So your audit report has been issued. Sure, you may have received some issues, findings, or control weaknesses in either a letter to management or in the audit report itself, but the auditors are gone. Well, don’t celebrate too much too fast. If your audit gave you a clean bill of health you can throw the party, but remember you must remain diligent on your controls. After all, the auditors may be done for now, but they will come back. If you did have items noted to your management or in your report, you have more work to accomplish. You may or may not agree with your auditors, but when the next audit comes around one thing is certain: prior audit findings will be scrutinized.
Depending on your environment or the type of audit, audit findings may trigger some ongoing monitoring by the auditors. Other times you are left to adjust your environment while the auditors are absent. Regardless, simply disagreeing with your auditors and taking no action at all will be disastrous. You may recall in a previous post I talked about tone at the top as a control. This is one of those areas auditors look at critically, because if you just leave audit findings in a report, tucked away in a drawer, they will have little confidence you have a well-controlled environment. How then do you approach addressing your auditors’ concerns?
The first and best advice I could give is to start right away. If your auditors were good and alerted you early to what they found, you could even begin to address the issues before your auditors leave. When things are fresh in your mind you are better equipped to tackle them. Waiting for a week, a month, or a few months down the road could be the difference between getting repeat issues or an off-the-record “Atta boy” from the next auditors. This means you need to really understand what your auditors meant in their findings. One caveat: auditors cannot tell you how to do something (unless they are regulators), as their independence could be compromised. They can, however, tell you generally what they would expect to see for the issues to be resolved. This is important to understand because if you miss the mark, you will have done the work in vain.
Next, take the time to re-evaluate your entire control environment. You are wondering why I would recommend you do that; after all, the auditors told you where to look. Depending on the type of finding, you may have had a catastrophic failure of multiple controls, with the single one identified by the auditors being just the tip of the iceberg. On the other hand, you may find just one control failed and you didn’t have any other controls to prevent a complete failure. Either way, looking at the overall environment may be critical in solving the problem. Let’s look at a catastrophic failure. Was the control failure caused by a series of events that could not have been foreseen, something that only occurs once every hundred years? If that is the case, the cost/benefit of correcting the failure may not be worth the effort. What if the catastrophic failure occurred because the people performing the controls don’t understand their responsibilities? That is an entirely different story, one which may play out audit after audit. Each of these should be addressed very differently.
In the case of a single control failure, why did you only have one control? There may be a rational and completely justifiable reason, or you may have overlooked the possibility that the control may fail due to its design. I remember auditing the payroll at a small city which had a small finance department staff. There was a payroll control which indicated any staff member submitting for overtime needed to have approval from the payroll officer, but that a lack of approval did not prevent the pay from being distributed. I think we can all see the flaw here, and may even question whether this is a control since it doesn’t prevent an action. Regardless, the payroll officer went on vacation and a water main broke, requiring several employees to work overtime. With my luck as an auditor I happened to pick a payroll transaction during this time period and discovered the complete failure of the control. In response to the audit finding, the control was modified to add a backup to the payroll officer, but the pay still could be distributed without the signature.
Whether you had a catastrophic failure of many controls or a failure of a single point control, understanding the entire control environment is critical. Not only can you correct issues the auditors found, you may find potential areas of future weakness and correct them before they fail. There is an art to getting through an audit, but sometimes the masterpiece isn’t completed until you clean up all the paint drips.