This is the seventh in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: recommendation. The focus will be on the use of data analytics to assist you in determining the recommendation.
In simple terms, the recommendation is the action that management should take – putting in a control, changing a business process, etc. If the other components of the finding were done correctly, it should be the easiest to define. Nevertheless, I have seen many people make fundamental mistakes in developing a recommendation.
- Not linked to the audit objective. All recommendations should be linked back to the original audit objective. However, there will be times when unexpected events arise and demand audit attention. This could be learning of a fraud or circumstances that were not included in the audit objectives but cannot be ignored. For example, I was conducting an audit of an application system that was being developed to manage major capital projects. The focus was on whether the IT system would meet the requirements, be delivered on time and on budget. During the onsite work, I was told about fraudulent contracting practices in another area. The information provided was enough to indicate that it was highly likely that a fraud was occurring, but it was not within the scope (or objectives) of my audit. In this case, I reported the allegations to my senior management, and they kick-started a second audit in the area with the focus on contracting practices.
Unfortunately, I have also seen instances where the audit team develops recommendations that are not covered by the audit objectives. For example, when looking at the contracting practices with an audit focus on consistency with the contract rules and regulations, a recommendation related to ‘timing’ was introduced at the reporting stage. The auditors thought that it was taking too long for the procurement division to issue a contract. The problem with doing this is often closely related to problem #2.
- No criteria. In the contracting audit, the team determined that it was taking an average of 30 days to issue a contract. They felt that this was delaying the purchase process and affecting operations. Sounds like a reasonable start on an impact statement, but the observation was based on audit’s feeling that 30 days was too long. They had not developed, and vetted, criteria for this observation.
- Not supported. The audit objectives and criteria are in place to support the observation, but there is insufficient evidence to support the recommendation. When challenged, I have been told by auditors that they felt “X” was the case, and management did not disagree when it was raised in the debrief meeting. The IIA standards are clear: sufficient evidence and analysis must be done to validate the finding. The work should be robust enough that another auditor, performing the same tests, would arrive at the same conclusion.
There are options that can be considered when properly validated and supported observations arise during an audit. The initial audit objective can be modified to include additional sub-objectives, if these are supported by criteria. The modified audit objective and criteria should be approved by client management and, depending on the seriousness, may need audit committee approval as well. Another option is the issuance of a management letter addressing the issue. The advantage of a management letter is that it can be timelier than a revised audit objective. This may be advantageous when dealing with a serious control weakness which may have an environmental or health and safety impact. In other cases, it is useful to deal with extraneous findings because management is not required to provide a response (management action plan). The third option is launching a separate audit. This has happened to me a few times when I was doing the first audit in an area, such as a new acquisition, and casting a wider net than usual. Basically, doing a risk assessment of the entity while conducting an audit in a specific area. However, it was clear to client management that we were using the audit to update our risk-based audit plan to include the newly acquired area.
Given the importance of the recommendations, from an audit reputation and other factors, the review of the audit by the team lead, manager, and quality assurance function should include a mapping of the Objectives to the Criteria; the Criteria to the Tests to be performed (Analytics); and the Recommendations to the Audit Objective and the Criteria.
This type of review should be done at the end of the planning phase to ensure that the audit work program is addressing all the audit objectives.

It should also be done at the reporting phase to ensure that all objectives have been addressed and that recommendations are supported.

After all the planning and work done during the conduct, the recommendations should be supported and provide value to client management.