During discussions, it became clear a discrepancy had developed between the policies in the procedure book and the way in which an updated, automated process worked. When an audit revealed, for example, that a few branches weren’t providing all the documentation required to open special account types, Walke brought together managers at various levels. This helps both in identifying the root causes behind any issues and in gaining buy-in to complete the actions needed to address the audit findings. Rick Walke, vice president of internal audit and compliance at Indianapolis-based Forum Credit Union, also works to partner with operational managers. “I’ll broker a meeting between the two groups and let them know the issue and the help we need,” he says. If the issue is significant and they can’t reach agreement on the time frame, they may bring it to executive management.īenvenuti sometimes will bring together two departments when it’s clear that addressing an audit finding in one area requires support from another, like information technology. “If they say it will be four months, we may ask if three months is reasonable,” he says. That’s not to say they leave it entirely to the them, especially if the deadline proposed is deemed too lax. He and his team talk with management as they conduct their review, providing the managers, many of whom have worked in an area for years, an opportunity to offer input on their view of the risk an issue may pose.īenvenuti and his team also ask for auditees’ input on how quickly they can act. Transparency is critical throughout an audit, says Phil Benvenuti, senior director of internal audit at software company Pegasystems Inc. “This gives them an opportunity to voice their concerns,” he says. Many times, however, the process owners have known improvements are needed, but haven’t had the time and resources to initiate them. If a manager disagrees with a finding, the auditors may take a closer look, Young says. By acting jointly, “it’s not outsiders coming in and telling them what to do,” he says. In return, the auditee agrees to reasonably provide the needed information and resources.Īt the audit’s conclusion, Young and his team talk with the operational managers to reach agreement on the risks identified, the actions to be taken, the individuals who will take them, and the deadline. “We try to make it clear that we’re trying to minimize the disruption,” he says. Before his team begins an audit, Stephen Young, vice president of internal audit at Chicago-based manufacturer MacLean-Fogg draws up a partnership agreement that lays out the terms of engagement, including the time and information Young and his team will need. The work needed to increase the likelihood the audit recommendations will be implemented starts before the audit even begins. “Make it clear what he or she should do, the deadline, and how to document it.” “Don’t just say ‘management will address,’ but name the person, and give a due date,” she says. In the above example, this might be establishing a process to automatically notify HR and IT of an employee’s last day.Īudit reports should also specify the individuals responsible for addressing findings and a deadline for when the work should be done, Pundmann says. The specific steps needed to fix the root problem should accompany the report, she says. “If people aren’t fixing things, often is it because we didn’t make it clear exactly what should be fixed.” Pundmann says. Management fixes the five specific instances, but doesn’t put in place a process to ensure proper access controls in the future. internal audit practice, provides an example: an audit finds that access to computer applications for 5 of 20 former employees wasn’t terminated in a timely manner. Once an audit concludes, auditees need to know the specific actions to take to address the root causes of a problem. Letting auditees know, for example, a previous audit helped a department cut expenses or improved its performance can help convince them the work required to complete an audit pays off and that the audit findings are meaningful. “The findings should have proximity to things that are important to the entities’ objectives,” says Phillip Austin, national assurance managing partner with BDO.Ĭommunicating the value of an audit is just as important. That’s especially true if management believes the report focuses on immaterial and irrelevant items, so, in their eyes, it’s not worth diverting resources from other priorities. Managers may feel-rightly or not-they lack the resources needed to implement the recommendations. Time and budget constraints often come into play. To start, it helps to understand why operational managers sometimes ignore audit findings.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |