Raising An Audit Issue Is One Thing, Closing It Out Is Another
Steve Stanek, KnowledgeLeader contributing writer
“The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.” – International Standards for the Professional Practice of Internal Auditing: 2500.A1
Do an audit, reach findings, set action plans to address deficiencies, follow up. Sounds straightforward, but satisfactorily resolving audit issues can be complicated.
“Internal audit sometimes puts the cart before the horse,” says Larry Harrington, vice president of internal audit at defense contractor Raytheon Co. “Auditors sometimes think they must come up with the perfect recommendation. In reality, the best recommendations and action plans are developed by facilitating a dialogue with management and experts on the topic, to arrive at the most appropriate recommendation and action plans. Management owns the action plans so including them in the discussions reinforces their ownership.”
This is done at Raytheon, where they also maintain a database of action plans agreed to by management, according to Harrington. Management’s responsibility is to regularly review the database and note corrective actions that have been taken. Internal audit monitors the database on a monthly basis. Several weeks before a due date, the customer receives a friendly call to discuss progress on the action plan and ensure it will be completed on time. “This process often helps to expedite action plans that have been placed on the back burner due to other priorities and is a better approach than waiting until items are past due to follow up. After all, internal auditors are here to create positive change, and these calls often help keep action plans on track.”
Raytheon’s chief executive also initiated a change to the standard monthly operational meetings to include one page devoted to any overdue audit recommendations.
“Part of what the database does is help keep action plans somewhat in the forefront,” Harrington says. “If the president must report each month to the CEO if he has overdue audit recommendations, this encourages the business folks to make sure they’re keeping pressure on the right people at the right time. This drives ownership where it belongs. We think this will help make sure action items get implemented timely.”
Raytheon had been outsourcing its internal audit function for the past five years, and several months ago it hired Harrington to bring it back in-house. Harrington reports to the CEO, and he attends all business reviews and strategy sessions.
“Internal audit must understand risks, and to do that it must have a seat at the executive table,” Harrington says.
Focusing on follow-through
David Walker, who teaches accounting and auditing at the University of South Florida in St. Petersburg, FL, also serves on the audit committees of three public companies. He says reporting of deficiencies and follow-through on recommendations “has become a hot topic” in his classes because the reporting requirements of the Sarbanes-Oxley Act have focused corporations on those topics.
Sarbanes-Oxley, he says, has made follow-through on internal audit control matters more important from an audit committee standpoint as well. He recommends as a best practice the creation of a follow-through process, similar to that described by Harrington.
“A recommendation or issue should be raised, communicated, then tracked from that point forward,” Walker says. “The manager of the unit responsible would have to respond to the issue; perhaps an intermediate-term remediation would need to occur. There would need to be agreement on a timetable for completion of the remediation along with either follow-up testing or confirmation that the fix has solved the issue. From an audit committee perspective, that becomes a closed loop for each issue.”
Parveen Gupta, associate professor of accounting at Lehigh University in Bethlehem, PA, says use of technology is important to track action plans and check the status of remediation of audit findings, especially in large or complex organizations.
“On a conceptual level, if you’re using a software package, it could turn on various features that would generate some kind of audit report at a regular interval, like aging of accounts receivable,” he says.
He suggests the information to be tracked should directly relate to what would satisfy the requirements of PCAOB Standard No. 2, the standard on attestation engagements referred to in Section 404(b) as well as Section 103(a)(2)(A) of the Sarbanes-Oxley Act of 2002. It addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements.
“Relate it to management’s assertions, to causal categories, to various accounts, to the control owners,” Gupta says. “Then you’d want to have other information, such as target dates for resolution, and, if possible, an indication of what kind of deficiency is being addressed.”
A critical step, according to Gupta, is developing complete documentation to explain:
1) How an audit issue was found
2) The process that was used to find it
3) How the issue was communicated to the control owner
4) The recommendations to remediate the problem
Remediation and retesting
Depending on the seriousness of the issue being addressed, the internal audit department may want to “pay attention to some of the demographics that are collected,” Gupta says. “They may want to include remediation in the audit plan for the next month or quarter, or maybe a representation from the control owner is good enough. Internal audit needs to remember when they do initial audit planning at the beginning of the year, they should plan for some time for some of these things. If they are taking the lead in testing, they need to create slack in the budget to handle this.”
He suggests that any issue with “more than a remote chance” of being escalated to a material weakness should be remediated and retested.
He also recommends that the board of directors or audit committee set policy for how much time should be given to fix problems, depending on whether the issue is low, moderate or high priority. He adds, though, that setting a hard-and-fast rule is impossible, because of many variables that can come into play.
Even low-priority items can become major concerns if multiple small control deficiencies in an area turn up.
“It is possible that all those small deficiencies collectively could rise to the level of a material weakness,” Gupta says.
Judgement comes into play here as well as with the evaluation of management’s response, he says. If the control owner is not cooperating, the underlying reason must be determined.
“Internal audit will need to take a little bit of a leadership role,” Gupta says. “Ask why they’re not paying attention. Ask, ‘Do you think it’s not serious? Let’s chat about it.’ It’s a question of judging the intent of management. If you feel the intent is malicious, bring that to the directors. Otherwise go through the normal chain of management.”
Getting management involved
Another way to make sure management takes audit issues seriously is to make their response part of their performance evaluation.
“If you find certain control deficiencies, when the supervisor of that unit is evaluated, show the amount of time to fix the problem. That will get attention,” Gupta says.
Basil Woller, a director in Protiviti’s Houston office, says management should always be involved in developing an action plan.
“Management ought to be convinced that the actions will address the issue that was raised,” Woller says. “The second thing to keep in mind is setting reasonable or realistic time-frames. If you have a significant area that is complex, and the fix is not easy, it may go across functional departmental lines and take a collaborative effort.”
University of South Florida’s Walker also raises that point. “Sometimes you’re going to find an issue that will require a systems change,” Walker says. “The manager is going to depend on resources from an outside department. It’s important to list all the responsible parties and be sure the IT department understands the importance of their role in meeting deadlines and remediating the deficiency.”