The magic format for tracking an audit recommendation

Do this Don’t do this

What to read first: Audit recommendation tracking

Auditors Version 1.0 Beta

Check the vocabulary for audit recommendations

Do this

There is a simple solution to many problems encountered while tracking audit recommendations.

The simple solution is this format for the history of any audit recommendation. This is the format seen by management at each request for a status report. Management clearly sees that they are appending a record to the recommendation history. The audit committee sees each recommendation history in the same format.

Audit identifier | Recommendation identifier
Assurance compromised by the Finding :… (this is an optional tracking entity favoured by the Clear Lines)
Finding (deficiency):… (this section should include an explanation of the finding’s consequences or importance)
Recommendation:…
Management response within the audit report (management status report zero)
Management status report 1:…
Management status report 2:…
(repeats as many times as it takes)
Management report of completion:…
Audit committee agreement to close (e.g. identified by meeting date)

The black sections come from the audit report, preferably verbatim. Allowing for a verbatim quote could mean editing the audit report findings and recommendations during drafting, to ensure the words work when quoted in this form in subsequent recommendation tracking. The management reports should come verbatim from the responsible manager, but may be drafted with audit assistance.

Between the management status reports, there can be other important statements by the audit committee, Chief Audit Executive staff, or potentially other parties.

Each management status report must have:

  • An author, identified by both role (to make the story coherent) and by name (for personal accountability). The first two records come from the audit report, so a personal name is not necessary.
  • The date on which the author made the statement. For the first three records, all copied from the audit report, the date is the issue date for the audit report.
  • Text that makes understandable sense when seen in this format. A good length for the text is 3 to 20 lines. If the text simply confirms that previous commitments are being fulfilled and there is no change to expectations, one line is enough, something like ‘Still on track as reported previously’.
  • A date on which the recommendation will be implemented to resolve the deficiency, as forecast at the date of the statement. If management is reporting completion, the date is the past date on which implementation was complete.

Don’t do this

The magic format might not include surprises and novelty, but it is easy to get the format wrong. The ‘magic’ format is functionally different from:

  • Any format in which the original finding and management commitment are abbreviated or hidden. Giving the original audit finding and management commitment the most visible placement drives genuine resolution of deficiencies found in audits.
  • A spreadsheet with a row per recommendation and a column per reporting cycle, or any similar compacted tabular records. The small but critical differences between the magic format and compact tables care: accountable authorship for every word; no constraints on space per management status report; no constraints on the length of the history that will lead to history being hidden.
  • A record for each recommendation that is updated at each reporting cycle, hiding past updates. Losing sight of the past updates is a problem because it progressively dissolves accountability for the recommendation and for accumulating delays.
  • An online corporate system in which management enter their status report directly when prompted. While online systems can be used well, they are expensive and inflexible. More importantly for governance, the lack of visible human involvement hints to management that no real person is taking an interest what they are doing. Automation can indeed save time, but if an audit recommendation matters, it is worth visibly spending Chief Audit Executive staff time on tracking it. It is also a good idea for the Chief Audit Executive team to help with drafting each management status report, or at least to give feedback on drafts. An online system is unlikely to support those conversations explicitly.

The Clear Lines achieved considerable success with a simple end-user database that was populated by Chief Audit Executive staff copying text from the emails sent to and from management. The magic format was built into the database. That success was mainly due to the magic format, clear thinking, and orderly processes. The database technology support added only minor net value, beyond supporting clear thinking. As end-user databases are problematic, and automation is not wholly positive, the Clear Lines have moved on and now suggest avoiding automated systems, unless a really good one is already available.

Parent articles

Audit recommendation tracking

What are audit recommendations? What happens without tracking of audit recommendations What gets tracked The tracking cycle Forecast and target dates for implementing a recommendation When tracking ends: good and bad reasons to ‘close’ an audit recommendation Common problems and solutions in audit recommendation tracking The magic format Reporting to the audit committee The secret is management accountability- for the deficiency

Auditors Version 1.0 Beta

Main article on Audit recommendation tracking

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments are moderated from a sea of spam, so may not be published immediately. Email contact may get a quicker response.