GUEST BLOG POST
I recently wrote about an inherent problem with some audit reports. I discussed the fact that some auditors believe they can persuade management with an audit report to take action to correct a deficiency. I pointed out that a report is far less persuasive than a face-to-face discussion, with both management and the auditor sharing and listening openly to each other.
One of the people who commented on the piece talked about a management failure: failing to follow through and take the actions they had agreed in the audit report. As I read and considered the point, I came to believe that the writer was talking about this:
- The auditor drafts a report, discusses it with management, and makes recommendations for corrective actions.
- Operating management reply in writing, which is included in the audit report, that they agree and will take defined actions by a certain time.
- The due date passes without the actions being taken.
The author of the comment said this was 100 percent a management failure, but I’m not so sure. There is certainly a failure of management to keep their commitment, and this needs to be discussed with them and probably their management. It may be indicative of another and more serious problem with management. But sadly there is often an internal audit failure as well.
We might have one or more of these situations:
1 Management agreed on the facts, but not whether they indicated a risk of significance. As a result, even though they committed to taking action, they did not make it a priority.
Maybe they agreed because “the auditors tell us to do it”. They may fear disagreement and how it would look to senior management or the board.
When I was a vice president in IT, my information security team was subjected to an internal audit (deliberate wording).
One of the issues identified by the auditor related to the way in which we allowed our senior executives to dial in to our data center from home. (This was before remote access was through the internet. Back in those dark days, the executives used a modem to call a dedicated phone number attached to a security device that allowed them access after providing their userid and password.)
The auditor read in a book by IBM provided to him by his manager that the company needed to change phone numbers at least monthly. The “risk” was that a hacker could detect the phone number by attaching a device to the executive’s phone line and use it to gain access to our data center and its systems.
Even though the auditor agreed that a hacker would need a dial-in userid and password before accessing our operating system, a different userid and password for the operating system, and yet another userid and password for each application, he included this as a “high” risk in his audit report. He recommended that we change phone numbers every month.
In a meeting with the auditor, after he agreed with the facts, I pointed out the disruption that would be caused by constantly changing the dial-up phone number. Every month, our help desk would be besieged by angry and frustrated executives demanding not only that we provide them the correct number, but to stop the insanity. Nevertheless, his manager insisted on including this as a high risk in the audit report.
I provided my response, disagreeing with the rating of high risk and explaining why this was the wrong action to take for the business.
I received a call from my boss’ boss, an executive vice president and direct report to the CEO. He told me that management never disagreed with the auditor. We had a “constructive” discussion about it, with neither of us willing to concede the point.
I have seen this before, where management is afraid of how it would look if they disagreed with the internal auditor. So, they agree on paper and delay in practice.
2 While management agrees to the auditor’s recommendation, they don’t see it as a priority. They have more important issues to address that require the same resources.
The auditor is happy that management agrees with the finding and recommendation. However, they don’t seek to understand management’s other priorities.
I had this with the same audit of information security. The auditor had taken every item in our information security software implementation project plan and made it a recommendation. They did not indicate that we had already identified the need and it was on our schedule. Instead, they “recommended” (read as “insisted”) that we complete each item within a month or two, ahead of plan.
When I pointed out that we didn’t have the resources to move more quickly, let alone that it was high risk to move too fast, they stood their ground. They agreed my team had properly prioritized each task in the project and that we couldn’t move faster. Nevertheless, that is what they recommended. I asked that they say something about resources being limited, but they would not. At the direction of my management, we agreed to the recommendation but continued to proceed at the pace indicated in our audit plan.
3 When I was with Tosco, we agreed to acquire refineries and other assets from BP on the West Coast. I asked my counterpart at BP for copies of any audit reports for those operations, which I received soon after.
One of the audits was of the refinery at Ferndale in Washington state. The auditor had made many recommendations, including one to remove access by receiving personnel to information about what had been ordered. As a result, they would no longer be able to check that the items received were the items ordered, including whether the quantities were correct.
The action was countermanded when more senior management got involved, after they read the audit report.
The auditors were not informed of the change in plans. They only found out when they followed up to confirm the recommended actions had been taken.
4 I have seen situations where management agreed with the recommendation but later decided there was a better response. They took business-appropriate actions in response to the risk, but they were not the actions recommended by the auditors.
I want to make a few points:
- Make sure, by listening openly and collaboratively to management, that you understand the true business risk and how significant it is to the business.
- Take the time to identify and address the root cause(s), not just the symptoms. Be brave enough to suggest that management hasn’t sufficient or the right people if that is the case.
- Discuss the options for addressing the risk, including how difficult and time-consuming they might be – and whether there would be other consequences. For example, would fixing one risk prevent management from having the resources to fix another one, or seize an important opportunity?
- Don’t ask management to do what you wouldn’t do in their shoes!
- Make sure management recognizes, truly, that it is in their own interests to take the actions. It will improve the likelihood and extent of their own success, as well as that of the organization. If they don’t believe it, they may not do it. They need to want to take the actions, they need to own them. They aren’t doing them just because the auditor said so.
- If they understand the facts and their implications but don’t believe it represents an issue deserving prompt action, why should we? Is our understanding and assessment faulty?
In other words, don’t just sell your finding. Make sure you have a committed buyer. Management will 100 percent deliver on actions they believe are high priority and in their own interests. They will dawdle if the only reason to take action is “the auditor told us to do it.”
I welcome your thoughts.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
Great article! I agree with most of the things you said. When Auditors start looking at the their recommendations as requirements, we’ve crossed the line to making management decisions. And that’s not allowed. Audit is a tool that management MAY use if they want to. It’s only advisory.
However, I don’t think Audit should automatically cave when they think there is a significant risk that is not being addressed. I would suggest raising it to the next level and if management still does not think the risk is significant, they have the right to accept the risk. Audit has done it’s job by raising the concern to the proper level. Audit just needs to make sure it keeps all of the information in its workpapers in case the issue ever comes up.
While I commend you for the article, I quite agree with Jonnie T. Keith on his submissions without any reservations.
Very interesting article, I believe Internal auditors keep their right as an independent function to raise any concern that poses a higher risk to the organization and recommend any further control that decreases the gap between inherent risk risk appetite of the organization. in other side i am agree that the management has their own right to accept the internal audit recommendation or take their own action in order to deal with a certain situation.
Waiting for your next articles Noman.
Thank you!
Great article shared. Thanks for the insight. However, in my view, internal auditors should purpose to provide best practice in the industry irrespective of the company’s ability to implement in a given time. Governance and management are continuous improvement processes and Internal Auditors should not shy away from giving the best-practice-based recommendations.