The inherent problem with (some) audit reports

November 8, 2021

There are quite a few articles and blog posts that bemoan the situation where management fails to implement the recommendations in the audit report.

One example that merits our attention is by Richard Chambers, Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit.

I believe there is a fundamental problem that is simply not being addressed.

That problem is that auditors believe that one of the reasons for writing a report is to persuade management to take action.

Sorry, that is not realistic.

People are rarely persuaded to act differently by a report.

It is far better to talk to management, agree on the facts, and then see if you can agree on the severity of the situation. Only then, work as a trusted partner with management to agree on the corrective actions that are right for the organization.

The auditor needs to listen respectfully to management – something that many auditors do poorly if at all.

Don’t issue a report, even in draft, until after the auditor has had a meaningful discussion with management.

If there is disagreement on the facts, the auditor should understand why. It may be necessary to do more work.

If there is disagreement on the severity of the situation, the auditor needs to ask why management disagrees. What is their assessment and why?

The auditor needs to listen actively, with an open mind.

Management almost always will have a better understanding of the business, the risk to the organization’s objectives, and whether the risk (if any) should be taken – whether it is justified.

Once the auditor has shared even an initial draft, the potential for conflict has escalated. The auditor doesn’t want to change the report and management feels the auditor doesn’t understand and is not listening.

Not a recipe for a trusted relationship.

Once the facts and the severity are agreed, then attention turns to corrective action.

Again, it is far better to talk about this than make a recommendation and wait for a response.

I prefer to see if management has a suggestion first, but if they don’t the auditor may say (not write) what they believe will work. Both need to consider the effects of any action; sometimes there are undesirable side effects.

The desired result is action that will address the issue – the root cause of the issue at that – and makes good business sense.

It is far, far better to agree on “agreed action items” in a meeting with management and confirm them in the audit report, than to issue a report with recommendations and responses. (Worse is to issue a report with recommendations and ask management to reply with their responses. It is hardly working as a trusted partner!)

Including “agreed action items” in the audit report has been a best practice for more than 20 years, so why do people still talk about management not agreeing with recommendations?

I welcome your thoughts.

  1. John Fraser
    November 8, 2021 at 6:37 AM

    I don’t think you have covered this topic totally. Yes, we need to do all that you say, however, there are many reasons that line management does not wish to take action, e.g. lack of a budget. We then have to take the issue up the food chain, including to the Audit Committee. I have several times been able to get resources at the executive level or the Audit Committee that line management could not get by themselves. I believe that once I have presented my recommendation and management has also presented their views to the CEO and Audit Committee, they then accept the residual risk and I have done my job.

    • Norman Marks
      November 8, 2021 at 6:47 AM

      John, did you issue your report and only then escalate the discussion to executive management? I agree that sometimes the audit committee needs to get involved – but even then it’s a discussion; they are not persuaded by the report alone.

      • John Fraser
        November 8, 2021 at 6:59 AM

        Before wrapping up the audit, all matters were discussed with line management to clarify the facts, get their input and share our suggestions for improvement. Usually this resulted in their agreement and an action plan to be developed. We then left a draft report with line management for their written responses/ action plans etc. We gave them a template that said: Agreed/Disagreed. Action plan. Date to be completed. After we received their written responses, if there was a major issue, we would explain that we needed to discuss it at a higher level and then do so. If it could not be resolved by the executives and the CEO then it would be reported to the Audit Committee and the executive responsible would have to explain why no action would be taken. This did happen but not very often as senior management would usually see the risk/opportunity and take action.

  2. November 8, 2021 at 9:15 AM

    The talking must start at the beginning of the audit to agree the objectives and related risks/opportunities identified by management. Auditors can then assess whether these risks/opportunities are being properly managed to ensure the objectives are being achieved and have a further discussion to provide evidence where this is not the case. Management can then provide the actions they will take to ensure the objectives will be met. The report can then be written stating the action to be taken.

  3. Norman Marks
    November 8, 2021 at 10:19 AM

    David, I agree except that management needs to be part of the discussion about “whether these risks/opportunities are being properly managed to ensure the objectives are being achieved”. They will have a better handle (I hope) on the risks and the effect of any poor controls. They will also be able to point to compensating or mitigating controls.

    I like the auditor to participate in the determination of corrective actions. They should neither dictate them nor require management to come up with them by themselves – if for no other reason than they need to be able to confirm that they will address the risks satisfactorily.

    • Norman Marks
      November 8, 2021 at 10:21 AM

      PS – the risks and opportunities to be included should be those that can affect the achievement of enterprise rather than local objectives.

  4. November 8, 2021 at 1:23 PM

    Norman, sorry I didn’t make it clear in my original post that the discussions are with the management not just between the auditors. I agree that an audit is a partnership from the beginning.
    And yes the objectives are those of the enterprise.

  5. November 9, 2021 at 1:35 AM

    Overall, my experience tells me that ‘management’ [whether middle or upper echelons] on average has a very *poor* understanding of the actual risks. Auditors happen to be better at that ..! Possibly because they’re trained to have risk in mind throughout their work. [Don’t get me started on the swarms of auditors that are mere drones (classic meaning), but still…]

    • Norman Marks
      November 9, 2021 at 6:26 AM

      Sounds like a teaching moment, Jurgen

  6. Mike
    November 10, 2021 at 9:43 PM

    Agree, it is the first choice approach generally what I always strived for and worked well. Never saw it as the role of the audit committee to negotiate such disagreements. If you are a respected internal audit department this seldom occurs. The few instances where such a collaborative approach was not always possible to be achieved, outside of fraudulent circumstances, I found organizational culture, performance measures/ incentive systems or the inability to act due to lack of resources as the root causes.
