Making recommendations that make sense
I have seen and read many articles about audit trends, techniques, processes, etc., but they rarely touch on the recommendations we make to the auditee. That is my motivation for writing down my thoughts on this part of the audit process, which I consider critical.
Although auditors spend a great deal of time and energy walking through processes, analyzing procedures and transactions, and identifying control weaknesses, the real value we add to organizations resides in our recommendations. Management expects auditors to leverage their business knowledge and root cause analysis skills to suggest process improvements that mitigate risks, improve process efficiency, and are aligned with the business objectives in the short and long term.
Audit groups can decide on the level of detail of the recommendations that address the identified issues. Approaches range from "Just fix it" to a very detailed list of steps, depending on company culture, risk appetite, audit group maturity, and other factors. The objective of this article is to give the reader guidance on how to provide management with recommendations that show the consulting aspect of our profession.
1st The root cause
Yes, we have a finding, but what about it? Some issues are easy fixes, for instance "the report did not include an acknowledgement signature". The obvious thought could be "Well, sign it!". Although this could be considered an effective solution, if we do not identify the root cause it is highly likely that the situation will recur. Potential causes could include:
· No person was appointed as responsible for signing
· The person who used to sign left the company
· There is no procedure indicating who is responsible
· Accountability is not clear
· No priority was assigned to the task
Another example: "Manual Journal Entries (MJEs) are not approved by a supervisor". The auditor must gather and write down all the facts. In this example, any of the following could be the case:
· There is no formal procedure or policy to enforce approval
· The supervisor left the position, and a replacement has not yet been appointed
· The MJE requestor and approver are the same person
· Only specific MJEs require approval
Through conversations with auditees and process walkthroughs, the auditor is in a privileged position to identify the factors triggering the issue. Once noted, these need to be discussed with management to ensure alignment.
2nd Write down the finding
Once the auditor encounters a control weakness, the focus must be on the facts, without judging the situation or its circumstances. The auditor must stay objective at all times in evaluating the situation and its impact on process performance, taking into consideration the business objectives and risk appetite.
Based on the information gathered and the identified facts, the auditor can write up the issue. For instance: "From a sample of xx MJEs, representing x% of the population and y% of the value, it was noted that yy MJEs did not have an associated formal approval due to ________. MJE approval oversight may cause ________."
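As an added example that is not part of the original article: a small Python script of the kind an auditor could use to run the MJE approval test over a sample and compute the coverage figures the finding text above needs (sample size as a percentage of the population by count and by value, and the number of exceptions). The journal entries, field names and the approval threshold are constructed assumptions. The threshold rule mirrors the "above the company-defined threshold" action discussed under Achievable below, and an entry approved by its own requestor is flagged as a segregation-of-duties exception rather than counted as approved.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for illustration; not the author's figures.
# Field names and the approval threshold are assumptions.


@dataclass
class MJE:
    entry_id: str
    amount: float
    requestor: str
    approver: Optional[str]  # None when no formal approval is on file


POPULATION = [
    MJE("JE-1001", 1_200.0, "alice", "bob"),
    MJE("JE-1002", 48_000.0, "carol", None),     # above threshold, unapproved
    MJE("JE-1003", 9_500.0, "dave", "dave"),     # above threshold, self-approved
    MJE("JE-1004", 300.0, "alice", None),        # below threshold, approval not required
    MJE("JE-1005", 75_000.0, "erin", "frank"),
    MJE("JE-1006", 15_000.0, "carol", None),     # above threshold, unapproved
    MJE("JE-1007", 2_500.0, "bob", "frank"),
    MJE("JE-1008", 120_000.0, "dave", "carol"),
]
SAMPLE_IDS = {"JE-1001", "JE-1002", "JE-1003", "JE-1004", "JE-1005", "JE-1006"}
THRESHOLD = 5_000.0  # assumed company-defined approval threshold


def exceptions(entry: MJE, threshold: float) -> list[str]:
    """Control exceptions for one entry; an empty list means the control operated."""
    issues = []
    if entry.amount >= threshold:
        if entry.approver is None:
            issues.append("no formal approval on file")
        elif entry.approver == entry.requestor:
            issues.append("requestor and approver are the same person")
    return issues


def run_approval_test(population: list[MJE], sample_ids: set[str], threshold: float) -> dict:
    """Run the approval test over the sample and compute the coverage figures
    the finding text needs (sample vs. population by count and by value)."""
    sample = [e for e in population if e.entry_id in sample_ids]
    pop_value = sum(e.amount for e in population)
    sample_value = sum(e.amount for e in sample)
    found = {e.entry_id: exceptions(e, threshold) for e in sample}
    found = {k: v for k, v in found.items() if v}  # keep only entries with exceptions
    return {
        "sample_count": len(sample),
        "population_count": len(population),
        "pct_of_population": round(100 * len(sample) / len(population), 1),
        "pct_of_value": round(100 * sample_value / pop_value, 1),
        "exception_count": len(found),
        "exceptions": found,
    }


def finding_text(result: dict) -> str:
    """Fill the finding template with the computed figures. The root cause and
    impact blanks are left to the auditor; they come from the walkthroughs."""
    return (
        f"From a sample of {result['sample_count']} MJEs, representing "
        f"{result['pct_of_population']}% of the population and "
        f"{result['pct_of_value']}% of the value, it was noted that "
        f"{result['exception_count']} MJEs did not have an associated independent "
        f"formal approval due to ________. MJE approval oversight may cause ________."
    )


if __name__ == "__main__":
    res = run_approval_test(POPULATION, SAMPLE_IDS, THRESHOLD)
    for entry_id, issues in res["exceptions"].items():
        print(f"{entry_id}: {'; '.join(issues)}")
    print(finding_text(res))
```

Keeping the exception detail per entry (which rule failed, not just a count) is what later lets the auditor separate root causes: unapproved entries point to a missing or unstaffed approval step, while self-approved entries point to a segregation-of-duties gap in the workflow configuration.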
3rd The recommendation
Audit recommendations consist of guidance that highlights actions to be taken by management. When implemented, process risks should be mitigated and performance enhanced. Depending on company culture and the impact of the issue, recommendations can be more or less detailed. Auditors must find a balance between being too simplistic and writing out a whole procedure. The relevance of the finding also defines the tone of the report (e.g., "Management should / could / must take the following actions...").
Types of recommendations
Depending on the relevance and complexity of the noted issues, the level of detail of the corresponding recommendation(s) may vary. Here I have tried to establish some categories:
Straight actions – When the root cause has been accurately identified, the auditor can advise achievable actions. In certain cases these can be implemented during fieldwork, and the issue can then be reported as "addressed". For example, "The AP clerk should be trained on how to book XX payment types to ensure the right coding is used". The recommendation is very specific, but it is still up to management to decide the means and timing to achieve this goal.
Generic – There are instances where more than one business group is involved in resolving an issue, and it will take joint efforts to define the actions to address it. As this is a more complex situation, the auditor can provide guidance in the recommendation. For example, "Supervisors should inform HR and IT simultaneously of any changes in their organizations to ensure appropriate maintenance of user profiles. A formal procedure must be defined to ensure this is accomplished. In addition, IT may propose tools to expedite this process and keep data access restricted to a need-to-know basis". In this case the auditor leaves the options open but establishes minimum requirements.
Detailed – When the organization's culture is at a learning-curve stage, and the auditor has Subject Matter Expert (SME) level knowledge of the audited process, a specific recommendation can be provided. For instance, "A procedure on deferred revenue management and booking must be defined. At a minimum the procedure should include: a), b), c)... Once defined, the procedure must be formally approved by all relevant stakeholders and training should be provided to all parties involved with the process. The procedure should be incorporated into the on-boarding training for new Finance employees. Training records ought to be kept on file to evidence compliance with this requirement". In this example the recommendation gives management sufficient guidance to ensure all compliance requirements are taken into consideration.
4th Management Action Plans (MAPs)
Coordinate efforts with stakeholders. As mentioned above, the auditor is in a unique position to work across silos and identify process breakdowns caused by poor communication, lack of formality, undefined accountability, resource availability, insufficient segregation of duties, redundancies, etc. As an internal consultant, the auditor not only supports management in recognizing these instances but is also an agent of change with a process improvement mindset. From the beginning of the audit, it must be clear to the auditee that examiners are in the same boat as they are, and that the overall objective is to improve the level of comfort stakeholders have with the company's performance in terms of internal controls. Being an ally of management facilitates the auditor's work by easing communication and helping to support feasible and practical recommendations.
When management receives the audit report, they are required to provide the set of actions that will address the audit findings. These actions are commonly known as Management Action Plans.
MAP characteristics. In general, I recommend that auditees follow the SMART methodology:
S – Specific: To the extent possible, ambiguity should be avoided and defined actions should be specific. For instance, "personnel will be trained" is not as specific as "Procurement personnel will be trained in XXX procedures".
M – Measurable: You cannot manage a process that cannot be measured. Keeping this in mind will allow process owners to identify process-related measures. For instance, "By June, 80% of Procurement personnel will be trained in XXX procedures, and by December all personnel, including new employees, will have completed the training."
A – Achievable: The action should be attainable, something the group and the overall organization can actually carry out. As an example, "All Manual Journal Entries (MJEs) will be reviewed and approved by a supervisor" is very difficult to achieve, since in a mid-size company a position would have to be created just to comply, given the volume. However, "All MJEs above the company-defined threshold will be reviewed and approved by a supervisor" is an action that addresses the risk and can be achieved with reasonable effort. The threshold then becomes a control parameter in its own right: it should be approved by management, and entries clustered just below it deserve a look during testing for deliberate splitting.
R – Relevant: Consider whether the action is aligned with the overall business goals. For example, "All Anti-Money Laundering (AML) procedures will be made available to all bank personnel" may not be as effective, since some procedures are more applicable to private banking than to retail, for instance.
T – Time bound: Actions should be performed within a specific timeframe, otherwise there is a chance they will not be executed. Timely execution should be reviewed during the follow-up process as needed. MAPs can include specific dates ("By mm-dd-yyyy this action will be executed"), but approximations are also acceptable ("By Q2 these actions will be implemented").
Keeping these definitions in mind will allow the auditor to support management in creating and delivering MAPs that can subsequently be verified for effectiveness.
5th Follow-up
The role of the auditor does not end with delivery of the audit report. Once the time established in the MAPs has elapsed, the auditor must verify that the committed actions were implemented and that they address the identified risks. Only then is the audit cycle complete.
Comment from Group Head - Internal Audit & Risk Management @ EGTC Group:
I completely agree that recommending is so critical; however, the recommendations have to be practical and feasible, recommendations which are agreeable to auditor and auditee.