November 26, 2007 – How to survive an Audit
Truth in reporting is vital to building trust and successfully managing people and projects, but sometimes it is better to keep your mouth shut. Too much information can lead to problems. One of my former co-worker never had the filter between his thoughts and his lips installed. Case in point: Needing to take Friday off, he asked his manager for the time off. That part was great. However, when asked what he had planned, he should have just said he needed to run some errands. Unfortunately he proceeded to tell of his DUI conviction and that he was going to an alcohol awareness weekend as part of his sentencing.
Having survived many project audits and then being both a Project Officer and Quality Assurance Auditor for several years I can assure you that a project audit is not the place to offer more information than requested. Here are 6 tips on how to survive an audit.
- Determine the audit type. There is a big difference between an project health check and a regulatory audit. The purpose of a health check is to understand the state of the project to help increase the probability of success. A regulatory audit is to verify compliance with regulations or standards. You can use a health check audit to bring visibility to issues and risks facing the project so management can supply the necessary resources to address them. Regulatory audits, on the other hand, are there to find problems. Unless there are serious or illegal problems with your project, you may want to down play the issues for a regulatory audit.
- Understand your Auditor. The audit groups I have worked with all had the interest of you, your project and the company in mind, not their own agendas. Some auditors feel they have to find something wrong in order to justify their existence. Understanding the type of auditor you are dealing with will help shape the way you answer questions.
- Get the list. Understand the standard you are being held to. Since audits rely heavily on question lists, get the list ahead of time. Make adjustments to your management and documentation styles to be able to answer "yes" to any of the questions. If one of the questions is "Are regular meetings held that review status, financials and issues?" then make sure your minutes have those points listed.
- Avoid the search. Based on the list of questions, have evidence that shows compliance readily available. If they want meeting minutes, have a folder full of them. When they are looking for approvals, have copies, emails or other artifacts compiled to present. If they have to dig, you may spend even more time answering misdirected questions.
- Only answer the question. You have the right to remain silent. You many want to use that right, especially for regulatory audits. Just like my buddy the drinker, giving too much information can cause problems. Even if what you say isn’t a problem, additional data can cloud things or look as if there are issues. Again, if there are serious or legal items at stake, don’t hide them but don’t air your dirty laundry, either.
- Less than 100% is good. Odds are you will miss something on you audit and that’s okay. The key is to develop an action plan based on the short comings and get any audit issues resolved before the next one.
As long as you know the expectations, audits results shouldn’t be a surprise to you. By following these steps you may, however, surprise you auditor.