
Getting from recommendations to actions

November 17, 2021

I recently wrote about an inherent problem with (some) audit reports.

I discussed the fact that some auditors believe they can persuade management with an audit report to take action to correct a deficiency.

I pointed out that a report is far less persuasive than a face-to-face discussion, with both management and the auditor sharing and listening openly to each other.

One of the people who commented on the piece talked about a management failure: failing to follow through and take the actions they had agreed in the audit report. As I read and considered the point, I came to believe that the writer was talking about this:

  1. The auditor drafts a report, discusses it with management, and makes recommendations for corrective actions.
  2. Operating management reply in writing, which is included in the audit report, that they agree and will take defined actions by a certain time.
  3. The due date passes without the actions being taken.

The author of the comment said this was 100% a management failure.

I am not so sure.

There is certainly a failure of management to keep their commitment, and this needs to be discussed with them and probably their management. It may be indicative of another and more serious problem with management.

But sadly there is often an internal audit failure as well.

We might have one or more of these situations:

  • Management agreed on the facts, but not whether they indicated a risk of significance. As a result, even though they committed to taking action, they did not make it a priority.

Maybe they agreed because “the auditors tell us to do it”. They may fear disagreement and how it would look to senior management or the board.

When I was a vice president in IT, my information security team was subjected to an internal audit (deliberate wording).

One of the issues identified by the auditor related to the way in which we allowed our senior executives to dial in to our data center from home. (This was before remote access was through the internet. Back in those dark days, the executives used a modem to call a dedicated phone number attached to a security device that allowed them access after providing their userid and password.)

The auditor read in a book by IBM provided to him by his manager that the company needed to change phone numbers at least monthly. The “risk” was that a hacker could detect the phone number by attaching a device to the executive’s phone line and use it to gain access to our data center and its systems.

Even though the auditor agreed that a hacker would need a dial-in userid and password before accessing our operating system, a different userid and password for the operating system, and yet another userid and password for each application, he included this as a “high” risk in his audit report. He recommended that we change phone numbers every month.

In a meeting with the auditor, after he agreed with the facts, I pointed out the disruption that would be caused by constantly changing the dial-up phone number. Every month, our help desk would be besieged by angry and frustrated executives demanding not only the correct number but an end to the insanity.

Nevertheless, his manager insisted on including this as a high risk in the audit report.

I provided my response, disagreeing with the rating of high risk and explaining why this was the wrong action to take for the business.

I received a call from my boss’ boss, an Executive Vice President and direct report to the CEO. He told me that management never disagreed with the auditor. We had a “constructive” discussion about it, with neither of us willing to concede the point.

I have seen this before, where management is afraid of how it would look if they disagreed with the internal auditor. So, they agree on paper and delay in practice.

  • While management agrees to the auditor’s recommendation, they don’t see it as a priority. They have more important issues to address that require the same resources.

The auditor is happy that management agrees with the finding and recommendation. However, they don’t seek to understand management’s other priorities.

I had this with the same audit of information security.

The auditor had taken every item in our information security software implementation project plan and made it a recommendation. They did not indicate that we had already identified the need and it was on our schedule. Instead, they “recommended” (read as “insisted”) that we complete each item within a month or two, ahead of plan.

When I pointed out that we didn’t have the resources to move more quickly, and that it would be risky to move faster than we had planned, they stood their ground.

They agreed my team had properly prioritized each task in the project and that we couldn’t move faster. Nevertheless, that is what they recommended.

I asked that they say something about resources being limited, but they would not.

At the direction of my management, we agreed to the recommendation but continued to proceed at the pace set out in our project plan.

  • When I was with Tosco, we agreed to acquire refineries and other assets from BP on the West Coast. I asked my counterpart at BP for copies of any audit reports for those operations, which I received soon after.

One of the audits was of the refinery at Ferndale in Washington state. The auditor had made many recommendations, including one to remove access by receiving personnel to information about what had been ordered. As a result, they would no longer be able to check that the items received were the items ordered, including whether the quantities were correct.

The action was countermanded when more senior management got involved, after they read the audit report.

The auditors were not informed of the change in plans. They only found out when they followed up to confirm the recommended actions had been taken.

  • I have seen situations where management agreed with the recommendation but later decided there was a better response. They took business-appropriate actions in response to the risk, but they were not the actions recommended by the auditors.

I want to make a few points:

  1. Make sure, by listening openly and collaboratively to management, that you understand the true business risk and how significant it is to the business.
  2. Take the time to identify and address the root cause(s), not just the symptoms. Be brave enough to suggest that management doesn’t have enough people, or the right people, if that is the case.
  3. Discuss the options for addressing the risk, including how difficult and time-consuming they might be – and whether there would be other consequences. For example, would fixing one risk prevent management from having the resources to fix another one, or seize an important opportunity?
  4. Don’t ask management to do what you wouldn’t do in their shoes!
  5. Make sure management recognizes, truly, that it is in their own interests to take the actions. It will improve the likelihood and extent of their own success, as well as that of the organization. If they don’t believe it, they may not do it. They need to want to take the actions, they need to own them. They aren’t doing them just because the auditor said so.
  6. If they understand the facts and their implications but don’t believe it represents an issue deserving prompt action, why should we? Is our understanding and assessment faulty?

In other words, don’t just sell your finding. Make sure you have a committed buyer.

Management will 100% deliver on actions they believe are high priority and in their own interests.

They will dawdle if the only reason to take action is “the auditor told us to do it”.

I welcome your thoughts.

  1. Richard Fowler
    November 18, 2021 at 6:10 AM

    Norman, those are some fascinating examples. I can’t believe that an auditor would suggest changing the phone number to improve security. As if calling the help desk wouldn’t provide a hacker with the new number without even resorting to social engineering! In my 25 years of internal auditing across 7 companies, the process has always been to vet an issue and the recommendation with management to make sure we had our facts right, the risks identified and the root cause addressed. Honestly, I thought that was the way everyone did it! And it’s not that unusual for the auditor to learn that something had been overlooked in fieldwork resulting in the issue being retracted – and that’s much easier to do before the audit report is distributed.
