The situation: An internal auditor makes a series of recommendations to an internal audit client, who refuses to implement one of the recommendations or address the finding.
The internal auditor’s view: The recommendation covers an important point. Her supervisor agrees that the risk of not implementing the corrective action or addressing it would be significant for the organization.
The client’s perspective: He concurs with the finding, but believes the corrective action would take too much time and use too many resources.
The outcome: After several unsuccessful attempts to persuade the client of the validity of the recommendation, the issue is elevated to the CEO. Lacking resolution with that step, the recommendation is sent to the audit committee. The internal auditor and her chief audit executive (CAE) attend the audit committee meeting to discuss the recommendation, gaining support from the committee and the chief financial officer. The issue is resolved (ideally, the client attends the audit committee meeting and hears the committee’s decision directly, but if that is not possible, the audit committee minutes can be used to inform the client) and a cordial working relationship continues.
Although the details of this scenario may vary, it likely describes a situation that is all too familiar to most internal auditors. The recommendations the internal auditor presents may not always be welcomed or feasible, but making those recommendations is integral to internal audit’s role. That role, as Michael Levy, director of internal audit at Student Transportation Inc. in Wall, N.J., describes it, is “to spotlight issues and ensure that the appropriate people are aware and informed.”
But raising awareness and sharing information do not always produce the needed results. An audit client may decline to implement even the most well-researched and clearly explained recommendation, leaving risks that may affect the organization’s ability to achieve objectives unmitigated. When this happens, Standard 2600: Communicating the Acceptance of the Risk directs the CAE to discuss the matter with senior management or elevate the issue to the board, if necessary.
What’s Behind the “No”?
As in many instances when two parties fail to see eye to eye, inadequate or flawed communication may be to blame. In the case of unaddressed recommendations, perhaps the internal auditors did not fully explain the value of a recommendation, or they did not adequately define what “recommendation” means within the organization’s culture, or they did not describe the potential consequences of failing to implement the recommendation.
Or, perhaps it is not a case of inadequate communication, but too much of it. “Many times, auditors tend to include every detail of the audit in the report,” Levy says. “I find that executive management and the board are no longer looking for the ‘novel’ version of reports that has become common over the years.” Internal auditors must focus on creating well-organized reports that stick to the point, covering what the reader needs to know, not everything the auditor knows. Each recommendation should be supported by a full description of the related risk, which will help establish the importance of the recommendation and the potential implications if it is left unaddressed.
Kevin Alvero, senior vice president of internal audit at Nielsen in Tampa, Fla., recommends using a categorization approach to clarify communication with the client. “If you clearly categorize recommendations based on risk (high, medium, low), you greatly reduce the chances that the most important ones will go unaddressed,” he explains. “I think that is very intuitive to people: They understand that if they don’t address the high-priority recommendations, there is a risk of that issue going forward.” In an annual audit process, recommendations that appear multiple times may move to a higher risk category — a signal to management of their importance relative to risk.
At Principal Financial Group in Des Moines, Iowa, Cindy Bolton, audit director, reports that implementation of an enterprise risk management framework has encouraged communication around risk and risk metrics by the chief risk officer (CRO) and all the risk officers throughout the business. “We have a lot of discussion about risk and controls from the second and third lines of defense, as well,” she adds, “and a lot of time working in partnership with the second line, so the message to the first line is one continuous stream.”
Besides communication, another possible reason for nonimplementation relates to resources. The benefits to be derived from the recommendation may not justify its cost, in the eyes of the client. Or the drain on other, nonfinancial resources may be prohibitive (although, if the recommendations are focused on issues that exceed the organization’s established risk tolerance, this should justify adding resources). Auditors have a responsibility to understand the business well enough to be aware of the financial impact of the recommendations they are making. “Otherwise,” Alvero says, “they are not fully serving the needs of the client.”
When building an understanding of an issue that will be included in the audit report, internal auditors need to consider the cost, impact, and significance related to the issue. This enables the auditor to weigh a high cost to remedy against the possibly low impact and likelihood of misstatement associated with the issue. Although the internal auditor should definitely take the lead in these considerations, it should not be a solitary exercise. The client should play an active role.
Avoiding the cost-benefit objection can be as simple as discussing with the client the feasibility of various approaches and devising a management action plan in conjunction with management. When those discussions are held, the result “is not ‘internal audit recommends and management responds,’” Bolton says. “Management is already involved.”
If the cost of a recommendation is unknown, an approach might be to divide it into two parts: management researching the cost of possible solutions and internal audit determining whether these solutions adequately address the recommendation. This enables progress to be made, rather than hitting a brick wall of “no” the minute the cost is considered. Another workaround for expensive recommendations is for internal audit to make alternative recommendations (such as extra reviews and quality reviews) that address the same risk at lower cost.
“Developing recommendations is one of the areas where we, as a profession, have an opportunity to act as consultants and not only add value directly to the organization, but also to our stakeholders,” Levy notes. “Many times, when recommendations are developed in a vacuum, without management’s input, the desired outcome is not reached.”
Communication and resources are not the only roadblocks to implementing recommendations. Kevin Patton, director of internal audit at The Ohio State University in Columbus, points out that a client’s adoption of a recommendation may be affected by changes to existing information systems or implementation of new information systems, which often take longer than estimated. “System issues seem to take more time to resolve than other comments, such as financial and operational,” Patton explains. “In those cases, we ask the unit how they are mitigating the risk and get an understanding of their processes.” In some companies, moving to a new platform could make a recommendation obsolete, causing management to decide a short-term fix is not worth the cost. As with costly recommendations, the auditor should understand the business well enough to be aware of systems plans before making a related recommendation.
Other possible situations that may affect the client’s willingness or ability to implement a recommendation include a change in business strategy, loss of staff or changes in staffing, or competing priorities in the client’s area. Ongoing communication with clients is critical to internal audit’s effectiveness in such circumstances. It will help ensure that the internal auditor is informed on the client’s issues and can function as a partner in addressing them.
The Fine Art of Follow-up
IIA Standard 2500: Monitoring Progress states that the CAE “must establish and maintain a system to monitor the disposition of results communicated to management.” Item 2500.A1 speaks of the CAE’s responsibility to establish a follow-up process to monitor and ensure that management actions have been implemented or senior management has accepted the risk of not doing so. Item 2500.C1 specifies that it is internal audit’s responsibility to monitor (to the extent agreed with the client) the disposition of results of consulting engagements.
Whatever the reason for failure to implement internal audit recommendations, that failure has the potential to expose the organization to risk. Therefore, internal audit has a distinct role in monitoring whether management implements the controls it agreed to. While the size and nature of the risk will influence the type and amount of follow-up activity, Following Up Recommendations/Management Actions, a 2016 paper from the U.K.’s Chartered Institute of Internal Auditors, outlines general post-recommendation activities that need to be made clear to the client before the audit:
- How outstanding recommendations/management actions will be tracked.
- How resolutions will be reported and validated.
- What follow-up action might be needed.
- How this will be carried out to provide assurance that identified risks are being addressed appropriately.
Warren Hersh, auditor general at New Jersey Transit in Newark, says a robust follow-up process must begin with the establishment of the department’s verification philosophy, which generally will follow one of two approaches: 1) actually performing a follow-up audit, testing to verify that corrective actions have been implemented; or 2) accepting the representation of management on the status of corrective actions. In Hersh’s experience, following the first approach takes significant resources and focus. His current department uses the second approach, with one variation. “If we have an audit that has significant findings that impact the key risks faced by the department, in addition to reporting to the audit committee, we automatically schedule a follow-up audit either later in the audit plan year or in the next audit plan year.”
Hersh’s team uses audit management software to monitor the status of corrective actions, and that status is reported at every audit committee meeting because it gets the attention of senior management.
At Ohio State, Patton’s team uses a formal follow-up review process for all recommendations that are included in the final report. The first phase is to follow up with clients every 90 to 120 days until the recommendations are resolved. A follow-up review report is issued to the same distribution list that received the final report. After the second follow-up, any remaining unresolved findings are escalated to senior university leadership for consideration and prioritizing with the unit. In fact, according to Patton, during the second follow-up review, the senior leader is responsible for obtaining an updated management response and resolution time frame to set the priority for the unit. If, after a third follow-up review, any unresolved comments remain, Patton discusses those in detail with the audit and compliance committee.
But there is another possibility as well. Management may decide to accept the risk and not resolve the comments. These situations also are elevated to the audit and compliance committee for discussion. Patton notes, “Of course we hope it doesn’t get to that point. And it rarely does for us.”
Principal Financial Group’s process for follow-up is similar to that of Ohio State, with progress checks quarterly. Bolton explains that recommendations are rated critical, high, moderate, and low. Anything moderate or higher receives additional testing to make sure it is implemented to internal audit’s satisfaction. Low items are not tested as rigorously: “We accept their word it’s done.” A quarterly report on the percentage completed and the status of follow-up items is issued to senior management and the audit committee.
Understand the Reason
Alvero points out the need to determine the reason for nonimplementation. Did management make a business decision, choosing not to take the recommended action based on the risk to business objectives balanced against other factors, such as cost and resources? Or did management simply ignore the recommendation?
“Making a business decision not to implement a recommendation is not necessarily a red flag,” he says. “It is not the same as ignoring a recommendation, which obviously would be a concern.” Investigation may be needed into the extent of the refusal to implement, because that is generally not a one-unit decision. In many companies, the business office, the CRO, the audit committee, and other individuals or groups, depending on organizational structure, would have to support the decision.
In some cases, limited resources within the internal audit department may affect follow-up efforts. In these cases, Hersh advises internal audit to prioritize the key risks and then focus on implementation of corrective actions for the more significant risks. He considers this prioritization necessary when assessing whether management has, in internal audit’s opinion, inappropriately accepted a risk by not implementing corrective actions.
Working Toward One Goal
Ultimately, as with so many business transactions, what is being done is often secondary to how it is being done. For its recommendations to carry weight and earn full consideration, internal audit must act as a trusted advisor to the business, establishing and demonstrating a mindset of cooperation and collaboration, not an adversarial relationship. As Bolton puts it, “We have different units, different priorities, different purposes, but ultimately we are one company. We are all working together, trying to do the right thing.”