At the 64th Annual Fall Conference of MD/DC ASBO in November 2015, a panel of Maryland school administrators offered advice and insights about successfully preparing for and managing audits. The panel—which was facilitated by Suzanne Jones, secretary of MD/DC ASBO board of directors and MIS coordinator from Caroline County Public Schools, Md.—featured Diane Moore, data systems manager of Caroline County Public Schools; Susan Ortt, information systems specialist of Talbot County Public Schools, Md.; and Jenn Berlin, information systems analyst from Somerset County Public Schools, Md.
The hour-long discussion, which involved extensive audience participation, highlighted five keys to a successful audit.
Develop Strong, Well-Documented Processes and Controls
The panel was unanimous in stressing that auditors cannot manufacture “findings” where there are none. School districts with strong processes will naturally fare better in an audit than those that don’t.
The group recommended thoroughly documenting district processes, particularly those in the areas of payroll, accounts payable, and data security and controls, which tend to be the most closely scrutinized aspects of school district operations during audits. They also advised districts to conduct annual internal audits in order to identify and resolve weaknesses in their processes and issues of non-compliance.
In describing the features of effective documentation, Suzanne Jones noted that her district’s most effective documentation featured step-by-step instructions, along with screenshots, that would enable anyone with the appropriate skillset to easily execute that process. She also commended Diane Moore for her thorough documentation of Caroline County’s payroll processes saying, “If someone would walk in and want to execute that process, there is no guessing about what’s the next step because Diane has truly spelled out everything.”
Create Alignment on Audit Response Team
Panelists recommended approaching the audit as an aligned team. “You want to find out as much as you can before the auditor comes to town,” said Diane Moore. “I think the list went to my superintendent, and he forwarded the list out to the appropriate people. We then gathered as much information as we could before the auditors came onsite.”
The panelists recommended conducting a pre-audit meeting to provide district staff with guidelines and direction for their roles and responsibilities during the audit. During the meeting, the panelists recommended advising staff not to become too familiar with auditors and to give them only what they ask for and no more, as additional information may lead auditors far beyond the defined scope of the audit.
In addition, the panelists recommended that communication among the team members be encouraged throughout the audit. Team members should be encouraged to share auditor inquiries and requests, along with responses, with the entire team. Often auditors make duplicate requests in an attempt to uncover deficiencies in district processes. By communicating inquiries and responses, districts can ensure that everyone remains on the same page and that staff is efficient in managing the workload associated with the audit.
To Provide Access or Not to Provide Access: That is the Question
There was divergence of opinion about whether districts should provide auditors with access to district ERP systems or not. Smaller districts in the session indicated that it is convenient to give auditors restricted access because staff members then don’t have to run reports. The larger districts, however, generally preferred not to provide auditors access, as they remained in control of their data and were able to scrutinize reports prior to providing them to auditors.
Most of the panelists, which represented smaller Maryland districts, create limited-access accounts for auditors. Jenn Berlin elaborated, “The account we created for the auditors is a read-only account. We did a lot of testing to ensure the account had the access it needed to have and no more, because I can only imagine getting pinged on an audit for giving the auditors more access than they needed. It’s my job to provide the auditors with support so that they know how to run reports and can access the information they’re looking for.”
Maintain Documentation of Responses throughout Audit
Most of the districts represented at the session said they lean heavily on the canned reports available in their ERP software for answering audit questions. For many on the panel and in the audience, dealing with duplicate requests for information during audits is both common and frustrating.
Susan Ortt recommended keeping thorough documentation of responses to auditor inquiries. “As soon as we get notice of an audit, I create a folder in my email inbox,” she said. “Everything and anything, particularly my sent emails, goes in that folder. If you don’t do it, I highly recommend you start.”
The panelists again advised session participants to follow good internal communication practices of sharing responses with members of the audit team. They also emphasized that it’s appropriate to demand accountability from the auditors for forwarding relevant information to appropriate parties.
Be Open to Change
A session participant suggested that a typical audit report has between 15 and 25 recommendations. While it’s easy to approach an audit report with a critical eye, session participants all agree that it’s important to keep an open mind and be open to change as you review audit findings.
One session participant shared an instance in which an audit finding resulted in a beneficial change to their district processes. “During our last audit, we received a finding on defining critical user rights. It was one key takeaway that we benefited from,” he said. “Because of transition and reorganizations, you always will have people that go from one department to another. And, it’s a hard thing to take away rights that they have. Now, we have it set up where our managers are responsible for looking at the personnel in their department who have critical roles and need particular user rights. And, anytime there’s a change, a notification goes right from our human resource software to our CFO. Resolving that finding benefited us.”
In wrapping up the session, Suzanne Jones echoed his observation and shared similar situation at her own district. “Some findings do come to help us,” she said. “It’s those kinds of things that I hope we can learn and benefit from.”