Updated: Jul 16, 2019
Helping with audit recommendation implementation.
They're loathed by everyone. Loathed by recommendation owners who are charged with responsibility for implementing the agreed action. Loathed by the auditor responsible for making sure they are implemented on time. And loathed by management and committee members who constantly see the number of actions and their current status.
Audit recommendations are never really liked.
Having worked across various audit departments, it's evident that how internal audit is perceived and respected by the business determines the likelihood, timeliness, and quality of audit recommendation implementation by the business.
One internal audit department had a very clear, but somewhat harsh, approach. It was made clear by the Director that, under no circumstances, was the auditor to help the business with implementing recommendations. The business, equally, knew they were not to ask. The logic from the Director was that an audit report and its recommendations should be clear and specific enough that the business fully understands what is required of them, and what risk is being addressed by the recommendation.
The theory held by the Director was very reasonable; however, the approach to monitoring recommendation implementation was unorganised and dependent on the individual auditor associated with the report. Furthermore, the lack of communication with the business after the report was issued often resulted in missed implementation deadlines, or rushed work on the part of the business, meaning due dates would be extended, resulting in more work for both the auditor and the business.
The approach, ultimately, did not help the already distant relationship between the business and the audit team, nor did it help the overarching goal that the recommendation aimed to achieve.
A second approach was almost the complete polar opposite of the first. The business's ability to implement recommendations was near non-existent. Recommendations were largely overdue, or accepted with lacklustre supporting evidence. As a result, audit team members were actively encouraged to "assist" the business in implementing recommendations, with many simply performing the required actions themselves. Although this helped the business achieve the desired goal immediately, the business would often become complacent and dismissive of recommendations, knowing full well that audit would just resolve the issue alone.
This situation resulted in many issues. The most obvious are independence and self-review threats. Particularly for cyclical audits, team members would in effect be reviewing recommendations implemented by either themselves or fellow team members. Secondly, it encourages diminished responsibility, with the business not seeing themselves as responsible for the issue, or even accountable for the recommendation or the overall process.
Whilst this approach was great at keeping audit recommendation numbers low and overdue items to a minimum, it only resulted in future issues for the audit team.
Interestingly, the approach for following up on action items, whilst formalised, was rarely followed and extremely ad-hoc, confusing both the audit team and business alike.
Finally, a third approach provided a reasonable hybrid of the two previously mentioned. Although the internal audit function was managed by a private firm, the process for follow-up was well defined. Furthermore, the process was communicated in detail to the business, with expectations set. The business was encouraged to seek advice and help where necessary, but still maintained responsibility for overall implementation. As recommendation follow-up was only performed four times a year and 'audit champions' were assigned in the business, all parties knew what timeframe was followed and what was expected if the business wanted the recommendation marked as 'complete'.
It's a fine line to tread between helping the business and implementing their recommendations for them. Audit needs to be seen as a friend, not a foe, but also cannot be seen as a 'fixer'; after all, those in the business should be better placed to implement any recommendations.
Whilst there are many ways to monitor recommendation implementation, it's clear that the method and process for monitoring also largely impacts the success and quality of implementation. This will be discussed more at a later date.
The Chartered Institute of Auditors (UK) released guidance last year on good practices for audit recommendation follow-up. They too acknowledge that audit recommendation follow-up is always easier said than done. You can view the guidance here.
How far is too far when it comes to helping a business area implement their audit recommendations? What level of involvement have you seen which works well for both the business and the client?