I recently wrote about an inherent problem with (some) audit reports. The fact is, some auditors believe they can persuade management with an audit report to take action to correct a deficiency. But a report is far less persuasive than a face-to-face discussion, with both management and the auditor sharing and listening openly to each other.
A reader who commented on the piece talked about a management failure: failing to follow through and take the actions they had agreed to in the audit report. As I read and considered the point, I came to believe the writer was talking about this:
- The auditor drafts a report, discusses it with management and makes recommendations for corrective actions.
- Operating management replies in writing, in a response that is included in the audit report, that they agree and will take defined actions by a certain time.
- The due date passes without the actions being taken.
The author of the comment said this was 100% a management failure.
I am not so sure.
Who’s to Blame for Lack of Follow Through?
There is certainly a failure of management to keep their commitment. This needs to be discussed with them and probably their management. It may be indicative of another and more serious problem with management. But sadly there is often an internal audit failure as well.
We might have one or more of these situations:
When Management Is Afraid to Disagree With the Auditor
Management agreed on the facts, but not whether they indicated a risk of significance. As a result, even though they committed to taking action, they did not make it a priority.
Maybe they agreed because “the auditors tell us to do it.” They may fear disagreement and how it would look to senior management or the board.
When I was a vice president in IT, my information security team was subjected to an internal audit (deliberate wording).
One of the issues identified by the auditor related to the way in which we allowed our senior executives to dial in to our data center from home. (This was before remote access was through the internet. Back in those dark days, the executives used a modem to call a dedicated phone number attached to a security device that allowed them access after providing their user ID and password.)
The auditor read in a book by IBM provided to him by his manager that the company needed to change phone numbers at least monthly. The “risk” was that a hacker could detect the phone number by attaching a device to the executive’s phone line and use it to gain access to our data center and its systems.
Even though the auditor agreed a hacker would need a dial-in user ID and password before accessing our operating system, a different user ID and password for the operating system, and yet another user ID and password for each application, he included this as a “high” risk in his audit report. He recommended that we change phone numbers every month.
In a meeting with the auditor, after he agreed with the facts, I pointed out the disruption constantly changing the dial-up phone number would cause. Every month, our help desk would be besieged by angry and frustrated executives demanding not only that we provide them the correct number, but to stop the insanity.
Nevertheless, his manager insisted on including this as a high risk in the audit report. I provided my response, disagreeing with the rating of high risk and explaining why this was the wrong action to take for the business.
I received a call from my boss’s boss, an executive vice president and direct report to the CEO. He told me that management never disagreed with the auditor. We had a “constructive” discussion about it, with neither of us willing to concede the point.
I have seen this before, where management is afraid of how it would look if they disagreed with the internal auditor. So, they agree on paper and delay in practice.
When Internal Auditors and Management Don’t Agree on Timing
While management agrees to the auditor’s recommendation, they don’t see it as a priority. They have more important issues to address that require the same resources.
The auditor is happy that management agrees with the finding and recommendation. However, they don’t seek to understand management’s other priorities.
I had this with the same audit of information security.
The auditor had taken every item in our information security software implementation project plan and made it a recommendation. They did not indicate that we had already identified the need and it was on our schedule. Instead, they “recommended” (read as “insisted”) that we complete each item within a month or two, ahead of plan.
When I noted we didn’t have the resources to move more quickly, let alone that it was high risk to move too fast, they stood their ground. They agreed my team had properly prioritized each task in the project and that we couldn’t move faster. Nevertheless, that is what they recommended. I asked that they say something about resources being limited, but they would not.
At the direction of my management, we agreed to the recommendation but continued to proceed at the pace indicated in our audit plan.
When Auditors Are Unaware of Changes
When I was with Tosco, we agreed to acquire refineries and other assets from BP on the West Coast. I asked my counterpart at BP for copies of any audit reports for those operations, which I received soon after.
One of the audits was of the refinery at Ferndale in Washington state. The auditor had made many recommendations, including one to remove access by receiving personnel to information about what had been ordered. As a result, they would no longer be able to check that the items received were the items ordered, including whether the quantities were correct.
The action was countermanded when more senior management got involved, after they read the audit report.
The auditors were not informed of the change in plans. They only found out when they followed up to confirm the recommended actions had been taken.
When a Better Response Is Found
I have seen situations where management agreed with the recommendation but later decided there was a better response. They took business-appropriate actions in response to the risk, but they were not the actions recommended by the auditors.
Make Sure You Have Leader Commitment
I want to make a few points:
- Make sure, by listening openly and collaboratively to management, that you understand the true business risk and how significant it is to the business.
- Take the time to identify and address the root cause(s), not just the symptoms. Be brave enough to suggest that management doesn't have enough people, or the right people, if that is the case.
- Discuss the options for addressing the risk, including how difficult and time-consuming they might be — and whether there would be other consequences. For example, would fixing one risk prevent management from having the resources to fix another one, or seize an important opportunity?
- Don’t ask management to do what you wouldn’t do in their shoes!
- Make sure management recognizes, truly, that it is in their own interests to take the actions. It will improve the likelihood and extent of their own success, as well as that of the organization. If they don't believe it, they may not do it. They need to want to take the actions; they need to own them. They aren't doing them just because the auditor said so.
In other words, don’t just sell your finding. Make sure you have a committed buyer.
Management will 100% deliver on actions they believe are high priority and in their own interests.
They will dawdle if the only reason to take action is “the auditor told us to do it.”
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.