Audit recommendation tracking

Tracking audit recommendations can make the audit function respected and influential. Failing to track can turn audits into toxic waste.

Effective tracking keeps both management and auditors on their toes, even before an audit starts.

This article explains how tracking audit recommendations can work well. Like other Clear Lines articles, it starts with the why. Once the why is clear, the how is pretty simple. There is one format that makes everything fall into place.

Tracking audit recommendations well is not about choosing the right systems and software. You probably don’t need automated support. Effective tracking is about maintaining accountability and clear expectations. Achieving those needs very little technology. You can use the methods in this article with a word processor, email, and a dependable filing system.

  • What are audit recommendations?
  • What happens without tracking of audit recommendations
  • What gets tracked
  • The tracking cycle
  • Forecast and target dates for implementing a recommendation
  • When tracking ends: good and bad reasons to ‘close’ an audit recommendation
  • Common problems and solutions in audit recommendation tracking
  • The magic format
  • Reporting to the audit committee
  • The secret is management accountability—for the deficiency

Auditors Version 1.0 Beta

What are audit recommendations?

Audit recommendations describe a desirable change in the real world. Each recommendation is a proposed real-world change to what management does. The change is proposed to meet stakeholder expectations. Stakeholder expectations are represented by the audit committee, and by the auditor.

The primary outcome of an audit is assurance to the stakeholders, via the audit committee—or the opposite of assurance, a warning about a problem.

Whenever the audit cannot give assurance, there is an audit ‘finding’.

Before each recommendation, the audit report first describes and explains the gap between reality and expectation. That gap is usually called the audit ‘finding’. Unlike the ‘findings’ of a court case, audit ‘findings’ should be challenged. Also unlike a court finding, the audit ‘findings’ can change after a challenge.

A ‘finding’ is a problem or a deficiency. The problem need not be serious. For every ‘finding’, the auditor must make a recommendation. The recommendation is a ‘must’ because no-one takes the auditor’s ‘finding’ seriously if the auditor cannot show a way to fix it. There are exceptions.

Audit recommendations are a secondary outcome of an audit.

The Chief Audit Executive must track all recommendations anyway, even if recommendations are only secondary. Chief Audit Executive failure to track each audit recommendation all the way to a proper resolution can lead to a near-complete failure of the audit function.

Audit recommendations themselves are not mandatory directions for management. Management is accountable for closing the gap identified by the audit, or for showing that there is no gap to close.

It is mandatory for management to follow through on any action commitments made at the time of the audit, or to show that they have done something better for stakeholders. That’s why tracking audit recommendations is so important.

Read more on what is an audit and what is an audit recommendation

Check the vocabulary for audit recommendations

What happens without tracking of audit recommendations

It is essential to track each recommendation from each audit.

The absence of tracking would weaken obligations on the auditor to ensure that original audit recommendations are justified and compelling.

On the management side, the absence of tracking is even more corrosive. Management might not find a reason even to challenge the audit recommendations, let alone to implement them.

Under the conditions left without tracking, there is little credibility attached to the audit function at all. Auditors will lose motivation. They may become careless, or overly pragmatic, at the expense of stakeholder interests that really matter. Management will certainly be dismissive, seizing on any opportunity to discredit the auditors. There will be opportunities for management to seize. At the same time, the problem with audits may never be named for what it is. Maybe nobody wins by calling it out. That does not mean conditions are tolerable. It means the audit function has failed.

Without tracking, audit recommendations operate as mere suggestions. Management may or may not implement them. Only management will know or care. Management will be accountable for acting on the audit recommendation only when there is another audit of the same area of activity.

Such conditions might be barely tolerable for annual financial statement audits, or other fixed regular reviews. The conditions will be tolerable only because the audit findings will keep coming back, fresh or escalated, until the problem is fixed permanently. Affected stakeholders will not be impressed, and the audit committee will not be happy.

Most audit work is very different. For most audits, the activities being audited are important to the stakeholders, yet the audits of those activities are not regular and repetitive. Management indifference will not be tolerable. Chief Audit Executive ignorance of what happened will not be tolerable either.

What gets tracked

Tracking audit recommendations is about management following through on the commitments they have made themselves. Tracking is not about the original audit recommendation, as framed by the auditor.

Management commits to a way forward in its response to the draft audit report. The management commitment may match the audit recommendation exactly, or it may be to a different way of addressing the underlying deficiency. The part that matters is that management is committed to fixing the problem, the problem identified in the audit ‘finding’.

The way forward to which management commits might be an adequate response to the deficiency, or it might not. Ideally the auditor will review the management response and raise any concerns about its adequacy, before finalising the audit report. If the auditor is not available to review the response, then the Chief Audit Executive must do it. At least one of them should be satisfied with management’s commitments in the response before the audit report is seen by the audit committee.

It is the management commitment to fix the problem that is subsequently tracked in audit recommendation tracking. To that extent, the words ‘recommendation tracking’ are misleading. Ultimately, the Clear Lines recommend tracking of assurances, along with findings, recommendations and management actions.

The audit committee will be most concerned that the underlying deficiency is corrected, so the ‘finding’ is no longer in existence—whether or not the correction follows exactly the steps promised by management in responding to the audit.

It is better to give management clear permission to correct the deficiency in ways different from the auditor’s recommendation. It is also better to allow management to later correct the gap in ways different from the first management commitment, if there are benefits in doing so. When you are tracking audit recommendations on behalf of the Chief Audit Executive, you advise the audit committee to accept the recommendation as ‘implemented’ when the deficiency has been rectified. Your advice to the committee is less concerned with the specific means of rectification.

If management reports that the deficiency has been rectified, but in a way not suggested in the audit report, the audit committee will need more assurance that it was truly rectified. Assuring the audit committee will then usually demand further effort, from management and probably from Chief Audit Executive staff.

For less important deficiencies, there may be no commitment worth tracking, for instance if the audit report clearly says the ‘recommendation’ is only meant as a suggestion, with no accountable obligation attached.

The tracking cycle

Management are required to provide a progress report on implementing the open audit recommendation on a regular cycle. Usually a manager is asked for a report on all open recommendations within their responsibility at the same time.

The follow-up cycle might be quarterly, or tied to audit committee dates. But it must be boringly repetitive and predictable, even slightly annoying. There can be no surprises, and no room to move. Intervals should not be longer than a quarter, as there will be a tendency for memories to fade between follow-up cycles. A very short cycle might also create a problem, a tendency to trivialise each follow-up.

Successive management progress reports are visible to the audit committee, either directly or through summary reporting from the Chief Audit Executive team. The Chief Audit Executive team advises the audit committee with commentary and alerts about the progress of audit recommendations. The Chief Audit Executive team also advises management about how the audit committee is likely to view the progress report, and on how to report progress honestly and effectively. It is not unusual for management’s draft reporting to be obscure, off-topic or even incomprehensible for an audit committee audience.

When management believes the recommendation has been implemented and action is complete, the progress report says so. If the audit committee agrees, the committee ‘closes’ the recommendation and the tracking cycle ends. The Chief Audit Executive team will advise the committee on the closure decision, and will usually support or oppose it.

The challenge for the Chief Audit Executive team is to keep the original purpose of the recommendation in sight of management and the committee, and to maintain management’s accountability for achieving that purpose. The purpose is almost always to rectify a deficiency identified by the audit. Accountability is based on clear lines of sight between the management, the committee, and the real world. Clear and transparent communication is the key, not only to accountability, but to the ways in which the parties see each other and see themselves.

In many organisations, the Chief Audit Executive team have a surprising level of influence over the timeliness of corrective actions, and over the way in which the audit committee perceives management’s attitude and performance. The tracking cycle must be rigid and mechanical, but it must also be full of insight and art. Making it work can actually improve management’s performance and self-assessment, subtly enhancing the organisation’s culture.

Forecast and target dates for implementing a recommendation

When management gives its response to an audit recommendation, that response should commit to a date by which the deficiency will be fixed. Policy should require such a commitment, with variations for genuinely difficult cases.

If everyone is happy with that date, and the date is actually achieved, fantastic. If management forecasts that the date will not be achieved, or the date just passes by, the shortfall must not be ignored. The Chief Audit Executive may need to alert the audit committee.

Read more about target dates and extensions

When tracking ends: good and bad reasons to ‘close’ an audit recommendation

It is usual to talk about ‘open’ and ‘closed’ audit recommendations. New recommendations are always ‘open’, and they ‘close’ when implemented. The important level of ‘implementation’ is reached when there is no continuing deficiency.

Reality is more complicated than that. The key point about ‘closing’ an audit recommendation is that ‘closure’ is (only) a decision of the audit committee to stop tracking actions taken on it. The Chief Audit Executive team advises the audit committee on the closure decision, and ideally the committee does not have a reason to go against Chief Audit Executive team advice.

Closure is not itself an action, nor a decision, made by management. Management reports that the recommendation is implemented, the Chief Audit Executive reviews management’s report, then the report goes to the audit committee with a Chief Audit Executive commentary. The committee then decides whether they require further reporting or ‘tracking’. If they direct that there is no need for further tracking, the recommendation is ‘closed’.

Closure of a recommendation is a decision by the audit committee at a point in time. That decision can be reversed. Closure is not evidence of action taken by management, nor is it evidence that the deficiency reported in the audit has been rectified. The audit committee may ask for such evidence before (or after) closing the recommendation. It is better policy for the committee to rely on management’s declarations most of the time, with the real possibility that those declarations will be tested for truthfulness some time later. What happens after a declaration is found untrue is perhaps best left to the imagination.

Read more on management declaration vs. audit verification

The ideal basis for closing an audit recommendation is that management declares that the deficiency identified by the audit no longer exists, or that no further action is needed on that deficiency. Management should provide enough detail to make its claims both plausible at first sight, and testable in future.

In the messy real world, there are many other situations that can lead to a request to ‘close’ an audit recommendation. The Chief Audit Executive team must deal with these requests in a way that matches the long-term interests of stakeholders. Meeting long-term interests generally includes firmly insisting that management meet stakeholder expectations, while acknowledging that the audit process is itself imperfect and questionable.

Read more on good and bad reasons to ‘close’ an audit recommendation

The Chief Audit Executive might anticipate audit committee ‘closure’ decisions, or even put them into effect, without any explicit direction by the audit committee itself. Such arrangements are sound and compliant with standards, so long as the Chief Audit Executive reports to the committee on the high-risk findings and recommendations that should be reviewed directly by committee members, and so long as the Chief Audit Executive follows the committee’s directions. The IIA standards require the Chief Audit Executive to report to the board where management has accepted risk that may be outside the organisation’s risk appetite. Inadequate management action on an important audit recommendation would often represent management’s acceptance of risk outside appetite. The Chief Audit Executive would be obliged to report to the audit committee in such a case. Similar rules apply to legal and regulatory breaches identified in audits.

Common problems and solutions in audit recommendation tracking

Most problems with recommendation tracking come from ineffective presentation of the original audit finding, along with inadequate challenges from management. The real-world deficiency might be over-stated, or badly explained. In either case management is left with scope and motivation to avoid acting on the recommendation.

The recommendation tracking process is part of the solution, even before the audit starts. The expectation of future tracking discipline has an effect during each audit, especially during the critical stage where findings and recommendations are given shape and size. Guaranteed future tracking drives more effective presentation of the audit findings, and motivates managers to challenge audit findings and recommendations constructively. The expectation of future tracking discipline comes mostly from the tracking discipline the same managers have experienced in the recent past. If the manager is new to the audit experience, the tracking discipline can be explained at the beginning of the audit, leaving no room for doubt or dismissal.

Even if the audit finding, recommendation, and management response are sound, subsequent events and tracking can still go wrong. When they go wrong, the Chief Audit Executive team needs to recover the situation, no matter when and how things started to drift. Drifting and delay are deadly.

There are a few common scenarios in which a satisfactory closure to an audit recommendation starts to look doubtful. These common scenarios have remedies that can get the tracking discipline back on track. The remedy often involves consistent use of a magic format for the history of an audit recommendation.

Sometimes the remedy involves acknowledging past weaknesses in the audit function. Acknowledging and correcting such weaknesses can build strength for the future, for the whole enterprise. Denying such weaknesses sends the wrong message entirely.

Read more on the common problems and solutions in audit recommendation tracking

The magic format

There is a simple reporting format that makes obvious and transparent everything that matters during the tracking of an audit recommendation. Transparency is the key to accountability and action. The insights and art are also important, but insights and art are themselves enabled by the reporting format, so I call the format ‘magic’.

The magic format shows for each recommendation:

  • The audit finding or deficiency.
  • The auditor’s recommendation.
  • The original management response and the original forecast date for full implementation.
  • Each and every subsequent management status report on implementation, in date order, each with full accountability details and an updated forecast date for full implementation. If this section is long, repetitive, and annoying, so much the better. Long delays should be obvious on the page, and they should irritate.
  • The final audit committee decision to close the recommendation.

If there are twists and turns in the story, each twist or turn appears as a further entry within the series of management status reports. A common use of such an entry would be a change of responsible manager, resulting from staff movements or re-structuring.

Such a history is easy to maintain for each audit recommendation. Beyond being easy, it’s magic. The magic history format is complete and non-selective. It is seen in the same form by auditors, management, the audit committee, and the Chief Audit Executive. Everyone can see everyone else seeing the same thing.

When the Chief Audit Executive team asks management for a status report, the team simply forwards the complete history as it is, asking management for a statement that will be appended to that history in turn. The earlier history never needs to change. Management then knows that the history they see (and write) is exactly what will be seen by the audit committee.

Maintaining such a history for each recommendation does not require any automated support beyond a word processor.

Once you have such a history for each audit recommendation, the register of recommendations is simply a register of those histories. The central register can summarise simple attributes such as open/closed status, and the management position now accountable for that recommendation.

Trivial as it looks, use of this format can make all the difference between clear accountability and an unmanageable mess, in which unproductive game-playing is the norm.

The differences from other styles of tracking may also look trivial, but they can make all the difference.

Read more on the magic format

The Clear Lines argue for tracking assurances, along with findings and recommendations, although tracking of assurances is not a common practice. An assurance is the positive assertion about the audited activity that the enterprise and stakeholders would want to be shown true, typically corresponding to an audit ‘conclusion’, an ‘audit objective’ or a ‘control objective’. ‘Findings’ are usually exceptions and qualifiers to an assurance. In the magic format, the assurance would take first place, above the audit finding, acting almost as a heading.

Reporting to the audit committee

The audit committee will advise their own preferences. The forces driving an audit committee are the need for assurance, and the wish to avoid excessive detail that is better kept between management and the Chief Audit Executive team.

For the audit committee, more information is not always better. Operational, financial or technical detail that appears in committee papers is potentially seen as a transfer of responsibility from management to the committee, so committees generally want the least amount of detail, consistent with assurance.

In a low-trust environment, the committee may want to see all open recommendations and all management status reports on each one. They may even want some managers to appear before the committee to answer questions about progress on audit recommendations, particularly when progress looks slow.

In a mature high-trust environment, the committee may only ask to be told that the Chief Audit Executive is tracking audit recommendations and is comfortable with the results of tracking. Within high trust, the Chief Audit Executive may be left to close recommendations without audit committee review. Behind that arrangement, the audit committee can always reverse any decision to close a recommendation.

At a minimum, the Chief Audit Executive must:

  • Advise the committee that the implementation of recommendations is monitored, and give details if asked.
  • Report on any instances where management is accepting risk that may be outside the risk appetite of the enterprise.
  • Alert the committee to any developments that would work against committee assurance that the enterprise is actually meeting stakeholder interests.
  • Report instances of mis-behaviour by management, such as overt dishonesty, or refusal to report on the status of an audit recommendation.

This list of ‘musts’ isolates the specific Chief Audit Executive obligations around audit recommendations from general obligations on Chief Audit Executives. Formal standards set similar expectations, in a more legalistic and roundabout way.

The audit committee might also get some value from:

  • Numbers of open recommendations, compared with previous periods. Typically, such numbers are also broken down by responsible management position (organisation division/branch etc.), by the importance of the recommendation, and by timeliness categories (still on time, overdue, etc.). The absolute numbers are not meaningful on their own, but it is wise to keep an eye on trends and abrupt changes.
  • Alerts to instances when ‘agreed’ recommendations are not being implemented, or when implementation may be delayed beyond reasonable expectations.
  • Details and histories for those recommendations proposed for closure, even if other recommendation histories are not routinely submitted to the committee.
  • Aggregated numerical measures indicating timeliness of implementation, perhaps along the lines of ‘average time to closure’ or ‘proportion of open recommendations that have been open for more than one year’.

Consistent reporting to the audit committee shows transparency across time, as well as transparency between management and the audit committee.

The secret is management accountability—for the deficiency

For an audit recommendation to be effective, management must be accountable for the existence and resolution of the deficiency. Management must know that the deficiency and actions will be tracked to a resolution, no matter how long that takes, and that the accountability never goes away.

Management should understand the tracking process, and its rigidity, when an audit starts. That will help management to understand that they are accountable to the audit committee, even while the audit is barely underway. Managers who have been through previous audits should have had the tracking process demonstrated already.

The most vulnerable stage in the life of an audit recommendation is at the end of the audit, before it is finalised. Before the audit is finalised, management must acknowledge that the deficiency is real, important, and within their own control. They must then commit to a specific resolution within a defined time.

To reach the necessary state of commitment, management must be encouraged to challenge the reality, importance, and ownership of the deficiency identified by the audit, as well as the specific resolution proposed by the auditor. The auditor must respond properly to each challenge, which may mean providing supporting evidence, or making adjustments. It is not unusual that a particular recommendation is actually not within the control of the manager first identified, so there may be a need for re-directing it. All of this negotiation takes time, and it is easily cut short by a ‘need’ to finalise the audit expediently. But cutting out management’s challenges can easily open the way for delayed or inadequate correction of real-world problems.

The auditor’s assertions and management’s position must be visible to the audit committee, along with the management’s commitment to act. Accountability also requires that the assertions and management challenges remain visible in the audit report for the indefinite future, along with names, dates, and specific un-edited statements.

The tracking record after the final audit report must retain the link between the action commitment and the deficiency that required it. The original reason for the recommendation must not be allowed to slide back into the forgotten and disputable past. It is useful to forward management the original audit report each time an update on a recommendation is requested, along with the later history of management updates. That way there can be no excuses for forgetting, and management’s accountability for every statement about every recommendation is plain to see.

To ensure that management directly feel the accountability, requests for management updates should be regular and consistent, with no discretionary variations or gaps, and no indication of any scope for evading accountability to the audit committee. The magic format supports this form of accountability by putting the entire history of each audit recommendation into a single view. If it happens that the audit committee does not want to see the detailed record, it is still fundamental that the detailed record exists and can be produced at a moment’s notice.

Drill-down articles

What is an ‘audit recommendation’?

  • Before that, what is an ‘audit’?
  • To whom audit recommendations are made
  • Are audit recommendations mandatory?

Declarations vs. independent verification

  • An adequate declaration
  • Assessment of declarations
  • Follow-up audits

Reasons to close audit recommendations

  • ‘Open’ and ‘closed’ recommendations – what is ‘closure’?
  • The stages of ‘closure’
  • Proper and improper bases for ‘closure’

Common problems and solutions

  • No real action has been taken, and nobody claims to have taken any.
  • No-one is arguing with the recommendation, but responsibility is being pushed around like a hot potato, or is dismissed carelessly.
  • The recommendation requires action from two independent managers, e.g. both the CFO and the CIO.
  • There are repetitive promises of action that never happens. Management signals that they care, but it becomes clear to Chief Audit Executive staff that no-one is actually doing anything.
  • Management say the recommendation has already been implemented, without reporting convincing details. The Chief Audit Executive is not convinced.
  • Management status reports are off-topic. They may claim that the audit recommendation has been implemented, but the specific steps they report are not clearly a resolution to the deficiency identified in the audit.
  • Implementation of the audit recommendation is tied to a ‘Project X’. ‘Project X’ is still in the promised future. In the meantime, the problem motivating the recommendation continues.
  • The Chief Audit Executive’s request for a status report on the recommendation comes as an uncomfortable surprise to the managers directly responsible (those down at ‘ground zero’).
  • When the Chief Audit Executive asks for an update, the person responsible recognises the obligation, but has no understanding of what is needed, what is involved, or why it matters.
  • The Chief Audit Executive team is unable to provide a definitive list of all open audit recommendations for which one senior management position is responsible.

The magic format for tracking an audit recommendation

  • Do this
  • Don’t do this

Target dates and extensions

  • Target dates are not forecast dates
  • Extensions are a problem
  • A workable solution
