Let us all recite it together. There are five elements to every finding — the 5 C's: condition, criteria, cause, consequence, and corrective action. If you've passed your Certified Internal Auditor (CIA) exam, odds are that mnemonic was one of the first things you memorized. In fact, there's a good chance that every internal auditor out there, even if they think CIA is just the beginning of a lunch order made up of a nice ciabatta sandwich with a kale and quinoa salad, knows the 5 C's because their audit shop has it built into its reporting process.
Personally, the word "consequence" has always troubled me. Not because there is a problem with the idea of consequence; merely that it is not a phrase or concept that rolls liltingly off the tongue in this context. I like effect or impact. But, then, that makes it four C's and an E or I, and then we find ourselves wondering if it is I before E except after C, and that just doesn't work at all. So, I can live with "consequence."
But there is an abomination upon the profession of internal audit related to the elements that I stumbled across again today. I have come across it many times in my travels, but this time it was espoused in an article from a fairly well-respected group that speaks to and for a portion of the audit community. (Don't worry, it was not The IIA.) It is an aberration of the 5 C's that not only ruins the concept of having five C's, but also dangerously misstates what it is we should be doing for a living.
Take this vow. Never again say your findings include "recommendations."
If you issue a final report and it includes nothing but internal audit's recommended corrective action, then your report is not final and your work is not done.
(Warning: The next paragraph gets pretty darned basic. But it never hurts to go back to the basics. And, based on the fact that people think issuing reports with "recommendations" is okay, a visit to the basics appears to be just what is needed.)
Our job is to provide reasonable assurance that controls are in place to ensure objectives are met. A significant portion of our work revolves around identifying if those controls exist and, if they are lacking, ensuring that such controls are established. The cycle of our work (at the engagement level) is to determine the risks to the objectives, determine the controls that should be in place, determine which of those controls are actually in place, and, if there are any gaps between condition and criteria, ensure the gap is closed. To accomplish this, we must work with the client — them using their knowledge of the business and us using our knowledge of controls, risks, and process — to find how best to mitigate the risks.
Our job is not done until that effective corrective action has been agreed upon and, I would argue, already begun.
Let me repeat that (perhaps a little more succinctly):
Our job is not done until we have assurance things are going to be corrected.
Back in the early days of my career it was a simpler life. Little more was expected of internal auditors than to find problems, tell the auditees, and then move on to the next project. No corrective action, no recommendations, just ride off into the sunset for our next assignment. (Yes, it really used to be that easy.)
One of the first steps our profession took related to adding value was when we adjusted our way of thinking to join the client in taking ownership in making things better.
If all you do at the end of your audit work — when the report is issued as a "final" report — is provide a recommendation, you are no more than one or two steps removed from those Neanderthalic days of yore.
Here's the excuse I generally hear from those practicing the "recommendations approach."
"If we are forced to get an agreed-upon corrective action, then the audit will take longer to complete and everything will be delayed."
Quite simply, this is not a problem of getting agreed-upon corrective action; it is a problem with the audit department. It has not built the rapport necessary to work with the client throughout the audit. Or, even worse, the opinions of the audit department are not respected. Because, if they were respected, then the auditees — and in these situations, I think that is the right term — wouldn't be summarily dismissing the findings, brushing them and the department aside as a minor inconvenience to be shuttled away with a mere flick of the wrist.
If, by the time the audit report is completed, they cannot provide a final solution, then they will never think it is important enough to get done.
Audit departments should be discussing results with the client as they are uncovered. There should be a constant give and take about what has been found, what should have occurred, and what will be done. And there should be consensus about what will be done well before the first draft of that report is being drafted.
Yes, there will still be arguments/discussions about the content of the report — is the opinion right, is the wording correct, is this a little harsh, why was this included, etc. But the actual corrective action — what the client is going to do — should have been hammered out before one finger is put to keyboard to build the first draft of the report.
The Standards list corrective action as an element of every finding for a reason. And any report that only lists recommendations is a report — and an audit — that is only half done.