What to read first: Audit recommendation tracking
|Auditors||Version 1.0 Beta|
Check the vocabulary for audit recommendations
There is a simple solution to many problems encountered while tracking audit recommendations.
The simple solution is this format for the history of any audit recommendation. This is the format seen by management at each request for a status report. Management clearly sees that they are appending a record to the recommendation history. The audit committee sees each recommendation history in the same format.
|Audit identifier | Recommendation identifier|
|Assurance compromised by the Finding :… (this is an optional tracking entity favoured by the Clear Lines)|
|Finding (deficiency):… (this section should include an explanation of the finding’s consequences or importance)|
|Management response within the audit report (management status report zero)|
|Management status report 1:…|
|Management status report 2:…|
|… (repeats as many times as it takes)|
|Management report of completion:…|
|Audit committee agreement to close (e.g. identified by meeting date)|
Between the management status reports, there can be other important statements by the audit committee, Chief Audit Executive staff, or potentially other parties.
Each management status report must have:
- An author, identified by both role (to make the story coherent) and by name (for personal accountability). The first two records come from the audit report, so a personal name is not necessary.
- The date on which the author made the statement. For the first three records, all copied from the audit report, the date is the issue date for the audit report.
- Text that makes understandable sense when seen in this format. A good length for the text is 3 to 20 lines. If the text simply confirms that previous commitments are being fulfilled and there is no change to expectations, one line is enough, something like ‘Still on track as reported previously’.
- A date on which the recommendation will be implemented to resolve the deficiency, as forecast at the date of the statement. If management is reporting completion, the date is the past date on which implementation was complete.
Don’t do this
The magic format might not include surprises and novelty, but it is easy to get the format wrong. The ‘magic’ format is functionally different from:
- Any format in which the original finding and management commitment are abbreviated or hidden. Giving the original audit finding and management commitment the most visible placement drives genuine resolution of deficiencies found in audits.
- A spreadsheet with a row per recommendation and a column per reporting cycle, or any similar compacted tabular records. The small but critical differences between the magic format and compact tables care: accountable authorship for every word; no constraints on space per management status report; no constraints on the length of the history that will lead to history being hidden.
- A record for each recommendation that is updated at each reporting cycle, hiding past updates. Losing sight of the past updates is a problem because it progressively dissolves accountability for the recommendation and for accumulating delays.
- An online corporate system in which management enter their status report directly when prompted. While online systems can be used well, they are expensive and inflexible. More importantly for governance, the lack of visible human involvement hints to management that no real person is taking an interest what they are doing. Automation can indeed save time, but if an audit recommendation matters, it is worth visibly spending Chief Audit Executive staff time on tracking it. It is also a good idea for the Chief Audit Executive team to help with drafting each management status report, or at least to give feedback on drafts. An online system is unlikely to support those conversations explicitly.
|The Clear Lines achieved considerable success with a simple end-user database that was populated by Chief Audit Executive staff copying text from the emails sent to and from management. The magic format was built into the database. That success was mainly due to the magic format, clear thinking, and orderly processes. The database technology support added only minor net value, beyond supporting clear thinking. As end-user databases are problematic, and automation is not wholly positive, the Clear Lines have moved on and now suggest avoiding automated systems, unless a really good one is already available.|
Main article on Audit recommendation tracking