Even if the auditor does a great job of planning, conduct, analysis, and follow-up, the real value of the audit will be absent if the recommendations miss the mark.
Audit planning should be focused on two main objectives: identify the risk and design an audit program that will assess the risk. Risk affects the achievement of organizational goals and objectives. Capitalizing on positive risks will increase the achievement of these objectives. Failing to address negative risks will decrease the achievement of organizational objectives. Audit should consider whether the organization is exploiting positive risks and mitigating the impacts of negative risks.
The design of the audit program should ensure that the appropriate resources are applied to the audit objectives. Years ago, the notion of the integrated auditor was touted – an auditor who had a vast array of skills and knowledge. Fortunately, this was replaced by the integrated audit team – where the team collectively had the skill and knowledge necessary to perform the audit efficiently and effectively. I would be remiss if I didn’t mention that the use of data analytics should always be considered in the planning phase, not only to identify and assess risks, but also to support the conduct, reporting and follow-up phases of the audit.
The audit program should be designed such that, if followed, it will allow the auditors to conclude on the audit objective. Too often I have seen examples where the audit workplan did not address all the objectives of the audit. For example, if you have “The accounts payable process supports the timely and accurate payment of approved invoices” as the audit objective, then your workplan should have steps to assess the timeliness, accuracy, and approval of invoices, not simply the identification of duplicates. The workplan steps must be supported by defined and accepted criteria; be executable by the audit team; and, when executed, allow the auditor to conclude on the audit objective(s). Further, the audit workplan should identify the root cause of the risk, control weakness, etc.
Given that the audit employed a clear objective – based on risk – and executed a well-designed audit program, the recommendations are the final important task to be performed. Recommendations should be SMART.
- Specific – the recommendation should provide sufficient information to allow management to understand the nature of the risk and what needs to be done to mitigate it.
- Meaningful and Measurable – to encourage management to act on the issue identified, the recommendation should identify the impact (the ‘so what’). In addition, there should be a process in place to allow the auditors (and senior management) to see the impact of the actions taken.
- Accountable and Attainable – the recommendation should identify the parties that have the responsibility and accountability for taking the necessary action. The recommendations must also be focused on actions that management can implement.
- Reactive – the recommendation should address the root cause, not the symptoms; and the actions taken by management should have a direct impact on the risk.
- Timely – the recommendation should be made in a timely manner. Sometimes this will mean raising the issue to management’s attention before the audit has even been completed rather than waiting for the official report.
- Take time at the beginning of the audit to consider the audit objective. Ensure that the audit objective will identify the root causes of the risks in the various business processes. Ensure that you have the proper criteria and audit steps to allow you to deliver on the audit objective.
- Ensure that your analysis allows you to identify the impact of the symptoms found so that you will be able to gain support for the recommended process changes. Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible impact statement. And repeat the ‘why’ question to get to the root cause of the symptoms to eliminate future risks.
- Ensure that your recommendations are implementable, cost-effective, address the root cause, and identify the appropriate position that can act on them.