Friday, January 23, 2009

Cause and The Last Why

One of the hardest arguments I ever got into with an auditor who worked for me regarded "cause."

No writer likes being challenged in their logic, particularly after a hard week on the ground in the offices of a unit of the company, but the organization deserves that we treat "cause" as tremendously important.

And so we did.

IIA Practice Advisory on Standard 2410-1 suggests that audit findings be comprised of the following:
  • Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist).
  • Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist).
  • Cause: The reason for the difference between the expected and actual conditions (why the difference exists).
  • Effect: The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). In determining the degree of risk or exposure, internal auditors should consider the effect their engagement observations and recommendations may have on the organization's operations and financial statements.

It is also customary to add Recommendation to this list to arrive at the Five Part approach to writing audit findings.

Most auditors and consultants I've trained have little trouble with defining "what is" and comparing it to "what should be," but "why it was that way" frequently presents difficulty.

When editing audit reports and finding this section missing, I'd frequently get responses like,

  • "They just weren't doing it."
  • "The manager isn't very good."
  • "I don't know why, I forgot to ask."

Of course, the problem with these responses is twofold.

First, if you don't know why something is or isn't taking place, it will be simple luck that your recommendation actually fixes it.

Second, without a defined cause it becomes impossible to gauge the cost-benefit of accepting the recommendation.

To illustrate, if the manager didn't do something because they weren't trained properly, then it becomes possible to assign a cost to your recommendation. Retraining the manager costs $X.XX compared with saving $X.XX in risk (or whatever).

Likewise, if the manager chose to ignore the control because of resources or a disregard for the importance of the risk, it becomes reasonable to explore whether their managerial choice was the right one. Removal of extraneous controls is as valuable a service of Internal Audit as adding new ones. An auditor would seldom go down that path, unless they had first chosen to pursue the question of "cause" with alacrity.

One of the best ways to combat lazy "cause" statements comes from the Executive Vice President of Educational Marketing Group, and she refers to it as The Last Why. It's a quick and dirty model for determining cause and it is as effective as it is simple.

It goes like this. You take the first "why?" and ask "why is that the case?" and then you do it again.

So, when the auditor says, "they just weren't doing it," the response to that is a simple, "really, why?" Then keep silent. Perhaps the answer will then be, "because they didn't know about it." To which, the response is again, "really, why?" And so on, until you get to the "last why."

The Last Why is the actionable answer. You know you've arrived at it when you've finally got something that can be done. For example, perhaps the "last why" in the above scenario is that trainings of this kind only take place twice a year and this manager was hired right after the last one.

Now, we've got something we can work with.

If the risk is great enough, you can recommend that the training cycle be changed or that interim briefings take place for new managers, or a dozen other things - most of which you'd be guessing at if you'd stopped at an earlier why.

--Prescott Coleman, CIA, CISA

2 comments:

toomuchcountry said...

Again, great guidance. My staff will have another "FW:" e-mail in their inbox Monday with a link to your entry. I think auditors often omit a root cause for a # of reasons. It's often time-consuming/expensive to determine it, the process often ends up becoming personal, and/or the auditor simply isn't experienced enough to navigate to the last why. The criteria/condition/issue (non-compliance with something) is easiest to write. The recommendation to do something about it is next in line. But the cause - and especially the "last why" - lags a distant 3rd to the other components in terms of easily ID'ing, proving, documenting, selling, and writing it.

Anonymous said...

Thanks for your kind words, and I couldn't agree more. The reasons for stopping at the "first why" that you lay out are spot-on.

The idea that the why-discussion can become personal is very true. It is why I place so much importance on hiring and training auditors to have great interpersonal skills. The ability to make an audit client glad for tough news is one of the first tests for being given the Auditor-in-Charge role.