The audit cycle has several critical stages that, if not managed properly, could compromise the quality of the rest of the work. Documenting control deficiencies or findings is one of those nebulous areas where auditors/reviewers must become advisors, enforcers, and project managers to obtain management's buy-in and secure the organization's control system. The International Standards for the Professional Practice of Internal Auditing from the Global Institute of Internal Auditors (IIA) include important guidance to help us communicate our work. Specifically, Standard 2420: Quality of Communication states that communications must be accurate, objective, clear, concise, constructive, complete, and timely. These guidelines should always be top of mind when documenting audit work. Let’s review some lessons learned from many years of practice as an internal/corporate auditor and as an international consultant to audit/compliance organizations.
5 Key Issue Writing Best Practices
Be Strategic. – It is very important to document clearly what the issue is. It is just as important to raise critical issues that impact the operating effectiveness of the system controls. Not all control deficiencies found during the audit are report material. Some observations are good for informational purposes.
Document facts, not feelings. – When documenting observations, remember the goal is to audit the effectiveness of the control, not the person in charge of the control. Focus on the facts and do not let your feelings find their way into your writing.
Support your finding. – Avoid bringing to management's attention findings that have little to no evidence of control failure. Ensure you gather substantial evidence to prove your case. Remember, 1 exception does not always escalate to a documented issue.
Highlight the Impact. – Be prepared to monetize the business impact of the issue being raised. Help management visualize what could happen if the findings raised are ignored or pushed down the priority list.
Keep in mind the Big Picture. – It is important to pay attention to the details. However, remember that sometimes the evidence points to the symptoms, the instances where controls failed. We should always understand the overarching disease. Aggregate the details found. Identify and communicate the macro issue, supported, of course, by the details found in your testing.
Issue Recommendation Best Practices
Assign ownership. – Each recommendation must have at least one owner, concise action items, and an expected remediation date. Anything less than this will cause delays in the successful remediation of the observation raised.
Target the issue. – Every audit recommendation must be directly linked to a control/process tested during the engagement. Both management and reviewers need to present a clear connection between the observation found and the recommended next steps to remediate such deficiency. There is no room for ambiguity during this process.
Coach Management. – If requested, be prepared to guide management on how to properly implement the recommended solutions. Do not assume that management knows how to put in place the remediation required to mitigate the control deficiency. This is a great opportunity to remove your police/auditor’s hat and become a temporary business consultant for the greater good of the organization.
Ensure timely validation. – Strive to review management's progress towards the recommended action plans when they say they have completed the assigned tasks. Recommendations cannot be deemed completed just because management “Finished” their work. It is the audit department’s responsibility to validate that the implemented action plan meets the expectations.
Manage follow-ups. – Scheduling your calendar to follow up on the action plan completion dates is just as important as documenting the issues and recommendations shared during the end of the fieldwork or the exit meeting. If follow-ups are not performed to track progress, all the work completed up until the issue’s presentation becomes futile, just busy work that eventually gets filed away until the area/business unit is audited again.
There are many more best practices not covered in this brief document. However, this list can be used as a foundation to reinforce your audit process and/or consider incorporating some additional best practices into your organization.