The audit report recommendations describe the actions you hope that management is going to take as a result of your findings. And if you do not clearly describe what you want, squirrelly behaviors can result. Here are a few fun things I have seen:
The client takes your recommendations literally—to the letter—and implements them with a smirk, realizing that you can’t pin them on it next year, because they did do what you recommended… technically.
Let’s say that you “recommend that management consider hiring a credit manager.” Next year, you return to follow up, and indeed the client considered hiring a credit manager—for about two seconds—and decided not to. Now what? You are going to have to write them up again!
Or, once, an audit team insisted that security guards purchase an expensive body scanner. The security guards resisted the recommendation for years because they felt that their procedures were more than adequate, but they finally acquiesced. They blew tens of thousands of dollars to buy the fancy body scanner and then had it installed in the center of the entrance hall so that the auditors wouldn’t miss seeing it. Then they directed employees to walk around the expensive machine so that they could be evaluated using the same old procedures! Nothing like making a fool of the auditor every single time they went through security!
The client implements your recommendation even though it is only for the auditor’s benefit. Auditors sometimes recommend additional procedures that don’t add value to the process, just so that our audit is easier. For instance, “We recommend that management provide documentation to prove X so that we can have a complete audit trail.” The first problem with this recommendation is a focus on us. PLEASE do not recommend a change for the sole purpose of making our lives as auditors easier. Have we lost focus on who is paying us here?
Secondly, adding ultimately unnecessary controls can slow the client down (can you say “bureaucratic red tape!”) and keep them from doing something really important, like getting the right product or service to the customer as quickly as they can.
The client doesn’t know who is responsible for doing it—so it doesn’t get done. If you are in the habit of writing in the passive voice, you can get into a lot of trouble when writing a recommendation. Here is an example of a passive recommendation: “We recommend purchase orders be approved.” See the problem? Who is the agent – or doer – here? Who is supposed to approve purchase orders?
You may come back next year to find them pointing to each other like the Scarecrow in the Wizard of Oz, with arms crossed, pointing at all the people they thought were going to approve the purchase orders. So confusing!
So, go ahead and name responsible parties such as, “The purchasing manager and the requesting manager should approve purchase orders.”
The client simply can’t afford it. One auditee’s software was so antiquated that a significant number of transactions slipped through the cracks. Every year we auditors recommended that they spend major bucks to upgrade the software, and every year they ignored us because they didn’t have the money. How ridiculous was that little dance?
After about four years of hounding the client on this software issue, we finally realized that transactions existed before computers(!) and focused on controls that would help them account for all transactions regardless of the software they used.
We looked closer at their processes and found simple things they could do to mitigate the risk that transactions would not be recorded. They did what we asked, transactions were properly captured, and as a result we were able to leave them alone for the rest of their lives (on this issue anyway).
That is the goal of a good recommendation, by the way—to write it once, persuade the client to actually do it, and then never bring that issue up again!
You can’t imagine how you are going to audit that. Have you ever followed up on a recommendation that was so vague that you had no idea what the auditor intended? Here are some examples: “We recommend that this process be improved.” “The need for this procedure should be emphasized.” “The supervisor should make this process a priority.”
One 300-person audit team had 1200 unresolved findings to clear because their former audit director didn’t like being specific in audit report recommendations and the auditee wasn’t exactly sure what to do to resolve the finding. What a silly, ongoing burden on the audit team and the client.
Make Sure that Your Recommendation is Auditable, Feasible, and Satisfactory
In order to avoid the silly results of bad audit report recommendations discussed above, make sure that your recommendations are auditable, feasible, and satisfactory.
Auditable. Ask yourself if your recommendation is something that you can easily follow up on next year. Remember your goal is to write up something once, have the client implement it, and then never have to write up the issue again.
As you may be the unlucky soul who follows up on your own recommendation, do yourself a favor and ask yourself, BEFORE you publish your finding, “What would you do to verify that the client has actually implemented your recommendation?” If you can’t easily think of some way to verify the recommendation with a test, rewrite the recommendation.
Feasible. Pause to ask, “Will the client ever actually do this?” If the answer is “no,” you need to rewrite it.
Or better yet, let the client write it! Your primary job is not to solve the problem, but to identify the risk. Present the risk to the client and ask them whether they are willing to tolerate it. If they or you are not willing to tolerate the risk, then ask them what they can do to mitigate the risk. Asking them to take the lead on resolving problems has another benefit – it preserves your auditor independence.
And, obviously, if the client comes up with their own recommendation, they are much more likely to implement it.
Satisfactory. Also pause to ask yourself, “If the client implements this recommendation, will I be satisfied? Will I be able to leave the client alone about this issue in the future?” If the answer is no, go back to the drawing board.
What does the GAO say?
As usual, the GAO has some wisdom to share about audit report recommendations. The GAO’s Yellow Book says:
9.23 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended.
9.28 Effective recommendations encourage improvements in the conduct of government programs and operations. Recommendations are effective when they are addressed to parties with the authority to act and when the recommended actions are specific, feasible, cost-effective, and measurable.
The Bottom Line
Here, bottom line, are the qualities of good audit report recommendations:
- Audit report recommendations should NAME NAMES or, more accurately, name positions and roles. Who is going to do this? Make it clear so that the client is clear about who will be held accountable for action.
- Write it so it is AUDITABLE. Please stop torturing future auditors (who, by the way, may be you or someone you love!) with vague recommendations that you can’t prove were implemented.
- See if the client thinks it is FEASIBLE. In other words, is it in the realm of possibility that the client will implement this? One way to make sure of feasibility is to point out the problem, the risk the client is taking, and then ask the client how they are going to fix it, or if they even want to fix it. Say, “Here is a risk we have identified. Are you willing to accept this risk? If not, how can we mitigate this risk?”
- Make sure it is really going to SOLVE THE PROBLEM. Ask yourself, “If this client takes this recommendation, will I be able to leave the client alone from here on out?”