Even if the auditor does a great job of planning, conduct, analysis, and follow-up, the real value of the audit will be absent if the recommendations miss the mark.
Audit planning should be focused on two main objectives: identify the risk and design an audit program that will assess the risk. Risk affects the achievement of organizational goals and objectives. Capitalizing on positive risks will increase the achievement of these objectives. Failing to address negative risks will decrease the achievement of organizational objectives. Audit should consider whether the organization is exploiting positive risks and mitigating the impacts of negative risks.
The design of the audit program should ensure that the appropriate resources are applied to the audit objectives. Years ago, the notion of the integrated auditor was touted – an auditor that had a vast array of skills and knowledge. Fortunately, this was replaced by the integrated audit team – where the team collectively had the skill and knowledge necessary to perform the audit efficiently and effectively. I would be remiss if I didn’t mention that the use of data analytics should always be considered in the planning phase: not only to identify and assess risks, but also to support the conduct, reporting and follow-up phases of the audit.
The audit program should be designed such that, if followed, it will allow the auditors to conclude on the audit objective. Too often I have seen examples where the audit workplan did not address all the objectives of the audit. For example, if you have “The accounts payable process supports the timely and accurate payment of approved invoices” as the audit objective, then your workplan should have steps to assess the timeliness, accuracy, and approval of invoices, not simply the identification of duplicates. The workplan steps must be supported by defined and accepted criteria; be executable by the audit team; and, when executed, allow the auditor to conclude on the audit objective(s). Further, the audit workplan should identify the root cause of the risk, control weakness, etc.
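As an added illustration (not from the original article), the following analytics step tests each part of the accounts payable objective above, timeliness, accuracy and approval, alongside the duplicate check, and quantifies the impact for the ‘so what’ of the recommendation. The invoice records, field names and tolerance are constructed assumptions.

```python
from datetime import date

# Constructed sample payment records (hypothetical values, not from the article).
INVOICES = [
    {"id": "INV-1001", "vendor": "Acme", "invoice_amount": 1200.00, "paid_amount": 1200.00,
     "due": date(2024, 3, 1), "paid": date(2024, 2, 27), "approver": "jdoe"},
    {"id": "INV-1002", "vendor": "Acme", "invoice_amount": 1200.00, "paid_amount": 1200.00,
     "due": date(2024, 3, 1), "paid": date(2024, 3, 4), "approver": "jdoe"},    # duplicate of 1001, paid late
    {"id": "INV-1003", "vendor": "Globex", "invoice_amount": 540.50, "paid_amount": 545.00,
     "due": date(2024, 3, 10), "paid": date(2024, 3, 8), "approver": "asmith"}, # paid amount differs
    {"id": "INV-1004", "vendor": "Initech", "invoice_amount": 9800.00, "paid_amount": 9800.00,
     "due": date(2024, 3, 15), "paid": date(2024, 4, 2), "approver": None},     # no approver, paid late
]

def assess_ap(invoices, tolerance=0.01):
    """One workplan step per element of the objective: timely, accurate, approved (plus duplicates)."""
    findings = {"late": [], "inaccurate": [], "unapproved": [], "duplicate": []}
    seen = {}
    for inv in invoices:
        if inv["paid"] > inv["due"]:                                   # timeliness criterion
            findings["late"].append(inv["id"])
        if abs(inv["paid_amount"] - inv["invoice_amount"]) > tolerance: # accuracy criterion
            findings["inaccurate"].append(inv["id"])
        if not inv["approver"]:                                        # approval criterion
            findings["unapproved"].append(inv["id"])
        key = (inv["vendor"], round(inv["invoice_amount"], 2))        # same vendor + amount = duplicate
        if key in seen:
            findings["duplicate"].append(inv["id"])
        else:
            seen[key] = inv["id"]
    return findings

def impact_statement(invoices, findings):
    """Quantify the findings so the recommendation carries a defensible impact."""
    by_id = {inv["id"]: inv for inv in invoices}
    return {
        "late_value": sum(by_id[i]["paid_amount"] for i in findings["late"]),
        "late_days_total": sum((by_id[i]["paid"] - by_id[i]["due"]).days for i in findings["late"]),
        "overpayment": sum(by_id[i]["paid_amount"] - by_id[i]["invoice_amount"] for i in findings["inaccurate"]),
        "unapproved_value": sum(by_id[i]["paid_amount"] for i in findings["unapproved"]),
        "duplicate_value": sum(by_id[i]["paid_amount"] for i in findings["duplicate"]),
    }

if __name__ == "__main__":
    found = assess_ap(INVOICES)
    print(found)
    print(impact_statement(INVOICES, found))
```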
Given that the audit employed a clear objective – based on risk – and executed a well-designed audit program, the recommendations are the final important task to be performed. Recommendations should be SMART.
- Specific – the recommendation should provide sufficient information to allow management to understand the nature of the risk and what needs to be done to mitigate it.
- Meaningful and Measurable – to encourage management to act on the issue identified, the recommendation should identify the impact (the ‘so what’). In addition, there should be a process in place to allow the auditors (and senior management) to see the impact of the actions taken.
- Accountable and Attainable – the recommendation should identify the parties that have the responsibility and accountability for taking the necessary action. The recommendations must also be focused on actions that management can implement.
- Reactive – the recommendation should address the root cause, not the symptoms; and the actions taken by management should have a direct impact on the risk.
- Timely – the recommendation should be made in a timely manner. Sometimes this will mean raising the issue to management’s attention before the audit has even been completed rather than waiting for the official report.
- Take time at the beginning of the audit to consider the audit objective. Ensure that the audit objective will identify the root causes of the risks in the various business processes. Ensure that you have the proper criteria and audit steps to allow you to deliver on the audit objective.
- Ensure that your analysis allows you to identify the impact of the symptoms found so that you will be able to gain support for the recommended process changes. Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible impact statement. And repeat the ‘why’ question to get to the root cause of the symptoms to eliminate future risks.
- Ensure that your recommendations are implementable, cost-effective, address the root cause, and identify the appropriate position that can act on them.
This article has 2 Comments
Dave, great recommendations. Some of my thoughts and criteria that you may also consider. As Dave stated, make sure your recommendation to address the risk does not exceed the cost of the risk to mitigate. When I would recommend a potential control to address a risk, I would also ask the auditee if they have a better control that would mitigate a risk. In addition, I would ask the auditee to provide me a target date as to when they would implement the agreed upon recommendation and in the follow-up audit, I can refer to whether or not it was implemented by this target date. In the event the auditee does not agree to address implementing any control to address the identified risk, I ask the auditee if they are willing to accept the risk and if so, I would include this within the audit report. Stating this to the auditee usually has the auditee reconsider accepting a risk and then consider an action to mitigate the risk.
George – excellent points. First, I work with the client to determine if the level of risk is acceptable or not. If it is acceptable, I encourage them to provide a written response that indicates that they understand the risk and accept it. Often they are surprised that audit is not ‘forcing’ a recommendation on them. I say it is a ‘recommendation’ and they have the ultimate decision. If they are not willing to accept the risk, I try to work with the client to determine what they feel will address the risk – as long as it addresses the root cause. This way they have ownership in the recommendation. I also encourage them to consider operational constraints when arriving at a target date.