Investigations and Audits: Developing an Effective Game Plan


Monday Morning Quarterbacking

On Monday mornings during pro football season in offices around the country, win or lose, there’s the inevitable water cooler discussion about the team’s performance and what they should have done during the game in critical situations. The discussion, or post game review, is generally referred to as “Monday morning quarterbacking” and is analogous to the kind of after the fact analysis that occurs in a highly regulated industry.
 
In the business environment, this kind of hindsight, and post event regulatory scrutiny, heightens the need for effective governance, risk and compliance (GRC) programs as “getting it wrong” often comes with penalties, fines and sanctions. Everything companies do on the global playing field is viewed microscopically by regulators in the unique position to assess day to day operational performance after the fact.

Key Areas for Improvement

While scrutiny from regulators and interested outsiders is inevitable, there are steps companies can take to ensure investigators and auditors are operating from thesame playbook.

Football plays are complex, diagrammed with X’s and O’s. Likewise, the compliance plays that companies draw up are often harder than they have to be. The truth is operational improvement doesn’t have to be complicated.

In this article, we’ll touch on the synergies between audit and investigative teams which, when functioning cohesively, form a “dynamic duo” for the business. Plus, we’ll look at five key areas (Review, Teamwork, Agendas, Communication and Access) which are necessary to optimize audit-investigations interaction and the need to capitalize on the synergies between these two essential business units.

Synergy

It’s impossible to discuss keys to audit-investigation improvement without first acknowledging the fact that there are quite a few synergies between audit and investigation team functions, knowledge and skill sets.

Investigators have knowledge of people, human behavior and criminal acts while auditors have knowledge of business processes, work flow and systems. The knowledge base may appear different but there’s actually a functional intersection between these two teams activities and synergies to be found in their fact finding and analytic missions. Capitalizing on each areas strengths, skills and abilities forms an effective “one-two punch.”

To derive maximum ROI, it’s imperative that senior management recognizes the synergies between these two teams and facilitates effective, holistic, and regular interaction between them.

TeamworkPartnering

Oftentimes, businesses that are operationally challenged, and being scrutinized by regulators, have ineffective audit and investigations teams which operate in a siloed environment. Silos are neither effective nor holistic.

Viewing the relationship between audit and investigation as allies, or partners, interested in the same business outcome versus a siloed, “I own it,” mentality is critical to a company’s success.

The complimentary skill sets and interests between audit and investigation teams must manifest itself in a spirit of teamwork, collaboration and coordination.

Agendas

 Two essential parts of effective teamwork are collaboration and coordination. Collaboration and coordination suggest the need for the development of a joint audit-investigations agenda. While the audit and investigations teams have their own missions, schedules, work flows and operate independently, independence isn’t often insightful.

Effective interaction requires the creation of a “big picture” agenda for both teams, with complementary and coordinated processes, which is clearly beneficial to the company and its stockholders as a whole.

Further a shared agenda increases both teams ROI and demonstrates to regulators that the company’s “burning on all cylinders” and has its fact finding act together.

 Review

 For starters, audit should be reviewing investigations outcomes and following up to determine areas for re-audit or improvement (critical control failures) post corporate event.

Likewise, for the investigations department, reports of areas previously audited should generate investigative leads, places to start investigation or the development of an expanded investigations scope based on an audit’s parameters and results.

Over time, internal and external fraudsters learn what transactional thresholds are so there will not be anomalies found in the sample population, data or records audited.

This presents an excellent opportunity for investigators to expand the scope of their investigations and look outside the samples previously audited which has the potential to generate surprising results.

Communication

 Effective communication is a “two way” process which involves sharing information, insights and active listening. One of the major keys to improvement between audit and investigation teams is breaking down communication barriers which exist under the siloed work unit approach.

To accomplish this, regular communication and reporting channels must be established

across the enterprise to facilitate the exchange of previously agreed upon business unit information and the information flow must go both ways.

Communication is more than just exchanging reports, it’s about engaging in real dialog about the business. This type of open communication must take place between the audit and investigation teams to maximize both team’s effectiveness and the corporation’s emphasis in these areas.

If there are operational issues with these two teams, or they are simply not functioning as effectively as they could be, breaking down communication barriers and opening new communication channels is a great place to start the rebuilding process.

Access

 Investigations case management, data and incident reporting systems often have “permissions based” access levels. While it’s understandable that investigators want to maintain the secrecy of their cases, putting walls and moats around the castle and preventing key individuals in the audit department from having access to the information is a critical mistake as there is definitely a “need to know.”

The need to know is based on the fact that the audit department has SOX related, Board of Directors, reporting requirements. So, giving the head of audit, or a select member from the audit team, “read only” access to the internal investigation and hotline reporting system is a must.

The information concerning incidents occurring around the business unit should not be a surprise (the “no bombshell rule”) to key audit employees. The audit team should not be put in an “I didn’t know about that” position when sitting in front of the Board to report their findings. Nothing good comes from that.

The Final Word

 There are a number of ways to improve the effectiveness between the audit and investigations teams. While space prevents us from covering them all, the focus of this article has been on five key areas where businesses can easily improve operational performance.

These “quick wins” are not based on complicated plays, drawn up with X’s and O’s, but common sense steps which are easily achievable. From a management perspective

there’s also an upside to concentrating on these areas. To achieve better audit-investigation results, you can increase your ROI with little to no capital expenditure and that translates directly to your bottom line.