Call in to speak with the host
Anthony J Smith has 14 years of audit experience and currently leads the Audit and Compliance Department for Mitsubishi Electric Power Products. He spent 9 years with PricewaterhouseCoopers Boston, Washington D.C. and Pittsburgh an Internal Audit Services Manager, where he worked with various Fortune 500 companies on internal audit and Sarbanes-Oxley compliance engagements. In 2009 he was hired by Mitsubishi Electric Power Products to start up their Audit and Compliance Department. Anthony is a Certified Public Accountant in Pennsylvania and recently authored an article entitled, “Requests for Information” which was published in the April 2014 issue of Internal Auditor magazine.
Hi, I am Sonia Luna, CEO and Founder of Aviva Spectrum, an internal audit and compliance consulting firm, headquarter in sunny Los Angeles, California. I am also a speaker and writer on topics like COSO 2013, SOX 404, quality assessment reviews, internal auditing and related topics. Today's interview, which I am super excited about, is with Anthony Smith. Anthony currently leads the Audit and Compliance Department for Mitsubishi Electric Power Products and has 14 years of audit experience under his belt. He spent nine years in the Internal Audit Group at PricewaterhouseCoopers where he worked with various Fortune 500 Companies. In 2009, he was hired by Mitsubishi Electric Power Products to create and develop their Audit and Compliance Department. Anthony is a Certified Public Accountant in Pennsylvania and recently authored an article entitled "Requests for Information" published in the April 2014 issue of the Internal Auditor Magazine. Welcome Anthony. It is a pleasure to have you on our show.
Thanks for having me on.
Great. Well, I wanted to get started a little bit about the article in it of itself, so can you share with our listeners what inspired you to write this article?
Sure. "Requesting information" seems to be one of those areas of audit planning that is often overlooked when considering how to improve the efficiency and effectiveness of an audit. It typically is delegated down to a low-level staff member and it is really not something that is thought about until comes around to the start of fieldwork and you realized you do not have a lot of the information that you need to actually start fieldwork. But, it is one of those areas where it is actually your first contact with the auditee and can really set the tone for the audits and it is really worth spending the extra time to get this stuff right. In my article, I talked about a better approach to requesting information that improves efficiency and effectiveness of the audit and really enables questions that get answered faster and it also enables you to build a better relationship with folks in the business.
And I often see, like you stated earlier, that request is typically done at the lower-level staff position. So it is kind of like, here is the audit objective or the goal, here is what the activity were going to be, you know, needing or the evidence that we need to collect and then we make a big assumption. The staff actually knows how to craft the language that is appropriate to meet that core objective and then you get in to fieldwork testing and then people are like, well what about this, what about that, in order to gather substantial evidence and it is. Let us says, 80% of it is pretty much accurate or complete, but then you have got this missing gap where you could be annoying other people when they say well why was not that requested in the beginning. You follow or you know, why are you coming back to me for something that you should have thought about, I do not know, in the planning stage of the project. So, I enjoyed the article because it was, I know it was in the section, I think it was called Back to Basics in that area of the IA Magazine and it is a good refresher because often, we get so complacent and then we forget about some of those best practice items that we should be thinking about even if it is delegated to our staff and I wanted to hone in on another point, which is kind of a hot issue this year in particular about transitioning to the new COSO framework and I know you discussed in the article about the request of information from your auditee or your client can impact the quality of the audit, but can you share with our audience some of the tips when you are requesting information, for example if you need more documentation let us say if you are transitioning to the new COSO framework?
And then one of the other, it is the last tip I will mention here is make sure you know what you are requesting. You need to have a solid understanding of not only the audit stuff, but the audit objective and the associated risks. You know, it is not uncommon to walk into one of these meetings and just get thrown a curve ball which makes your original request irrelevant. But, if you know the audit objective and the risk, you can make that change in the fly and get back on track without too much delay.
Yeah, I have also had asked our staff. Like, see last year's work papers as a clue, but I want you to be able to answer the question, what question does this answer? So if it is a purchase order, I mean, what question are we trying to answer here related to the risk or the control objective etc and it gets them in a problem-solving mode where they are thinking about the goal of what that evidence is trying to achieve, you follow? So, I mean it is just another pattern or another viewpoint to take away, but you are right. What is it that you are requesting? And then, if you do have priority work papers, I have noticed that people sometimes just copy and paste and they are not thinking about the actual situation or the actual goal and when you ask him like, okay, what does this really tell us? You know, I mean, I am not trying to put people on the hot seat but, it is getting them to think critically to say, is this even the right information to answer the question that we need to get answered. So it makes them think rather than just assume this is just the proper way to get the information and just let us copy and paste what we did last year. And I love the better versus the traditional approach, which I wanted to get into. Can you share with us the better approach to requesting information versus the traditional approach?
Yes. So the traditional, at least on my experience, you send out a PVC list or document request list and you sit around, wait for the due date to go pass, then you start making phone calls and send voice mails and finally you use the last resort, you kind of go knock on their office door and force them, twist their arm until they give you the information you need so you can just start your fieldwork. But, like I said earlier, that really sets the tone for the whole audit because it is based on your first contact. So it is really kind of bad approach, at the first time you are dealing with them is to take that from an arm-twisting approach. So the method or the better approach that I suggest in my article is to just initially schedule a meeting upfront with them. It is only going to take 30 minutes of your time. It sounds like it is really going to be a time-consuming process, but it is really the benefits are really worth it. So basically, you schedule a meeting, meet with them, describe what you are looking for, describe what you are trying to do. And we found that, if you that, the auditee really has kind of a better sense of really what you are doing and really kind of appreciates that extra background information on what it is you are looking for. Some of the other key benefits that we have seen, you know, if you do make a bad request, I think we all have been in the situation where you maybe request something like the vendor set up form from the AR manager when you really should have been requesting from the AP manager. You can kind of make those changes in real time, opposed to having to kind of wait a week for them to identify that it was a bad request, send it back to you and then you send it back and having to wait another week for them to look at it again. You know, it is just a much more efficient process to do it that way.
The other thing is, you really gain a better understanding of the process when you are sitting there talking to the person about what it is you are requesting. Just last week, we actually had a good experience that kind of illustrates this. We were sitting with one of our group controllers and we are discussing one of our internal controls. And this controller have been in placed for a couple of years, and he really, we were sitting down and just talking about it and he is like, you know guys this is really a lousy control. He is like, yes, it works and it kind of meets it, but it is really just kind of a lousy control. There is a better control, kind of earlier in the process that I think would meet and would really address the risks better. And we looked into and he was absolutely right. But if we did not have a conversation with him, because the control was in fact operating fine, we would never really taken that second look at it. So it is good for us to sit with him and for him to basically give us his opinion on what he thought the control was doing, which is not something we typically would have asked him. But since we are sitting there, he felt he did expressed his opinion to us. The other thing that we like about these meetings, is typically at the end of the meeting, after we have already made a request and they gave us the information about where it is located or what we can look at or they just handed it to us, you know, we tend to ask them questions, like how is business going, how are sales? Or how is the new stock where you just implemented? Or how is the new quality manager working out? And by doing that, we just gain, well it may not relate exactly to audit we are doing at the time, it gives us some additional background information about the business and you know, something may pop up where we can kind of make a note, oh we want to look into this later. So it just gives us that extra information.
But the most important thing I like about this new approach, it really helps us build stronger relationships with the folks in the businesses and that is what really helps improve audit planning, is knowing this additional information because we have these relationships. It is, I would say, you know a couple of times a week, somebody from the business calls me up and ask my opinion on something. Whether it be a compliance topic or something audit-related. They did ask my opinion on something because they know that I have a relationship with them. They can call me up. They can ask me a question and they can do the right thing from the start, opposed to me having to come back and identifying it later on during an audit.
It sounds like this better approach, obviously, is more proactive but it is also kind of being human in the sense that, you are not saying to the auditee or the client, hey this meeting is just about this agenda item. It is kind of sorting out like hey, how is business etc and the kind of dovetailing from that point for being human basically and then saying, okay the real core of the meeting is now that we have this time blocked off for 30 minutes, is these requested items. And the way I have also put it to staff members is we have what we call just kick off meetings and it is nothing other, so the auditee does not know that it is really kind of PBC request meeting. We will say, hey this a kind of kick-off meeting, we just want to be on the same page for timelines, due dates etc., and we just do not want to assume that you are completely available or you do not have any other sets of auditors or other deadlines. So we want to cover that in this meeting, let us block off X number of minutes, what have you, and then we go into some of the more complex request items or sometimes it is a voluminous request items. So those are the two major categories that I have told my like, go through the higher risk processes and then within those processes, take your top three request items that you know are very either complex to get or maybe the auditee does not understand the core objective, just to make sure that we are on the same page with them. So we only have a certain limited amount of time blocked off for the meeting.
So we are not going to be able to cover 100%, let us say of every request item in 30 minutes or an hour so we should use that time very wisely, either super high-risk complex or very voluminous time-consuming just to make sure that maybe there is something better out there like you had stated earlier where you found out your group controller, hey there is a better piece of evidence out there before that initial control that suited the same objective that you guys wanted. So I completely agree. It is just some of those things that you get caught up in your audit program and you are kind of knocking things out and you kind of forget those basic best practice items to do this better approach. And I wanted to dovetail into kind of the overall underlying message, you know, that I know you wanted our listeners to get, to understand about the role of relationships in audit planning. Can you share with us your vision for that?
Sure. Uhm, see, unlike Phil Mickelson and Martha Stewart, inside information is actually an auditor's best friend. You know, knowing what's going on in the business really adds to audit planning and allows you to, you know, basically create a better audit plan, and then, subsequent audit programs. You know, having that extra information really will key you in on the key areas that you need to look at during, the year or during that particular audit. You know, developing relationships like you mentioned is really critical just to the base in getting, you know, obtaining that kind of inside information that I mentioned, and that's really kind of the focus I have for this, you know, the article. That's kind of what I really wanted to get across the people, is really developing those relationships is really key. In my experience, you know, internal auditors have a tendency to kind of, you know, stay in the area, and do, what the auditor program said, but really do venture out and try to develop those relationships. When I started the internal audit practice here, in my company, five years ago, one of the things I made sure that we did is really kind of, you know, get out into the company without that kind of internal audit stigma. So you do things like you do a lot of the community service activities and you join different groups and you know, you can even do things like, you know, join the golf league or fantasy football league, just something, so you know, people get to know you outside of that kind of internal audit role. In that way, you know, they get to know you on a different level and they're not always maybe intimated by, you know, your title or what you're function is within the company.
And you know, by doing that and developing those relationships, you really do get a lot of information that you wouldn't otherwise get just during, you know, during the normal audit or just by, you know, talking to people normally or sitting in a business being. So, it is really key to getting that inside information that we are talking about and having a new information is what makes you a better auditor and what makes your, you know, internal audit shot be able to truly add value to the company.
So, it's like the roles of relationships in terms of it's a matter of making that extra additional investment outside of the internal audit department that's going to add a lot more value, and it's really hard to measure because like you said, I mean, if you are part of the company's fantasy football league, you're part of the company's, you know, community outreach efforts, etc., so the stigma of being just a, you know, the hall monitor or the internal cop, you're now, you know, a person that is actually people can get to know that there's something about you above and beyond just being part of the internal auditor group that they can say, "You know what? This person has a job responsibility just like they do and they're just trying to get the job done right" and therefore, you know, seeing internal audit group members doing other activities with them like just like a normal team member, it breaks down certain barriers of either out to get me or the out to find something negative about my performance that's more of, no, they're just trying to make the company better. This isn't so much about my individual performance, but rather, you know, a bigger picture objective that, you know, the internal audit group is trying to reach. So, I really like that about the article kind of dovetailing into, you know, the role of relationships and trying to remove some of that stigma by just being, you know, human and being part of the team in general. I wanted to move on to something that's near dear to internal auditors, which is risks so I wanted to ask you, how do you, you know, what are some of the risks that auditors should be aware of when obtaining audit support?
Yeah, so I just mentioned a couple of things here, but, and some of these are a little more obvious than others, but I mean one thing, the main thing I guess to watch out for is what I call corrected information. A lot of times, when you're making a request and you're citing a sample of you know, 15 whatever, you know, if the audit is going to hand it to you, there is a good chance that they've already gone through it particularly when we're talking about like Sox type work because everybody knows what exactly you're looking for, you're looking for a signature, you're looking for some kind of evidence or review, you know, so they already know that, and so there's, you know, there's always that possibility if they're going through the information, reviewing it ahead of time and you know, correcting it. I remember when Sox first came out, its probably back in '04 I was doing an audit and a controller actually handed me a stack of 25 something, it said there's three areas in here. So, she's already gone through it. Now, luckily she was an honest person, had integrity and did not change any of them, but you know, she already knew, she's like, there's 325 issues on there, you know, we know, we are already dressing it, blah blah. So, you know, it's something you gotta watch out for because some people aren't as, you know, honest as that particular controller was. That's the first thing I'd watch out for. The second thing I'd look out for is what I refer to as filtered information. One of the popular sayings is you know, don't give the auditors more than they've asked for so you know, you gotta be careful and a couple of things here, one, don't make your request so narrow that you'll only get one more sheet of paper with one signature on it, you know. If you're looking for a signed costumer setup sheet, you know, maybe ask for the customer file opposed to just the setup sheet. That way you can look through, see what else is in there, see if any else is, you know, amiss. Also, if you're making requests and they're only giving you the bare minimal of information, you know, be aware of that. You know, they may not be trying to hide something, but they're definitely, you know, maybe trying to, you know, divert your eyes elsewhere type of approach.
So, I would encourage your listeners to maybe make their request a little broader so they don't get that kind of filtered information risk. I guess the last thing I'd mention here is misunderstood requests and I think we've all had this where you know, you request one thing, you know, maybe request a list of active projects for the year, but what I'm getting is a list of projects that were started during the year so it's only, you know, it's a slight misunderstanding of what you asked for, but you may only get half the population that you expected, so you know, misunderstood request is definitely difficult particularly with you know, internal auditors because you know we're so used to doing this and we know exactly what we want and so there's always a chance that the auditee, you know, it is the first time they're seeing it, they may have misunderstood, you know, what you are requesting so just be careful that you're looking at that pretty closely, you know, after you receive, but the bottom line is whenever you can, try to pull the information yourself. It's kind of the best way to avoid a lot of these risks, so if you can get access to your __22:43__ system or if you can get, you know, access to, you know, where the files are located originally, you know, try to pull out that information yourself.
Yeah and just one quick story to add to that in terms of you know, doing this yourself, we had a situation where we were making a recommendation, this is during the process of auditing controls and it was in the AP function and one of the comments I had asked was, you know, can you make vendors you're no longer doing business with inactive in the accounting system? Therefore, locking down any just potential, you know, checks and/or other purchase orders being entered into, you know, an inactive vendor. And the answer I got was "No. You know the system doesn't do that" and I thought "Well, I know that package. That seems very odd", you know, I'm not a detailed worker bee in the accounts payable department, but I walked over to the accounting manager and I said, "Hey, I just wanted to find out, you know, can we go into the module itself because, you know, this particular, you know, package is pretty darn sophisticated now" and, you know, the only package I can think of is quick books that may not be able to do inactive vendors and even now, today, it can actually do that, but here's the point, he and I were going to the module and sure enough, as we were going through the different tabs, I saw a whole slew of other areas in the AP function for vendor setups. And there was in fact a check box, it was actually a tiny little box that could make a vendor, you know, active or inactive.
So, he himself hadn't really thoroughly gone through, I think was more of just avoiding an issue (laughs) of it and actually implementing a recommendation that is preventative, you know, fraud type of control and I said "well, look, you know, I don't know how many vendors, you know, you could have thousands in here, I have no idea, but that's something that you guys wanna consider because you can do this, it's just a matter of, you know, prioritizing your time and that's something for you to kind of put together, I mean can't force recommendations, but it was something very clear that seeing for myself, not only did we find inactive little check box available, right? But I was able to see a whole of slew of other tabs related to vendor setups and you can even limit to thresholds, I mean, it was a whole new ballgame after I saw that myself, but it was just kind of asking a question saying "Hey, I just want 5 minutes" and, you know, it was just more of my curiosity at that point, kind of like "Huh, that didn't make sense" I mean, usually these things actually have that functionality. So, well, Anthony, I wanted to first and foremost thank you for making the time here. It's been an insightful interview. Thank you again, Anthony, for being here with us.
I appreciate you having me on.
Great. And as a reminder, you can find Anthony G. Smith Article Request for Information in the April 2014 issue of the Internal Auditor Magazine also found online at www.internalauditoronline.org. This is Sonia Luna. CEO and founder of Aviva Spectrum, signing off!
Sorry we couldn't complete your registration. Please try again.
Please enter your email to finish creating your account.
old-style code for hosted blogs
300 x 295
400 x 370
640 x 550
It's good to talk.