Expert: Don Sadler - 5/29/2008

Question
I received a email from my director to follow up on a request from an internal auditor. Prior to recieving the email from my director. The auditor had talked with one of our attorney to pull and provide some vital agreements records. The attorney pulled the documents and asked that I copy the materials for the auditor. I copied the materials and provided to the auditor. The second request from the auditor (in the email from my director) she wants a comprehensive index of all vital agreements for all entities that we may possess onsite such as (service agreements, marketing agreements and reinsurance agreements) I contacted the auditor for more clarification as to what she will need. She responded she wanted an index of all agreements for all entities. We have many types of agreement since this is a legal dept. However I  have an index of the files the attorney pulled. These agreements are from 1972 to 2002, but the index was last updated in 12/04. Apparently, The index is not up to date. The paralegal who was responsible working on these files and creating this file system had retired and therefore,  the index has not been updated since. The retired paralegal manager was aware of the project and at one point was involved but however had let this fall through the crack. My director tells me not to hand the indexed to the auditor and wait till the paralegal manager return from his vacation. She wants me to dance around a little. Meanwhile I have the auditor calling me and dropping by to pick up the pulled documents from the attorney and demanding that I provide her with the index. The auditor want an index.  I am caught in the middle relying message between my director and the auditor. I don't know what to say and how to handle but inform the auditor that the manager of the paralegal who handles is out on vacation and is unaware of the scope of this request. upon his return I will meet with him asap and get back to her with her request and a deliverable date. She is not happy about this and expressed she can not wait. She also expressed we should have an index according to the records retention schedule. She also informed me she wanted to confirm we were indeed have the agreement onsite and recorded it properly. How should I handle? We do not have a current index and the index indeed need to be updated. However, we have many type of documentation for our records such as online log.. database capturing the records we have.  
Pleas help... How can I communicate with the auditor to by myself time to produce her with a comprehensive list. Should I send her what I have and advise we will provide an updated list within a specific timeframe.  Any help will do.  

Answer
I understand your dilemma and am glad you asked for advice.

First, unless directed otherwise by your executive, you are under NO obligation to do the auditor’s work.  Auditors will frequently attempt to have the auditee develop indices, cross-references, etc. purely for the auditor’s convenience.  
While your policy may call for an index and while an index may be useful, I can easily imagine that there are much higher priorities than administrative policy compliance.  Again, you are expected to reasonably accommodate the auditor and provide access but not to do extra work for them or do their work.

If I were in your position, I would do the following:

A.   Talk to your Director to ensure you have the executive support.

B.   Disclose to the Director that the index is incomplete and it is a work in progress (though likely not a high priority).

C.   Ask your Director for guidance – does creating the index take priority over other work?  If so, do it. If not – go to step D.

D.   Tell the auditor that they are welcome to whatever records, files, indices that currently exist but that you will NOT be performing additional work for their convenience.

E.   Tell the auditor they are welcome to write up the lack of an index as an audit finding if they think appropriate and that you will challenge the finding unless they can prove there has been some material impact (negative effect) due to the absence of the index.

F.   Tell the auditor that they are very welcome to review the files and create whatever index they may need to complete their audit work.

G.   Tell the auditor to get off your back and work around this issue or you will need to escalate this issue to the next level of management and let your Director resolve the issue with the Audit Director.

H.   Tell the auditor that you and your Director want to be fully briefed on each finding as it is discovered and validated (proven).  If you disagree with the findings, contest it on the spot and show why it is invalid.

When an auditor writes up a business unit or organization, it is called a ‘finding’, ‘exception’, or a ‘deficiency’.  Whatever it is called, it may be valid but not material. In other words, it would be simply a minor finding of an administrative policy not being followed.  Minor findings seldom show up in a report - they are usually addressed verbally.  In order for a ‘finding’ to be in a report it usually has to meet six criteria [or contain six elements].  These criteria [elements] are as follows:

1.   CONDITION (WHAT IS THE PROBLEM - IN HIGH LEVEL TERMS?)
2.   CAUSE (WHY/HOW DID THIS CONDITION EXIST?)
3.   CRITERION (WHAT IS REQUIRED/DESIRED & BY WHAT AUTHORITY?)
4.   SUPPORT (PROOF – WHAT MAKES THE AUDITOR SURE OF THIS CONDITION?)
5.   MATERIALITY/IMPACT/EFFECT (SO WHAT?)
6.   RECOMMENDATION (DIRECTLY ADDRESSES THE CAUSE)

When you do receive the audit report, respond to it appropriately.  Review each of the 'findings' and, if valid, acknowledge it and propose a corrective action. If you

I hope this is helpful.