So, I thought I'd share.
Close the loop - Audit reports are, almost by definition, alarming things. However, highly effective reports ring the alarm bells, explain which barn is on fire, then talk about how the fire got put out.
They close the loop.
I know it sounds simple, but it is a commonly missed opportunity. In my experience, audit committees and senior executives appreciate being told about an issue and then being told how it was handled. It means they don't have to take action beyond monitoring the situation and asking for updates. It also means that they will get alarmed and active when you bring them something that truly warrants their involvement.
This is a matter both of process and of report writing.
It is a matter of process, because to be able to do this, you must have actually worked with your audit client to get him/her to pick up a bucket and fill it with water. I have known a number of audit units that create findings, shoot them at their audit clients, and sit down to write the report. Any audit client worth their salt will want their side of the story in the written record. Now you've got potential conflict and disagreement. No one is focusing on making things better. And, your Audit Committee is wondering why you can't handle these things yourself.
It is a matter of report writing, because all too often I see auditors simply leave closure out of the report. They worked very hard with the audit client to come to a workable solution, and then they forget to talk about it. Sometimes I've found this to be the result of auditors who have a "gotcha" approach. However, more often it is just poor storytelling.
Anticipate Questions - This is not an easy thing to do, because it requires placing yourself in the shoes of your audit client's superior. However, it is a skill worth paying for, and good auditors who want to become great auditors will focus on this.
For example, you've written a report with a finding regarding unauthorized access. It seems that for a number of months the Security Unit has been granting access to an important system based on the user's supervisor's approval. Evidently, the system owner hasn't been getting notified or asked for their approval. Worse, "super user" access has been granted to a few individuals. The "risk" statement in your finding talks about the potential for data being viewed or changed by inappropriate users. And, you've followed the tip above and closed the loop by describing what was done.
Not quite finished yet, though.
A really effective finding would anticipate the next question, which I estimate would concern the scope of damage the unauthorized super users might have caused.
Perhaps you were able to find logs which would have recorded any "super user" activity (and which couldn't have been altered). In that case, you allow the senior IT executive to sleep at night by saying so, somewhat comfortable that you've determined that no inappropriate activity was likely to have taken place.
Conversely, you may have found that no logs exist that describe what the "super users" might have done. In that event, it is your obligation to anticipate the question and make a statement that it is impossible to know. Neither the IT executive nor the Finance executive is sleeping now, which is probably appropriate.
Either way, you've delivered a more effective finding, because it targets the energy of the leadership.
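As an added illustration of the scoping step in the example above (this is example code, not part of the original post), here is a small Python check that separates the finding's condition (grants lacking system-owner approval, and which of those are super users) from the anticipated question (what those super users actually did), and reports the scope as unknowable rather than zero when no log exists. The grant records, the activity log and their field names are constructed assumptions.

```python
# Added example, not from the original post: all records are constructed samples.
# Access grants issued by the Security Unit during the review period.
GRANTS = [
    {"user": "alice", "role": "read",  "approved_by": "supervisor"},
    {"user": "bob",   "role": "super", "approved_by": "supervisor"},
    {"user": "carol", "role": "super", "approved_by": "system_owner"},
    {"user": "dave",  "role": "write", "approved_by": "supervisor"},
]

# Activity log assumed to be tamper-evident (write-once, held outside the system).
# Passing None in its place models the case where no such log exists.
ACTIVITY_LOG = [
    {"user": "bob",   "action": "view",   "object": "payroll"},
    {"user": "bob",   "action": "update", "object": "payroll"},
    {"user": "carol", "action": "view",   "object": "ledger"},
    {"user": "dave",  "action": "update", "object": "invoices"},
]

CHANGE_ACTIONS = {"insert", "update", "delete"}

def unauthorized_grants(grants):
    """The finding's condition: grants the system owner never approved."""
    return [g for g in grants if g["approved_by"] != "system_owner"]

def unauthorized_super_users(grants):
    """The subset behind the anticipated question: unapproved super users."""
    return sorted(g["user"] for g in unauthorized_grants(grants) if g["role"] == "super")

def scope_damage(grants, log):
    """Per unapproved super user, count views and changes found in the log.
    Returns None when no log exists: the scope is then unknowable, not zero."""
    if log is None:
        return None
    scope = {u: {"views": 0, "changes": 0} for u in unauthorized_super_users(grants)}
    for entry in log:
        if entry["user"] in scope:
            key = "changes" if entry["action"] in CHANGE_ACTIONS else "views"
            scope[entry["user"]][key] += 1
    return scope

def closing_statement(grants, log):
    """The sentence that answers the 'how bad was it' question in the report."""
    scope = scope_damage(grants, log)
    if scope is None:
        return "No tamper-evident activity log exists; the extent of any inappropriate activity cannot be determined."
    if not any(s["changes"] for s in scope.values()):
        return "Activity logs show the unapproved super users viewed but did not change data."
    changed = ", ".join(f"{u} ({s['changes']} changes)" for u, s in scope.items() if s["changes"])
    return f"Activity logs show data changes by unapproved super users: {changed}."
```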
Compliment - Finally, I find that including in a report a brief statement of appreciation and compliment about the cooperation of the team and their leadership pays significant dividends. It seems minor, and often can feel forced, but it has always been worth doing for me.
Something along the lines of,
The Internal Audit team wishes to express their appreciation and thanks for the degree of openness and cooperation received during this review. We found the staff and leadership of the unit to be genuinely interested in improving controls and making the organization more effective.
Another example,
While this report could include lengthy descriptions of the many strengths we identified, its purpose is to convey ways in which the unit can improve its level of internal control. Therefore, by design, the report focuses on areas of potential improvement. This concentration on areas of improvement should in no way be construed as a diminution of the quality of the unit.
Strangely, while everyone knows this statement is somewhat perfunctory, it helps them save face. And as an auditor, when you help a manager save face you have the grounds for a relationship. Having an extraordinary network of relationships is how great auditors become amazingly effective auditors.
-- Prescott Coleman, CIA, CISA