork, the Exit Meeting and the Draft Report should receive greater acceptance, rather than the audit team getting bogged down in debates and discussions at that point.
The fieldwork phase is also characterized by status updates to the client. The type and frequency of these status updates vary based on the needs of the client, but in general, internal auditors should err on the side of more communication. This means in most cases at least a weekly meeting to inform the client how the audit is progressing. Due to time constraints, some audit clients may not want, or be able, to participate in regular status meetings. In those cases, a status update report or e-mail is recommended.
Typical topics in a Status Update Meeting include:
- Activities Performed: What the auditors reviewed and the results
- Activities in Progress: What is ongoing
- Activities Planned: What procedures are planned in the near future and any support needed to avoid delays
- Findings: Discuss new observations to confirm agreement with management
Auditing Outsourced Activities
Most of the discussion regarding fieldwork focuses on the work of auditors within their organizations. However, outsourcing to others has become commonplace and while it gives organizations the opportunity to lower costs and gain efficiencies by focusing on their core competencies, it also introduces risks that should be examined.
Outsourced activities include IT services, transaction processing, customer service, help desk services, accounting and financial activities, and human resources activities like health care benefits administration, payroll administration, and retirement benefits administration. Auditing these relationships can be a complex endeavor but getting access is facilitated by a right-to-audit clause in contracts and obtaining a Service Organization Control (SOC) report under Statement on Standards for Attestation Engagements (SSAE) 18 or similar under International Standard on Assurance Engagements (ISAE) 3402.
These reports are designed to provide information about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports are helpful to gain an understanding of the oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight. Providing reasonable assurance often requires insights into the organization’s risk management framework, a description of controls and an audit opinion by an independent auditor. Whether it is necessary to visit these providers’ physical locations is an important consideration too.
Internal auditors should remind management, if management doesn’t already know this, that the organization can outsource the process, but the contracting organization retains the risks. In many cases, outsourcing activities are invisible to the hiring company’s customers, but even when the outsourcing is known to customers, if problems occur they will put the responsibility on the hiring organization, not the outsourced company.
Make sure to review sub-contracting arrangements too.
The contract should be clear about sub-contracting expectations and restrictions, compliance with laws and regulations like the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, compliance with a Code of Ethics, liability and insurance, performance standards, supervision of the work, compensation and reimbursement of expenses, confidentiality and non-compete provisions, ownership of intellectual property, breach of contract, and provisions for conflict resolution.
Fieldwork often represents the longest phase during an audit, and all the effort put into interviews, observations, walkthroughs, document reviews, calculations, narratives, and flowcharts helps auditors determine if satisfactory progress is being made towards the achievement of goals, if risks are occurring, and if controls are working as intended.
Fieldwork testing is key to providing reasonable assurance to audit clients. Looking carefully within the organization is common, but evaluating the conditions and work of business partners is also important to provide reasonable assurance to stakeholders.