While auditors spend a great deal of time and energy scrutinizing processes, analyzing procedures and transactions, and identifying control weaknesses, the real value we add to organizations resides in our audit recommendations.
Management expects auditors to leverage our business knowledge and root cause analysis skills to suggest process improvements that mitigate risks, improve efficiency, and align with the business objectives in the short and long term.
Internal audit teams must also decide on the extent of recommendations to address the identified problems. Potential approaches can vary from “just fix it” to providing a very detailed list of steps, depending on the company culture, risk appetite, audit group maturity, and other factors.
Here, I’ll consider some approaches to providing management with recommendations that best demonstrate the consulting aspect of our profession.
1) Identify Root Cause(s)
Yes, we have a finding, but what is behind it? Some issues seem easy to fix, but more problems may be lurking under the surface. For example, the finding “The report did not include an acknowledgement signature” is easy enough to remedy. The obvious thought would be, “well, sign it!” While this could be considered an effective solution, if we don’t identify the root cause, it is highly likely that the situation will recur. Potential causes of the real problem could include:
- No one was appointed as responsible for signing
- The person who used to sign has left the organization
- There is no procedure indicating who is responsible
- Accountability is not clear
- No priority was assigned to the task
Another example: “Manual Journal Entries (MJEs) are not approved by a supervisor.” The auditor must gather and write down all the facts. In this example, any of the following could be the case:
- There is no formal procedure or policy to enforce approval
- The supervisor left the position, and a new person has not yet been appointed
- The MJE requestor and approver are the same person
- Only specific MJEs require approval
Through conversations with auditees and process walkthroughs, the auditor is in a privileged position to identify the factors triggering the issue and get to the root cause. Once identified, these need to be discussed with management to ensure alignment.
2) Write Down the Finding
Once an internal auditor encounters a control weakness, the focus must be on the facts, without judging the situation or its circumstances. The internal auditor must stay objective at all times in evaluating the situation and the impact on the process performance, taking into consideration the business objectives and risk appetite.
Based on the information gathered and the identified facts, the auditor can write down the issue. For example: “From a sample of xx MJEs, representing x% of the population and y% of the value, it was noted that yy MJEs did not have an associated formal approval due to ________. Lack of MJE approval oversight may cause ________.”
3) Make the Recommendation
Audit recommendations consist of guidance that highlights actions to be taken by management. When implemented, process risks should be mitigated, and performance should be enhanced. Depending on the company culture, and the issue impact, recommendations can be more or less detailed. Auditors must find a balance between being too simplistic and providing overly detailed procedures that attempt to do management’s job. Also, the relevance and seriousness of the finding will influence the tone of the report. For example: “Management could / should / or must take the following actions…”
Types of recommendations:
Depending on the relevance and complexity of the noted issues, the level of the corresponding recommendations may vary. Here, I have tried to establish some categories:
Straight actions: When the root cause has been accurately identified, the auditor can advise specific, achievable actions. In certain cases, these can be implemented during fieldwork, and the report can point this out by marking the issue as “addressed.” For example: “The AP clerk should be trained on how to process certain payment types to ensure the right coding is used.” The recommendation is very specific, but it is still up to management to decide the means and timing to achieve this goal. If the training occurred during fieldwork, the issue can be categorized as “addressed.”
Generic: There are instances where more than one business group is involved in the resolution of an issue and it will take joint efforts to define the actions to address it. As this is a more complex situation, the auditor can provide guidance in the recommendation, but probably not a detailed plan of action. For example, the recommendation might read: “Supervisors should inform HR and IT simultaneously of any changes in their organizations (new hires, transfers and departures) to ensure appropriate user profiles are maintained. A formal procedure must be defined to ensure this is accomplished. In addition, IT may propose tools to expedite this process and keep data access restricted to a need-to-know basis.” In this case, the auditor leaves the options open but establishes minimum requirements.
Detailed: When the organization is still on a learning curve, and the internal auditor has subject matter expert (SME) level knowledge of the audited process, a very specific recommendation can be provided. For example, the recommendation may read: “A procedure on deferred revenue management and booking must be defined. At a minimum, the procedure should include: a), b), c) … Once defined, the procedure must be formally approved by all relevant stakeholders and training should be provided to all parties involved with the process. The procedure should be incorporated into the on-boarding training for new finance employees. Training records should be kept on file to demonstrate compliance with this requirement.” In this example, the recommendation gives management sufficient guidance to ensure all compliance requirements are taken into consideration.
4) Management Action Plans (MAPs)
Next, coordinate efforts with stakeholders. As mentioned above, the auditor is in a unique position to work across silos and identify process breakdowns caused by poor communication, lack of formality, undefined accountability, resource constraints, insufficient segregation of duties, redundancies, and other difficulties. As an internal consultant, the internal auditor not only helps management recognize these instances but is also an agent of change with a process-improvement mindset. From the beginning of the audit, it must be clear to the auditee that the auditors are on the same team as they are, and that the overall objective is to improve the level of comfort that stakeholders have with the company’s internal control performance. Being an ally of management will facilitate the auditors’ work by easing communication and helping to produce feasible and practical recommendations.
When management receives the audit report, they are required to provide the set of actions that will address the audit findings. These actions are commonly known as Management Action Plans.
While MAPs are the responsibility of management, they will often seek internal audit’s input. In general, I recommend that auditees follow the SMART methodology:
S – Specific: To the extent possible, ambiguity should be avoided. Defined actions should be specific. For instance, “personnel will be trained” is not as specific as: “Procurement personnel will be trained in these specific procedures …”
M – Measurable: You cannot manage a process that cannot be measured. Keeping this in mind will allow process owners to identify process-related measures. For instance, “By June, 80 percent of the procurement area personnel will be trained in these specific procedures, and by December all personnel, including new employees, should have completed training.”
A – Achievable: Each action plan item should be attainable for the group and the overall organization. For example, “All Manual Journal Entries (MJEs) will be reviewed and approved by a supervisor” would be difficult to achieve: in a mid-size company, a position would have to be created just to comply with this action plan, given the volume. However, “All MJEs above the company-defined threshold will be reviewed and approved by a supervisor” is an action that addresses the risk and can be achieved with reasonable effort.
R – Relevant: Consider whether the action plan item is aligned with the overall business goals. For example, “All Anti-Money Laundering (AML) procedures will be made available to all bank personnel” may not be as effective, since some procedures are more applicable to private banking than to retail banking.
T – Time Bound: Actions should be performed within a specific timeframe; otherwise there is a chance they will not be executed. Timely execution should be reviewed during the follow-up process as needed. MAPs can include specific dates, such as “this action will be executed by November 15, 2022,” but approximations and ranges are also acceptable, for example: “All actions will be implemented by Q2.”
Keeping these definitions in mind will allow the auditor to support management’s efforts to create and deliver MAPs that can subsequently be verified for effectiveness.
5) Follow-up
The role of the internal auditor does not end with the delivery of the audit report. Once the time established in the MAPs has elapsed, the auditor must verify that the committed actions were implemented and that they addressed the identified risks. Only then is the audit cycle complete. Don’t neglect the follow-up process!
Following these steps will not ensure that every issue internal audit identifies is magically fixed, but it will improve the recommendations that internal audit provides to management. It’s not enough for internal audit to point out problems and walk away. To provide real value to the organization, internal audit can play a vital role in advising on solutions and ensuring the hard work of remediation is completed. Better audit recommendations will go a long way toward achieving those goals.
Hector Garcia is an active community member of Auditopia, a new learning and collaboration platform for internal auditors, and also a LinkedIn creator.
Great article. Something to consider with ambiguous time based completion dates – If remediation of the finding is to be completed by Q2 why not just say, for example, June 30th. It is specific and helps with when to follow up. If it is completed at some earlier date in Q2 then Management can celebrate the success.
Great article, SMART recommendations enrich remedial processes after audit.
Great Article. Major takeaways for me are: 1.) Don’t neglect the follow-up process! 2.) The real value IAs add to organizations resides in our audit recommendations. 3.) Ensure your recommendations are SMART.
Great article. It helps us internal auditors to understand how we add value to our organizations. We must work with the auditees to proffer SMART recommendations.
Very informative article. Yes, recommendations have to be agreed by audit clients, should be relevant to the business and actionable. That is why validation of audit findings is a crucial part of the fieldwork as that gives the opportunity to the audit client to give feedback before the conclusion of the audit.
Great article, the key to value addition is collaboration between the auditors and the auditees, else nothing is done, and audit effort is wasted. Read it with satisfaction that my team is on the right track!
This was insightful. Identifying the root cause is often the missing link between the finding and the cause. Thank you.