Internal Auditing and Fraud Investigation

Mark R. Simmons, CIA, CFE

Articles on Internal Auditing

Responding To Audit Reports - A Common Sense Approach?
By Ian Campbell, CIA CISA

EXECUTIVE SUMMARY

This document is meant to assist management with the audit report. Hopefully it provides food for thought, a document which assists you in clarifying your own thoughts.

Management Responsibilities

The draft audit report will be distributed to the affected Vice Presidents and senior line managers for comments. We ask all parties to;

Identify the FACTS

1) Review the document for completeness.

2) Review the document for factual errors, particularly tables.

Identify the ISSUES

1) Read the report from the point-of-view of the auditors. The auditors are attempting to present an independent point-of-view, to communicate something that they deemed important enough to be put in writing. Whether you accept their point-of-view is a decision to be made later.

2) Identify the issues the audit report is trying to bring forward. Look for the big picture. Try to identify interrelated issues. Audit report issues often cross vice-presidential areas.

3) If the issue is not valid then the recommendation is moot. Disagree and address the validity of the issue. Has the real issue been identified? If the issue is of lesser significance request that the issue be moved out of the audit report and into a management letter.

4) Right Issue - Wrong recommendation. Auditors make their living identifying problems, solutions are not always their forte. And solutions are a management responsibility. If you agree that a valid issue has been raised however you cannot agree with the recommendation, address the recommendation. If you have a "better idea", better solution to the problem, say it.

If the problem has been already corrected or a plan of correction has been developed, say it.

5) Out-dated Policies. Is there a problem with the policy which was used as the criteria? Auditors are required to use policies as the criteria. They do not write the policies. Sometimes the audit report may be used to change policies. Address the policy when necessary.

6) Issues missed by the auditors. The auditors might have missed an issue. Just because the auditors "missed one" doesn't mean that the issue should not be persuade and resolved within the confines of the Agency.

Think Through the RECOMMENDATIONS

1) Some recommendations appear overly simplistic.

For example, a report might say that management should perform monthly reconciliation's of revenue and cash. What the report might not have mentioned is that the computer support does not provide the necessary information to perform the reconciliation. A system enhancement is necessary.

Management Comment - We agree. To implement the recommendation it will be necessary to enhance the current accounting systems. As soon as the necessary modifications have been made management will perform monthly reconciliation's.

Auditors understand that change does not take place overnight. They appreciate the time and effort required to implement the recommendation. They are more interested in the plan and follow through.

2) Does a thread of common sense prevail? Try to sit back an analyze the auditor's recommendation and your response from a different perspective. Could you explain your position to an average laymen?

3) Do the decisions that you have made represent half-decisions or full-decisions? Are there assumptions used in your logic and what are the assumptions? Are you meeting the real need, considering all the options and thinking it through? Are the decisions based on fact applying integrity, intuition and insight?

4) Get to the point. Auditors prefer that management comments immediately follow the recommendation. You may explain your position at length however, summarize into a short concise management comment that can be published.

After the Audit - The Action Plan

1) Don't use the report to assess blame. The report is merely recommendations to correct problems. The report is not, was never intended to be and should never be used as an individual's evaluation of performance.

2) Audit reports are sometimes opportunities for some managers to demonstrate their skills. Problems occur all the time in large organizations, the measure of worth of management is not measured by the number of problems but by the responses to problems. This is called Leadership.

3) Do use the audit report to establish accountability directed toward a specific objective or goal. To accomplish the objective or goal there needs to be a "plan of action". The individuals accountable for the action should understand what needs to be accomplished, by whom and by when.

4) Set the right tone within the organization. Give recognition to those individuals responsible for successfully implementing the corrective action. After all, didn't they just demonstrate their skills, leadership and improve the agency? People are important.

---

About the Author, Ian Campbell, CIA, CISA

Member - IIA, Albany Chapter
Member - ISACA, Hudson Valley Chapter

Comments - contact the author at America On-Line (IanCampbel) or on the InternNet (icc95@poppa.fab.albany.edu)

Copyright © 1995 Ian Campbell, All rights reserved

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com