At the conclusion of an audit, findings and proposed recommendations are discussed with management and subsequently management action plans are developed to explain how the agreed recommendations will be implemented.
Auditors should take care to communicate with the various stakeholders how their recommendations will help fix gaps and mitigate risks. The stakeholders will evaluate whether the recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit). Competing priorities, budget limitations and other factors may prevent managers from implementing agreed actions in the agreed time line or as previously designed to mitigate the risk.
Types of Recommendation
Broadly, a recommendation is either a suggestion to fix an unacceptable scenario or a suggestion for improvement. Most internal audit reports provide recommendations to fix unacceptable scenarios because they are easy to identify and are less likely to be disputed by the process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it could be. Internal audit’s value lies not only in providing solutions to existing issues but in instigating thought provoking discussions. Recommendations also can include suggestions that will move the process or the department being audited to the next level of efficiency. When recommendations aimed at future improvements are included, internal audit reports become a tool in shaping the strategic direction of the department being audited.
Sources of Information
An auditor should draw recommendations from both inside and outside the organization. Internal sources of recommendations are easier to locate; however, they require a tactful approach as process owners may not be inclined to share unbiased opinions with internal audit team. External sources may not be as easily accessible — an internal audit function should invest in providing its staff with access to research libraries and professional networks to facilitate access. It is a good practice to jot down recommendation ideas as soon as they come to mind, even though they may not find a place in the final report. Even if internal audit testing does not result in a finding, the auditor may still recommend improvements to the current process.
Articulation of recommendation
Internal audit team should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience have complete understanding. Recommendations should be written simply and should:
vAddressthe root cause if a control deficiency is the basis of the recommendation.
vAddressthe department rather than a specific person.
vIncludebullets or numbering if describing a process that has several steps. vPositionthe most important observation or risk first and the rest in descending order of risk. vIndicate a suggested priority of implementation based on the risk and the ease of
implementation.
vIndicateany repeat findings. If the recommendation needs to be modified, provide an updated recommendation in the report.
vExplainhow the recommendation will mitigate the risk in question.
vListanyrecommendations separately that do not link directly to an audit finding but seek to improve processes, policies or systems.
Feedback from Management
Recommendations will go nowhere if they are not valued by management. Therefore, the process of obtaining management feedback on recommendations is critical to make them practical. Ultimately, process owners may agree with the recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it. They also may choose to revisit the recommendation at a future date as the risk is not imminent, or disagree with the recommendation because of varying perceptions of risk or mitigating controls.
Management responses should be added to the recommendations with identified action items and implementation time lines whenever possible. Whatever be the management’s response, a recommendation should not be changed if it dilutes internal audit’s objectivity and independence and becomes representative of management’s opinions and concerns. It is internal audit’s prerogative to provide recommendations, regardless of whether management agrees with them or not. Persuasive and open-minded discussions with process owners are important to achieving agreeable and implementable recommendations.
Conclusion
The journey of a potential suggestion to a recommendation is complex and is influenced by every stakeholder and constraint in the audit process ; be it the overall tone of the organization toward change, its philosophy toward internal audit, the scope of the internal audit, views of the process owner, experience and exposure of internal audit staff, or available technology. However, an internal auditor must realize that every thought may add value to the organization and deserves consideration within the internal audit team. Internal audit departments should deliberate about the process and ask at the end of every audit: Does it align with the organization’s strategy and direction? Is it up to par with what is seen elsewhere? What is its relevance today and in the future?
