Listen to and work with management on “findings”

I was a vice president in IT when there was an internal audit of information security, which was one of my responsibilities. It came while we were in the midst of implementing the ACF2 security system.
The draft “findings” that were presented to me were like this:
We found that security over xxxxx has not yet been implemented. This represents a significant risk that should be addressed promptly.
The auditor acknowledged in our meeting (just the two of us) that:
1. We had told him about the security gap. It was not something he had “found”.
2. Our project plan already included the necessary action.
3. We didn’t have the resources to complete the action earlier than in the plan. Internal audit refused to recommend that we hire additional staff or consultants to accelerate the project.
4. The plan correctly prioritized all the actions we should take to complete the ACF2 implementation. In other words, the actions scheduled before this one were of a higher priority.
5. Our reports to top management already communicated where we were and what remained to be done.
However, the audit manager decided that the report should go out with the language in the draft. None of the five points would be mentioned. I was told that we could include them in our management response.
So I drafted a response that said all of that. I tried to tone it down, despite my anger, by including my thanks for raising the issue. But it was still a refutation and any reader might and probably would see it as confrontational.
My management told me to change it and simply agree that we would take the actions as soon as possible.
This is not how internal auditors should work.
When I was CAE, my team would see situations like this.
Our report would explain that there was a risk to the business, that management was already working on it and taking the necessary actions, and they did not have the resources to make the corrections faster.
While we might recommend adding resources if we felt they were justified by the risk, we might also state that we agreed that the level of resources applied was appropriate.
This approach has multiple benefits:
1. It is honest, balanced, and fair. It gives credit where due, not just blame.
2. It helps our customer understand the situation, instead of trying to figure out who is right when the management response is not “We agree and are taking the actions as described.” Even that response may hide the fact that management doesn’t really agree but is going along because it’s easier that way. This is the root cause of many delays in implementing recommendations that appear to have been agreed.
3. It promotes a healthy relationship between IA and operating management.
4. It promotes the right action for the business. Management is not under pressure to make changes just because the auditor said so.
5. The corrective actions get done because management is fully on board and owns them.
This is just one of the reasons why I hate the practice of sending a report out, even in draft, and asking management for a response.
Work with them in partnership and agree on the situation, any risk to the business, and what should be done.
Report agreed action items, not recommendations and responses.
Make it easy for the board and top management to get the assurance, advice, and insight they need!
We are, or should be, on the same side.
I welcome your thoughts and comments.
  1. Anonymous
    June 10, 2024 at 1:52 AM

    Totally agree!!!!

  2. rammarappan994fd386b6
    June 10, 2024 at 3:20 AM

    Thanks for the article. The auditor should have documented points 1, 2, 4 and 5 as observations in his audit report. The auditor may not be in a position to provide an explicit recommendation, like stating that additional resources are required, but can state that this action not being completed will delay and may increase the risk.

    The learning point is that when the auditee management provides a management response with actions like the above, there should be a gate control where the action lies with management to approve the resources. In that case the auditor should interview management, record the observations, state the findings and who is the action owner.

    Practically, the auditor would like to interface with the auditee management and not the Board/C level.

  3. alughmani5
    June 12, 2024 at 9:08 AM

    Agree but do not agree … As an internal auditor I faced many situations where auditees forced us to do management’s job. For example, we recommended an SOP for some processes. In the initial response the auditee agreed, but in the follow-up audit they demanded that we draft the SOP or help draft the SOP for them. In this scenario it is sometimes difficult to make them understand the job of internal audit, and they replied that you are just blaming us but not helping 🥹

  4. BenJamon
    June 17, 2024 at 6:33 AM

    The auditor showed they were uninterested in giving management credit for work they had already done. It would have been more productive if they had acknowledged that in their final report.

    However, I don’t understand why you dislike when the auditor sends a draft report to management requesting a response. Perhaps the draft isn’t being discussed first? The auditor and auditee should be having discussion throughout the audit as well as discussions on the draft report. This ensures buy in from management so that recommendations are actually implemented.

    I wonder what your thoughts are, if the private sector implemented gold standard meetings with their auditors like the public sector has. They are used to talk about developing issues.

  5. Anonymous
    June 17, 2024 at 7:20 PM

    Brings the auditor’s objectivity into question and, as stated, loses the trust of management. Doesn’t add any value to the organization operating like that either way. I don’t see this situation often; generally you need to assess quickly how significant the potential open risk is and whether action plans are on track/well founded, and provide support or guidance in closing quicker if significant, else resources are better deployed elsewhere. Interesting comment that they can’t make recommendations on resources; that is a discussion topic on its own.