What to read first: What is an ‘audit recommendation’?
|Auditors||Version 1.0 Alpha|
Check the vocabulary for audit recommendations
Recommendations resolve deficiencies
The primary purpose of audits is to generate independent assurance, or the opposite of assurance, warnings. External audit reports on financial statements are generally only a statement of independent assurance.
Recommendations are a by-product of the audit process. If the audit does not provide unqualified assurance, the audit must fully explain the deficiency resulting in the lack of assurance. If there is such a deficiency, and the auditor is sufficiently informed to declare it, the auditor will also have capacity to advise management on how to fix it. Management is not expected to accept the existence of the deficiency, without the auditor’s explanation of what to do about it.
The audit recommendation is the auditor’s advice to management on how to rectify the deficiency.
In external audits on financial statements, the recommendations are made to management privately, separate from the published audit report that contains the statement of assurance. The private document containing the recommendations may be called the ‘management letter’ or ‘closing report’. There are usually at least some deficiencies and recommendations, even if the published audit report is unqualified assurance on the financial statements.
Levels of deficiency
Recommendations can arise from different levels of deficiency discovered during the audit. A deficiency is not necessarily serious, in the way that missing money is a ‘deficiency’. This series uses the word ‘deficiency’ to include any gap between management actions and the expectations of stakeholders. Both sides of the deficiency are defined and assessed by the audit, and can be disputed. Some levels of ‘deficiency’ include:
- The activity being audited is definitely not consistent with stakeholder expectations.
- The auditor is unable to see sufficient evidence that the activity is consistent with stakeholder expectations.
- The audit discovered breaches of mandatory requirements (law, regulation, or mandatory external obligations). All such breaches must be reported, even if the audit provides positive assurance on the activity itself.
- The activity is not being carried out as well as stakeholders might expect, even if it is effective and compliant.
- The activity is effective and efficient for its primary purpose, but some secondary outcomes are not being supported optimally. Secondary outcomes might include, for example: records management; support for corporate standardisation, centralisation, or decentralisation; preferred employment and procurement practices; industry or sector cooperation; or broader stakeholder relations.
- The activity is not being done in a way that the auditor considers to be better practice, whether or not the benefits of change are clear and quantifiable.
These ‘levels’ do not form a neatly ordered and mutually exclusive classification scheme for deficiencies. There is no single classification scheme for audit recommendations that automatically leads to optimal tracking.
A deficiency at any of these levels can result in an audit recommendation. If the audit report suggests that any of these deficiencies exist, there should be an audit recommendation addressing each one. Lower-level deficiencies and recommendations can be discussed outside the formal audit reporting process, without formal accountabilities.
Resistance is common
There is usually some resistance to implementing audit recommendations. Management may have a different opinion. Equally, management may agree with the audit, but find implementation difficult for reasons out of their practical control.
Resistance or delay can follow simply from the fact that things were being done a certain way, for reasons that were persuasive up to the time of the audit. If the audit recommends something different, those persuasive reasons will continue to work against the change. For these reasons, the Chief Audit Executive monitoring process must be firm and consistent, and conflicts need not be interpreted as personal power-plays.
|Auditors||Version 1.0 Beta|
Main article on Audit recommendation tracking