Common problems and solutions in audit recommendation tracking

No real action has been taken, and nobody claims to have taken any. No-one is arguing with the recommendation, but responsibility is being pushed around like a hot potato, or is dismissed carelessly. The recommendation requires action from two independent managers, e.g. both the CFO and the CIO. There are repetitive promises of action that never happens. Management signals that they care, but it becomes clear to Chief Audit Executive staff that no-one is actually doing anything. Management say the recommendation has already been implemented, without reporting convincing details. The Chief Audit Executive is not convinced. Management status reports are off-topic. They may claim that the audit recommendation has been implemented, but the specific steps they report are not clearly a resolution to the deficiency identified in the audit. Implementation of the audit recommendation is tied to a ‘Project X’. ‘Project X’ is still in the promised future. In the meantime, the problem motivating the recommendation continues. The Chief Audit Executive’s request for a status report on the recommendation comes as an uncomfortable surprise to the managers directly responsible (those down at ‘ground zero’). When the Chief Audit Executive asks for an update, the person responsible recognises the obligation, but has no understanding of what is needed, what is involved, or why it matters. The Chief Audit Executive team is unable to provide a definitive list of all open audit recommendations for which one senior management position is responsible.

What to read first: Audit recommendation tracking

Auditors Version 1.0 Beta

Check the vocabulary for audit recommendations

Symptoms and causes

Solutions for Chief Audit Executive staff

No real action has been taken, and nobody claims to have taken any. No-one is arguing with the recommendation, but responsibility is being pushed around like a hot potato, or is dismissed carelessly.

There are a couple of possible pathways to this situation.

One path is that the original finding and recommendation are not now appreciated and are not taken seriously. They were not taken seriously at the time of the original management response to the draft audit report. This lack of appreciation will usually be clear from conversations between Chief Audit Executive staff and responsible management. Show that tracking will be rigorous until the original finding is resolved. Allow new challenges to the original finding, and alternative action commitments to resolve the agreed version of the finding.

This re-negotiation catches up on steps missed during response to the original audit report. It also eliminates further excuses. Safe re-negotiation may require the subject-matter expertise of the original auditor.

The other pathway to this situation is that implementing the recommendation competes with achieving other objectives perceived as having a (much) higher priority for management. Equivalently, implementing the recommendation will involve a diversion of budget and scarce resources. Management may allude to problems bigger than the audit finding and recommendation. Invite management to change its commitment to implementing the audit recommendation, by demonstrating to the audit committee that it is not justified in the present circumstances. Give Chief Audit Executive support to any genuine case made by management, but also ensure that the audit committee sees any management back-tracking for what it is.
At the same time, ensure everyone understands the implication of the original audit finding or deficiency that led to the recommendation. Suggest ways in which the deficiency might be fixed or reduced without competing with other objectives. Assess any management objections to those suggestions, and advise the audit committee accordingly.

The recommendation requires action from two independent managers, e.g. both the CFO and the CIO.

There is no clear coordination. Each responsible manager reports waiting for the other to take action or to advise on a plan. Neither manager is strongly motivated to get on with implementation.

The best solution is to split the recommendation into two, such that each new recommendation is addressed to only one responsible manager. The split is best done while the audit report is being drafted, but it can be done afterward for tracking purposes.

Alternatively, establish coordination and an implementation manager, in the way that any change project crossing organisation boundaries has coordination and a project manager. The Chief Audit Executive should be represented at coordination meetings. Without Chief Audit Executive supervision, coordination and action may not happen, despite the agreed arrangements.

A third way forward is to re-assign the ‘joint’ recommendation to a higher-level manager to whom both of the responsible managers report. For instance, reassign the recommendation to the CEO. The higher-level manager (CEO) is likely to be highly motivated (embarrassed) by the obvious lack of coordination at the lower level, and may therefore pull everyone into line.

There are repetitive promises of action that never happens. Management signals that they care, but it becomes clear to Chief Audit Executive staff that no-one is actually doing anything.

Sometimes this situation may be hidden behind optimistic but inaccurate management statements such as ‘still on track’. In that case, management are reporting that they still intend to implement the recommendation on time, but have not actually done anything and don’t know exactly how it will ultimately happen.

Make the full history of management status reports visible to the audit committee. Ensure that the repetitive deferrals are obvious within the history. Make sure that management knows the audit committee will see the history in that format. The tedious length of such a history is the primary message.

In the background, it might be helpful to have some frank conversations with middle managers and ground-zero team members, to help everyone involved to see a realistic way of implementing the audit recommendation. These conversations can also impress upon everyone that audit recommendations are tracked rigorously, and never just ‘go away’. If the management commitment must be adjusted, allow that to happen, with an honest explanation to the audit committee.

Management say the recommendation has already been implemented, without reporting convincing details. The Chief Audit Executive is not convinced.

Management may refer to a previous communication that cannot now be found, or perhaps to ‘generally known’ announcement that the Chief Audit Executive team know nothing about.

Create recordkeeping practices in which there is very low likelihood of any communications not being found when needed.

Adopt a general policy that status reports on the implementation of audit recommendations must be made in a specific form, separately from other communications. Encourage management to attach supporting evidence to status reports, and keep the evidence attached. The audit committee will probably not see the attachments directly, and management should know that. Management should also understand that the Chief Audit Executive team does not ‘accept’ or ‘reject’ the evidence without a formal follow-up audit.

Management status reports are off-topic. They may claim that the audit recommendation has been implemented, but the specific steps they report are not clearly a resolution to the deficiency identified in the audit.

Typically, management will have identified the audit recommendation with their own ‘Project X’ and then proudly report ‘Project X’ complete. The problem is that ‘Project X’ is not a solution to the original deficiency.

Ensure that the original deficiency is prominent at all times during the life of the audit recommendation that followed from it. Remind management early that the audit committee cares about closing the deficiency, and may not care about ‘Project X’ or the specific solution.

Implementation of the audit recommendation is tied to a ‘Project X’. ‘Project X’ is still in the promised future. In the meantime, the problem motivating the recommendation continues.

‘Project X’ may include much more than the audit recommendation, and it will take a lot of time and money. Project X is subject to re-scoping, delays, and funding negotiations. By the time Project X is finished (or even started) it no longer includes implementation of the audit recommendation.

Alert management if the foreseeable timeline for Project X is too long in relation to the deficiency leading to the audit recommendation.

Keep the recommendation ‘open’ as long as the motivating deficiency exists in the real world. Make it clear to everyone that the recommendation is not ‘implemented’ simply because of something promised for the future in ‘Project X’.

In the meantime, make the deficiency behind the audit recommendation highly visible to both management and the audit committee. Remind everyone that the deficiency continues regardless of future ‘Project X’ promises, and the recommendation is not about ‘Project X’. Encourage interim solutions or alternative ways of reducing the deficiency. The audit committee will appreciate one of those.

If there is no interim solution, commit to monitor the scope, or even delivery, of ‘Project X’ for effective treatment of the deficiency.

The Chief Audit Executive’s request for a status report on the recommendation comes as an uncomfortable surprise to the managers directly responsible (those down at ‘ground zero’).

A likely back-story is that senior management originally agreed to the recommendation. They agreed mainly to end negotiations and nagging from auditors. The auditors may well have applied some pressure for a quick response. Senior management did not then incorporate the implementation activity in its real-world work program. That is, no real people or real dates were assigned to the implementation. Those same ‘real’ people are taken by surprise when the Chief Audit Executive asks for a progress report, on a real date some time later.

Outline the tracking policy and protocols when asking management for responses to draft audit reports (and at all later contacts).

As a standard protocol, require staffing and budget details to be included in the management response to each recommendation. Assess the realism of the details included by management before accepting the response. You may want audit committee backing for the protocol.

Confirm with the responsible team (at ground zero) that they have the implementation work in their real work program, with no ambiguity about when and how the work will be done.

When the Chief Audit Executive asks for an update, the person responsible recognises the obligation, but has no understanding of what is needed, what is involved, or why it matters.

A likely back-story is that management has included a re-interpreted or abbreviated version of the recommendation its work program. That short version of the recommendation is disconnected from the original audit report and senior management’s response to it. The task has been re-assigned, and perhaps re-interpreted, at least one time too many.

Ensure that the whole management chain, from the responsible senior executive down to ‘ground zero’, have the full explanatory text of the audit finding and recommendation. Ideally, they will have the whole audit report, confidentiality permitting. Keep making the finding and recommendation available to them at each contact. The audit report may not fit neatly into management’s regular record-keeping practices, so Chief Audit Executive staff can maintain the record.

Make contact with the newly responsible individual every time the task is re-assigned. Ensure that the new individual has a full understanding of the obligation and the reasons for it.

The Chief Audit Executive team is unable to provide a definitive list of all open audit recommendations for which one senior management position is responsible.

The Chief Audit Executive team is inadvertently signalling that audit findings and management commitments are not important enough to track rigorously.

The likely reason for this predicament is the absence of a controlled single register for audit recommendations to be tracked by the Chief Audit Executive on behalf of the audit committee.

The solution is to create a complete register once, and to maintain it reliably thereafter. The register contents can be dispersed across the files for each audit, so long as all of those files can be found immediately when needed, and each file contains neat and reliable recommendation records.


Parent articles

Audit recommendation tracking

What are audit recommendations? What happens without tracking of audit recommendations What gets tracked The tracking cycle Forecast and target dates for implementing a recommendation When tracking ends: good and bad reasons to ‘close’ an audit recommendation Common problems and solutions in audit recommendation tracking The magic format Reporting to the audit committee The secret is management accountability- for the deficiency

Auditors Version 1.0 Beta

Main article on Audit recommendation tracking

Leave a Reply

Your email address will not be published.

Comments are moderated from a sea of spam, so may not be published immediately. Email contact may get a quicker response.