In my role I get to see other audit services and teams, and see how they deal with their clients. One of the great things about the internal audit profession is that there is no single ‘best’ or ‘right’ practice. This allows the profession to really meet our clients’ needs without being straitjacketed by rules.
So one model I’ve seen recently in a number of internal audit functions is for the internal audit function to agree management actions in response to observations recorded in audit reports. These may or may not be accompanied by recommendations from internal audit.
So let’s think this through. It has some appeal. It forces engagement of the management team with auditors and their audit reports. It means that there is a set of actions that will occur. It means that audit committees only see agreed reports. It makes internal audit really think about the quality of their reports and their suggestions (if they are included in the report). It makes the management team think through their response, as they have to debate and discuss them with internal audit. It also potentially improves the implementation record of management in response to internal audit.
Yet it does have its downsides. I have found a really hard-hitting or transformative audit report takes time to digest. Also, strategic issues and risks cannot always be responded to in short order; they take time. So forcing agreement through an internal audit-agreed management action right at the end of the audit doesn’t work. This means it can either hold up the report’s publication whilst disagreements and debate occur between the management team and internal audit, or it can force a lower level of ambition in what is agreed. It could make internal audit reports avoid difficult or challenging points altogether, as there is a challenging process of closure needed; it’s easy to make a suggestion to sign a form, but much more difficult to posit a challenge to a strategic project or programme of the management team.
The most concerning element of the approach is that it could impact on internal audit’s independence. Internal audit has to agree and take some, if only vicarious, responsibility for management actions and their response. The management team could use disagreement to denude or water down the report’s findings.
So I do think getting a degree of agreement with the management team in response to internal audit is important. It’s not a particularly sensible position for internal audit to be constantly and diametrically opposed to the management team. I do, however, think the ability and willingness of internal audit to disagree with the management team is essential to the dialectic relationship needed for good internal audit. I also think that early and immediate agreement to points in internal audit reports is unhelpful. I think some space to provide an immediate response, then amend, discuss and change it later, is important. I find a management team’s consideration of internal audit reports prompts a sense of bereavement and cognitive dissonance with their established viewpoints. These take time to dissipate and adjust to. The best audit responses in my view come six months after the delivery of the audit report. By then the challenge, spotlight, and angst of being audited have faded. This means that in six months’ time the management team has more space to respond, and the nature of the response is more flexible.
I also think it presupposes that there is a response that makes sense at the point the audit report is delivered. If an audit report is focusing on the things that matter and the big risks, then surely the issues and risks may be difficult to respond to at that point. So does it make sense to agree a set of actions as soon as the opinion is delivered? I don’t think, in all cases, it does. Perhaps the ‘action’ is to consider the position. But then the follow up, under the agreed management actions model, is to check that the management team has ‘considered the position’. So this approach may actually prompt weaker management action than leaving some time for the management team to respond might otherwise have done.
I do have difficulty with risk-based internal audit forcing actions in any case. I think the most important thing is that actions mitigate risk. So why ask for management actions, unless they mitigate risk? So internal audit should not follow up the implementation of the management team’s actions, but rather follow up the mitigation of risk. This fixes agreement on the risk as the point of focus, not the actions. So following up risks allows actions to adapt, move and respond, potentially improving the management of risk.
The overall aim of internal audit is to help to ensure risks to the achievement of the organisation’s objectives are mitigated to be within the governance-agreed risk appetite, or to report to the governance structure if they’re not. So the management team should be owning their own risk; forcing internal audit to be part of this process potentially intervenes in the adoption of risk by the management team.
My view is that the agreed management actions approach does have benefits, but I think it: forces fake or lower quality agreement; limits the time for the management team to digest audit reports; does put internal audit’s independence at risk if done badly; loses the focus on risks as opposed to actions; makes follow up easy, but potentially less effective; and limits the management team’s adoption of their own risks.
How do you finalise your audit reports? Is there an ideal?