What to read first: Internal auditing assures an audit committee
Auditors | Version .1 Beta
An audit ‘finding’ is generally a negative observation reported by an audit. In summary, a typical audit report says: ‘We looked at activity X for its Goodness, and found problems A, B and C’. A, B and C are the ‘findings’.
It is an established expectation, though not a fundamental requirement, that the auditor makes recommendations to management about how to ‘correct’ each of the ‘findings’ A, B and C. Some recommendations are very specific and prescriptive—sometimes too much so, reflecting the auditor’s limited perspective. Others are more wishy-washy, urging management to ‘look into the problem and evaluate potential solutions’, with no useful (or disputable) contribution from the auditor.
A draft of each audit report is given to management for response. The mandatory part of the management response is to indicate what will be done about each of the recommendations. Right?
Well, that’s true enough. But it’s also wrong.
Audits are about assurance, not change
When we understand the purpose of an audit as independent assurance, it becomes obvious enough that the recommendations are inherently less important than the findings. Auditors will generally agree that each recommendation is only one approach to solving a problem. The findings matter more: they are important facts.
But the findings are themselves only exceptions to the assurance. What really matters is the assurance itself.
So any genuine agreement with management must first focus on the overall assurance picture. The assurance will have a scope and limitations. The audit may have generated many positive observations and conclusions supporting that assurance. Those observations may or may not be in the audit report. As a manager, I’d really want to see them there, especially if my superiors were also going to see the report. A constructively engaged audit committee will probably want to see those positive observations as well.
An audit report should not only say ‘We looked at activity X for its Goodness, and found problems A, B and C’. That story leaves out the assurance statement entirely. Putting assurance first, the report should say ‘We looked at activity X for its Goodness. Activity X is indeed Good, so relax. During the audit we found problems A, B and C, which still allow acceptable Goodness, but deserve your attention anyway.’ In a less favourable case, the report might say ‘Activity X would be acceptably Good were it not for problems A and B. We also found problem C, which you will want to fix for other reasons.’ In this model of audit report, there should be details of problems A, B and C, including recommendations, but not before there are also details of the positive management practices Alpha, Beta and Gamma that enabled Activity X to be Good.
How the conversation goes
Once management have agreed to the assurance picture, and blushed slightly over Alpha, Beta, and Gamma, they must be asked to agree the exceptions to the assurance, the findings A, B and C. There should be agreement on the factual content, on the implications for the assurance, and on the presentation and signalling of the finding. Findings usually have ‘ratings’, often resembling a traffic light scheme. After all of the elements of each finding are agreed, the conversation can legitimately turn to the recommendations, and exploration of alternative ways forward.
At any stage of the conversation, management agreement might not follow. There might be a disagreement that turns into a negotiation of the audit report, or into an escalation of the disagreement to a higher management level. Escalation can go as high as the audit committee. Constructive disagreement should be encouraged, even though disagreement can reflect sub-standard auditing, poor management behaviour, or both. At the very least, it is better to resolve disagreements early than later, after the audit committee has the report. It is worse still to leave disagreements unresolved until the audit is long finalised, while the recommendations remain endlessly in the future for lack of genuine management commitment.
In my world, the bulk of the attention has been on the recommendations. Findings have attracted attention only when they look bad, even though I made a point of showing the source finding in every stage of recommendation follow-up. Assurances got hardly any attention at all.
There are some excuses for this pattern. Within the audit administration framework, it is typically only the recommendations that are ever seen again after the audit report is finalised. They are properly tracked and followed up until implemented. So even the audit findings are seen primarily through the keyhole of the audit recommendations. What is not kept in sight is the scope and age of the assurance delivered by the audit.
But whether smart or odious, seismic or superficial, the recommendations should be understood as secondary to the assurance.
Assurance, finding, and recommendation tracking
The Clear Lines accept that audit recommendations do need to be tracked until the end of time, if necessary, in sight of the audit committee. Indeed, that discipline supplies energy essential to an effective audit function. But the Clear Lines also urge that:
- Assurances are given central prominence in the audit report.
- The positive bases of the assurance, and any limitations to the assurance, are fully detailed in the audit report. ‘Positive bases’ can be represented as positive ‘findings’, in the same shape as negative findings.
- For each negative finding, there is a clear statement of its implication for the assurance. The same can be done for positive findings. In both directions, the link is the motivating reason for a change, or a reason to retain an existing practice.
- Assurances and ‘findings’ are tracked after the audit in the same way as recommendations, ideally in a single administrative process visible to the audit committee. Tracking can include positive findings, if the format supports them.
- Management discussions on audits proceed top-down from the assurances, followed by the findings, and only ending with the recommendations. The auditor’s recommendations might not be revealed until there is agreement on the assurances and findings.
- As recommendations are implemented, the status of the findings and assurances from the audit is updated, also in sight of the audit committee. As assurances and positive findings age, their fading currency is also recognised.
- Where ‘ratings’ for concern or urgency are used, they are attached to the findings, not to the recommendations. The importance or urgency of a recommendation is not necessarily the same as the importance of a negative finding, especially when there are multiple actions that might be taken on one issue. If you want to go all the way, also use positive ‘value’ ratings for the good management practices found in the audit.
A suggestion for Chief Audit Executives and helpers
If an audit struggles to report a clear assurance conclusion, it probably lacked focus and effectiveness in an earlier stage, possibly at all stages. That’s far from a rare situation.
You can use this link in reverse to sharpen focus and effectiveness. You can insist that every audit must begin with the end in mind, and that end is an assurance conclusion. You can require planned assurance statements within the terms of reference for audit engagements. You can make it understood that the assurance conclusion will be tracked for years, as applicable, along with each recommendation and finding. If you have assurances, you will want to use them in annual and strategic audit planning.
This combination of sharp focus and timeless accountability will energise your audit function, just as each audit engagement is energised, for both auditors and managers, by the understanding that its outstanding recommendations will be tracked until the end of time.
Main article on Internal auditing is independent assurance
1. There are legitimate exceptions. Some ‘audit’ engagements are specifically set up as consulting activities, rather than for assurance. A consulting activity may aim to solve a known problem, or to find practice improvements for an activity. In a consulting engagement, recommendations may well be the main output. However, such an engagement could be undertaken by consultants other than internal audit, or by internal staff acting in a different capacity. Such engagements demand subject specialist expertise more than they demand formal independence. In the Clear Lines, the key characteristic of ‘audit’ is formally assured independence, not ‘being terribly smart’.
An audit that generates a lot of beneficial change is probably highly successful and of high value, both in the choice of topic and in the execution. It is not true that an audit that verifies the status quo is a failure or low in value. Audits don’t have to create insights or change; their primary outcome value is independent assurance of management statements, explicit or implied.
An unsuccessful audit is one that can neither support nor contradict the intended assurance conclusion that justified starting the audit in the first place (or any other useful conclusion). The lack of an assurance statement in the audit report can result from a failed audit, but might also result innocently from confused expectations or unhelpful reporting conventions.