Most internal auditors will agree that the audit report is the most relevant deliverable we prepare. It also is the document that we create under the greatest pressure and within the shortest allotted time. Ironically, the most important thing in the report is the only part that we do not write: management's remediation plans. However, this situation creates a unique opportunity for auditors to exercise our role of business partners and trusted advisors more than ever.
Think about the many times auditors have completed an audit and were ready to move to the next project (I can imagine your faces). We learned a lot about a new area, did so much testing, and spent a lot of time with management communicating the facts and discussing the audit recommendations to ensure they were reasonable and feasible. There were many conversations, but we had not yet received the action plans. I'm not saying it happens in every project, but it is more common than we wish.
Then, when we finally saw management's remediation plans, we were so tired that we were tempted to just paste them into the audit report and call it a day. Once in a blue moon (I am exaggerating), the action plans were within the acceptable criteria of being specific, measurable, achievable, responsible, and time-bound (SMART). Here are the most typical challenges — opportunities — that I find:
- The plans might not appropriately address the root causes of the issues. If auditors let that happen, the organization will waste resources and the same symptoms we just saw will be there when we go back to validate the improvements.
- Management's expected completion date is unrealistic. Sometimes, management is so engaged that it wants to fix the problems by yesterday. In those cases, auditors need to let management know that while we appreciate its commitment, we believe the proposed due date would be difficult to meet. We should tell management that we will back it up with the audit committee and executive management if they question the extended time. We do not want to come back to validate improvements and find that the issues have not been fully addressed.
- Management wants too much time to complete the plan. Sometimes management's remediation plan looks fine, but the actions would not be completed within a reasonable time. Auditors can't let that happen either. We must ask management what will be done in between to mitigate the risk. Otherwise, we need to advise management to provide an earlier due date.
After all the partnering with management, auditors may find that management's action plans are still unacceptable. That is when management is accepting a risk that would be beyond the organization's risk appetite or tolerance level. This should only apply to significant risks, including safety, security, reputation, ethics, laws, and strategic matters.
In this case, auditors must escalate the situation to the next level of management and all the way to the top until we obtain adequate responses. Ideally, we should be able to work it out as we engage with more senior people. However, it could be that action plans were not upgraded, and that is when we must have a conversation with the audit committee. I have experienced this a couple of times, and I feel that I could have done much better in partnering with management to avoid having to involve the board.
So, do not rush and try to do your best before going to the board — that should be your last resort. You may want to consider delaying the formal publication of the audit report until you have gathered adequate action plans. It takes a lot of time to build trust and respect — and more time to rebuild bridges.
Now let's go back to our internal audit mission. In a nutshell, internal auditors protect and enhance organizational value by ensuring that management's remediation plans are adequate. As a result, we provide management with actionable data to enable positive changes in our organizations.