For internal auditors, there may be nothing as frustrating as going back to an audit and finding the same deficiencies and problems year after year, audit after audit. It’s not uncommon for process owners and units to ignore audit findings and fail to make the recommended changes or fixes. When it happens, it creates tension between auditors and auditees, leaves internal auditors feeling that their work is futile, and puts companies at risk.
Once auditors review and then recommend changes to an operations process, they should have reason to feel confident their recommendations will enhance controls and performance. So what can they do when auditees show no sign of implementing the recommendations?
To start, it helps to understand why operational managers sometimes ignore audit findings. Time and budget constraints often come into play. Managers may feel—rightly or not—they lack the resources needed to implement the recommendations.
That’s especially true if management believes the report focuses on immaterial and irrelevant items, so, in their eyes, it’s not worth diverting resources from other priorities. “The findings should have proximity to things that are important to the entities’ objectives,” says Phillip Austin, national assurance managing partner with BDO.
Communicating the value of an audit is just as important. Letting auditees know, for example, a previous audit helped a department cut expenses or improved its performance can help convince them the work required to complete an audit pays off and that the audit findings are meaningful.
Once an audit concludes, auditees need to know the specific actions to take to address the root causes of a problem. Sandy Pundmann, head of Deloitte’s U.S. internal audit practice, provides an example: an audit finds that access to computer applications for 5 of 20 former employees wasn’t terminated in a timely manner. Management fixes the five specific instances, but doesn’t put in place a process to ensure proper access controls in the future.
“If people aren’t fixing things, often it is because we didn’t make it clear exactly what should be fixed,” Pundmann says. The specific steps needed to fix the root problem should accompany the report, she says. In the above example, this might be establishing a process to automatically notify HR and IT of an employee’s last day.
Audit reports should also specify the individuals responsible for addressing findings and a deadline for when the work should be done, Pundmann says. “Don’t just say ‘management will address,’ but name the person, and give a due date,” she says. “Make it clear what he or she should do, the deadline, and how to document it.”
Establish Partnerships
The work needed to increase the likelihood the audit recommendations will be implemented starts before the audit even begins. Before his team begins an audit, Stephen Young, vice president of internal audit at Chicago-based manufacturer MacLean-Fogg, draws up a partnership agreement that lays out the terms of engagement, including the time and information Young and his team will need. “We try to make it clear that we’re trying to minimize the disruption,” he says. In return, the auditee agrees to reasonably provide the needed information and resources.
At the audit’s conclusion, Young and his team talk with the operational managers to reach agreement on the risks identified, the actions to be taken, the individuals who will take them, and the deadline. By acting jointly, “it’s not outsiders coming in and telling them what to do,” he says. “They have some ownership.”
If a manager disagrees with a finding, the auditors may take a closer look, Young says. Many times, however, the process owners have known improvements are needed, but haven’t had the time and resources to initiate them. “This gives them an opportunity to voice their concerns,” he says.
Foster Audit Transparency
Transparency is critical throughout an audit, says Phil Benvenuti, senior director of internal audit at software company Pegasystems Inc. in Cambridge, Mass. He and his team talk with management as they conduct their review, providing the managers, many of whom have worked in an area for years, an opportunity to offer input on their view of the risk an issue may pose.
Benvenuti and his team also ask for auditees’ input on how quickly they can act. That’s not to say they leave it entirely to them, especially if the deadline proposed is deemed too lax. “If they say it will be four months, we may ask if three months is reasonable,” he says. If the issue is significant and they can’t reach agreement on the time frame, they may bring it to executive management.
Benvenuti sometimes will bring together two departments when it’s clear that addressing an audit finding in one area requires support from another, like information technology. “I’ll broker a meeting between the two groups and let them know the issue and the help we need,” he says.
Rick Walke, vice president of internal audit and compliance at Indianapolis-based Forum Credit Union, also works to partner with operational managers. This helps both in identifying the root causes behind any issues and in gaining buy-in to complete the actions needed to address the audit findings.
When an audit revealed, for example, that a few branches weren’t providing all the documentation required to open special account types, Walke brought together managers at various levels. During discussions, it became clear a discrepancy had developed between the policies in the procedure book and the way in which an updated, automated process worked. “As we move to automate more processes, we’re making sure we’re updating old procedures to match the automated process,” he says. Because operational management helped identify the root cause of the problem and develop a response, they were on board with the solution, he says.
Create a Remediation Process
Walke also tries not to nit-pick things when deciding what to include in the audit report. “We make sure the items we identify have a high impact to the organization,” he says.
To be sure, it’s possible internal audit and a line manager will hold varying opinions on the importance of an audit finding. This may reflect genuine differences of opinion. It also may be that the line manager isn’t comfortable having his performance evaluated. Or, it could be the manager is taking action that treads close to the edge of what’s proper and legal.
Whatever the reason, the internal auditor can ask executive management or the board to weigh in. In following up, the chief audit executive should remain both objective and tenacious in ensuring the finding is addressed. “Stick with it,” Austin says. For instance, if the manager isn’t taking the actions needed, the CAE can raise the issue with a supervisor, and then with an executive member, and on up the organizational chart, depending on the issue and its importance.
An established follow-up process should provide transparency, so all parties know how an issue will escalate and when. For instance, in Young’s organization, if an issue isn’t resolved 30 days after the deadline, and the client hasn’t received an extension, auditees know the CFO and vice president for the division generally will be alerted, he says. And some issues with immediate urgency will elevate much faster. When an audit identifies conflicts of interest, for example, it will need to be addressed immediately.
After sixty days of inaction, the company CFO typically is notified. Ninety days after the agreed-upon due date, an alert goes to the company president. Everyone has agreed to the findings up front, and they’re copied on all follow-up, Young notes. This keeps all processes out in the open. The follow-up notices are automatically generated, freeing staff time and minimizing the risk a deadline is inadvertently overlooked.
Companies with an established audit finding remediation process will have much greater success in ensuring findings don’t go ignored. A formal process for open issues will also ensure that internal auditors don’t have to play the role of the nudge, constantly nagging operational units to address findings.
Getting the Board Involved
At times, despite everyone’s efforts at partnership, transparency, and follow-up, a manager still ignores a finding. Bethmara Kessler, a certified fraud examiner and regent with the Association of Certified Fraud Examiners, as well as a consultant, spent much of her career in audit and compliance. When her team ran into trouble getting management to act on a recommendation, she would sometimes talk with the audit committee prior to a board meeting and ask them to request a status report on all audit recommendations. “You can plant a bug,” she says. This gives visibility to the concerns, without “coming down with a hammer” on management.
Even before such a situation occurs, the chief audit executive should have established a reporting line to executive leadership that’s outside operating management, Austin notes. Having executive support not only lends an audit team credibility, but it allows the auditor to confidentially bring up concerns to leadership and obtain their assessment of the risk.
Potential Foul Play
Ignored audit findings could also be an indication that something more nefarious is at play. What if management’s foot-dragging on implementing the audit findings starts to feel like something other than a lack of resources or a dismissal of the risk in question? To start, don’t rationalize away your gut instinct, says ACFE’s Kessler. “Don’t ignore and push it aside.”
Instead, talk with the areas that handle compliance and investigations—typically, the general counsel or compliance, Kessler says. If they agree that something about the situation feels wrong, they can move the issue outside of audit and follow the organization’s protocols to initiate an investigation.
Ideally, the company will already have established procedures it can turn to in the event this occurs, says Deloitte’s Pundmann. “Think about it before it happens,” she says.
If the internal audit function is to provide value to the organization, it must be auditing what matters and what is related to the most pressing risks. So when problems are identified, it’s important that they are addressed. Creating a process for setting deadlines to fix open audit findings, and to elevate them when they are not, can go a long way to ensuring that they don’t go ignored, alleviating frustration for internal audit and safeguarding the relevance of the entire function.
Karen Kroll is a business writer based in Minneapolis, Minn.