Auditing has long been a requirement of law firms, and although necessary as part of the AML regulations and quality standards such as Lexcel, CQS and SQM, it is too often the case that firms struggle to keep pace with the requirement.
The reality is that in most firms (particularly in current times), all staff are busy. Furthermore, those tasked with auditing and file reviews are often the senior and experienced staff/partners whose time is valuable and needed to service the work, supervise and manage the firm generally.
In some cases, this results in audits being delayed and stockpiled, or the exercise turns into box-ticking where the audit is completed with minimal effort to ‘get the job done’. Whilst this may put the numbers in, it does not enable the firm to learn and adequately identify any issues.
With more emphasis being placed on auditing by Insurers, the SRA and the quality standard auditors, the need to bring structure and make audits more effective and integrated into the firm is paramount.
Part of any risk and compliance strategy has to be evidencing that risk is being managed effectively, and a proportionate audit programme that is structured will deliver the evidence a firm needs to demonstrate to external bodies or people that the firm is in control and supervised.
At The Strategic Partner, we work with and for a large number of law firms and a good representation of the Professional Indemnity Insurers. As a result, we see the best and the worst of auditing processes within law firms.
This paper will hopefully assist in setting out some direction for firms to ensure their audit strategy can stand up to scrutiny.
The Audit Process
The audit process needs to run seamlessly alongside the way the firm operates. Staff should be aware of the audit process, and the appropriate areas will direct the audit itself.
An audit should never be a tick box exercise to get the minimum number of audits completed. Firms should direct their audit resource to where problems may exist so they are found and resolved. Alternatively, if issues are not found, as they are not there, and the firm can evidence that they have looked and a positive report produced.
Even where there are issues, as already highlighted, the action that is then taken is essential. Not every audit will be perfect, but the solutions will direct the firm in the right direction.
For an audit process to be effective, there should be two types of focussed audit: –
- Policies Controls and Procedures – an audit that ensures the staff in the firm are applying the requirements of the firms PCP’s at case level. It should include the file audit, interviews with staff to ensure understanding, and a review of the compliance registers. This type of audit is more regulatory focused, but it also ensures that elements such as risk assessments are being completed. PCP’s are wide-reaching in a firm from AML through to risk management and complaints etc. There is a lot for staff to undertake, but they have to do what is required with consistency. A regular PCP audit will help to ensure the requirements of the firm are implemented and maintained.
- Technical Audits – the technical audits focus on the handling of a matter, the service provided, and the quality of advice. These are more specialised as the auditor must understand the work area to ensure they can observe and comment on the strategy adopted by the case handler and their work. A technical audit can and will be more time consuming and require a different level of expertise.
- Directing Audits – a well run and managed firm will be aware of matters which are high risk and cases that will be causing concern. These are identifiable through providing guidance to staff on what is high risk and ensuring they are reported and recorded. Directing audit resource to these higher-risk matters will provide a firm with a significantly more robust audit process. It is better to see a high-risk matter several times a year than to ignore that and focus your audits on matters known to be low risk and fine. Risk management is about supervision and control, and that comes from understanding where your risks are and interacting with them and those involved in such matters.
The PCP audits are easier to outsource. They are required to ensure the firm’s processes are being complied with, and they provide objectives as they identify the requirement and assess the implementation. Technical audits are harder to outsource as they require expertise in a specific area of law, but firms can outsource them, and TSP have technical auditors available. However, firms will often tend to keep the technical audits in-house but outsource the PCP audit.
Audits should always be independent, but the word independent does not always mean external. Independent within a firm means someone who has the ability to guide and direct decision makers without the fear of reprisal and, of course, independent of the file holder.
The regulation falls short of telling firms that going external is better, and for some, it may not be, but for others, it is and may also prove more cost-effective. It is undoubtedly the case that the SRA and insurers are likely to be more content with an external and independent audit.
The valid benefits of an external audit are: –
- Cost Effectiveness – it is more than likely that the cost of an external audit will be significantly cheaper than using an internal resource to perform an audit. With senior staff often being charged with auditing tasks, this will take them away from fee earning and providing services. If a fee earner loses 7 hours a month to auditing and their external charge rate is £250 an hour, the cost of each audit performed is £1750. This cost is significantly more than bringing in external auditors (based on TSP audit day rates)
- Independent – an external audit is truly independent. While it is true to say that a firm will pay the auditors fees, the audit provider has to maintain their service’s integrity or lose respect. External auditors benefit from not being influenced by the firm and must report on its findings. Establishing an independent and impartial process that helps guide the firm and deliver solutions to any issues. Working with a firm to overcome these issues is an essential part of the audit role. Problems will exist, and that is expected. How a firm responds to those issues is important. Not every audit will go well, but those audits fall short of the requirement, where firms can learn, adapt, and improve. In our experience, firms that use our auditing solutions respect the independence and work with us to ensure that the audit is constructive and delivers solutions to improve. Approach and understanding are essential.
- Expertise – external auditors work across more than one firm. At TSP, we work across the industry, overseas and out of the industry. We see what is going on in other firms and other sectors, and we can bring best practice that may not be obvious to internal staff. With an independent auditor, you can have a level of insight that is simply possible to attain for many firms.
- Solutions – an external auditor has a vested interest in ensuring that the audits are undertaken and solutions provided and to assist the firm in delivering improvement when necessary. It is their role and an essential part of what an auditor must do.
- They get done! – there is no excuse for an audit not to happen when it is outsourced. Audits will be booked in, conducted, and the reports completed. An external auditor has the task to complete the audit for the firm, as failure to do so will mean the service has not been delivered. For this reason, the job gets done.
- Evidence and impact – an audit that has been directed effectively and performed independently provides the firm with an external and independent assessment that will have more impact than an internal audit. This evidence that the firm is ready and willing to be assessed and challenged by an independent party is useful when it comes to demonstrating compliance to the regulator or liaising with Insurers to discuss your approach to risk when negotiating renewals.
Auditing is part of The Strategic Partners standard risk, compliance and AML service or you can access our auditors on a stand alone basis. Rates are cost effective and we ensure that appropriately skilled auditors undertake the audits and report back the findings.
At The Strategic Partner, we work with firms to enhance their defences through the implementation of robust policies and procedures that work. Our Standard, Risk Compliance and AML solutions deliver firms a robust and effective compliance infrastructure.
For as little as £215 a month a firm can be assured of compliance with the regulations and more than that will ensure their staff know what to do and when to protect the firm.
For more information on our risk and compliance products, you can click on the links below, visit our website www.thestrategicpartner.co.uk, email us firstname.lastname@example.org or call us on 020 3911 9710.