What to read first: Audit recommendation tracking
|Auditors||Version 1.0 Beta|
Check the other vocabulary for audit recommendations
Before that, what is an ‘audit’?
Audits are performed independently of the management hierarchy. The auditors work for other stakeholders in the enterprise, or for one important stakeholder. A ‘stakeholder’ is someone affected by what the enterprise does, and with some right to influence the enterprise. The obvious stakeholders in any enterprise are those who put money into it, but there are always others, such as employees.
External audits are performed on behalf of the shareholders and other external interests directly, independently from the board or audit committee, and independently from the management hierarchy. External audit reports are often public, though there may be many outcomes of external audits that are reported only to the board or only to management.
Within the Australian Government, external audits are performed on behalf of the Parliament, which represents the electorate. Australian Government external audit reports are published online, in full.
Audits by regulators such as the taxation office, safety authorities, or by client enterprises, may also be called external audits.
Internal audits are performed on behalf of the board or audit committee. Both the board and the audit committee aim to represent the whole stakeholder community, though indirectly and imperfectly. The advantage of internal audits is that they can investigate and report on any aspect of the enterprise. External audits are necessarily more restricted, and they are usually scoped by laws and regulations.
|This series, and most of the Clear Lines, use the word ‘audit’ in this narrow sense. The word ‘audit’ is often used in other ways. Sometimes it means a stocktake, reconciliation, or inspection, conducted by someone within the management hierarchy but separated from the original activity. In healthcare, an ‘audit’ can be research based on records rather than on current patients. An ‘audit’ (more often an ‘audit log’ or ‘audit trail’) can also be an automated record of activity, not routinely evaluated by anyone, but available if necessary. These other classes of ‘audit’ are not covered in this article.|
To whom audit recommendations are made
Audit recommendations are made to the executive management hierarchy of the enterprise.
Internal audit recommendations are usually addressed to a specific position within the executive management structure, preferably no more than two management levels below the CEO. Sometimes the recommendation may require action from two or more positions, such as from both the CIO and the CFO. Life is easier if the audit makes separate recommendations to each position.
External audit recommendations may not specify a responsible position within the management structure. If no position is identified, the CEO must respond to the recommendation and implement any necessary action. In practice, the CEO usually delegates all the activity to an appropriate internal position, including the conversations with auditors, but remains formally responsible. All formal written communications with the auditor pass through the CEO.
|It is possible, though unusual, for audit recommendations to be made to the board, or to the audit committee. Auditors’ recommendations made to an audit committee are best treated separately from ‘audit recommendations’ made to the management hierarchy. This series applies only to recommendations made to the management hierarchy, that is, the hierarchy from the CEO downward.|
Are audit recommendations mandatory?
Recommendations themselves are not mandatory. Management is accountable for closing the deficiency or gap identified by the audit, or for showing that there is no gap to close.
It is mandatory for management to follow through on any commitments made at the time of the audit, or to show that they have done something better for stakeholders.
If keeping commitments has not been mandatory in the past, the Chief Audit Executive must make it mandatory. The Chief Audit Executive can do that by tracking actions on each audit recommendation, and by reporting to the audit committee when action commitments are not being met.
Executive management is not required to agree with the audit’s assessment of the original gap. Still less is management required to implement the audit recommendation. Management can and should challenge both the gap and the recommendation, based on evidence and analysis. The auditor must respond to such challenges. The process will have been successful if the final agreed position has a high degree of support from both management and auditors, and the audit still tells the committee what it needs to know. In many cases management and auditors will agree from the beginning, especially if the audit has been done well.
As the agreement is approached, the auditor may change the finding and recommendation in the report. Whether or not the auditor changes the report, management formally responds to the recommendation in their own terms.
The management response appears in the final audit report. That management response will contain management’s commitments to action.
The Chief Audit Executive then tracks the management actions on those commitments.
Management’s accountabilities are to the board. Management is not accountable to the auditor or to the Chief Audit Executive. The accountability to the board runs through the audit committee, via the Chief Audit Executive. If management does not respond to the audit in a way that satisfies the committee, the committee can bring about consequences for management. Specifically, if the audit committee is not satisfied with an executive’s response, the committee can take up its concerns with the CEO. After that, the CEO becomes accountable to the audit committee for improving the management response. The CEO cannot generally afford to appear uncooperative at that point, because the audit committee reports to the board.
|In the public sector, the CEO and Board roles might be combined. On paper, that might seem like the worst possible idea for governance. In practice, the CEO also has a high level of accountability to the Government Minister, Parliament, Public Service Commissioner, Auditor-General, budget agencies, and many others. As a result, the public sector CEO is on a shorter leash than any board. The audit committee may be subordinate to the CEO on paper, but the audit committee has direct communication paths to all of those other stakeholders when necessary. The audit committee is also accountable to each of those stakeholders in the event of an important irregularity.|
Management should not be placed under pressure to implement an audit recommendation at the expense of more important stakeholder interests. Audit recommendations are only important to the extent that they represent a deficiency relative to stakeholder expectations. Audit recommendations may well be compelling and urgent, but many are not. Having regard to the totality of stakeholder interests, management might sometimes delay or decline implementation, for good reasons. It is not in anyone’s interest if management expedites implementation purely to report completion and silence audit nagging.
For these reasons, it is best not to use numerical measures of recommendation closure as direct performance indicators for managers, or for auditors. A manager’s response to audit recommendations should be considered as part of overall management performance, without direct reliance on numerical measures.
|Auditors||Version 1.0 Alpha|