For example, the recommendation might read: “Supervisors should inform HR and IT simultaneously of any changes in their organizations to ensure appropriate user profiles are maintained. As this is a more complex situation, the auditor can provide guidance in the recommendation, but probably not a detailed plan of action. Generic: There are instances where more than one business group is involved in the resolution of an issue and it will take joint efforts to define the actions to address it. If this training occurred during fieldwork, the issue can be categorized as “addressed.” Still, it is up to management to decide the means and timing to achieve this goal. In certain cases, those can be implemented during fieldwork and this situation can be pointed out in the report as “addressed.” For example: “The AP clerk should be trained on how to process certain payment types to ensure the right coding is used.” In this case the recommendation is very specific. Straight actions: When there is an accurately identified root cause, the auditor can advise specific actions that are achievable. ![]() Here, I have tried to establish some categories: For example: “Management could / should / or must take the following actions…”ĭepending on the relevance and complexity of the noted issues, the level of the corresponding recommendations may vary. Also, the relevance and seriousness of the finding will influence the tone of the report. Auditors must find a balance between being too simplistic and providing overly detailed procedures that attempt to do management’s job. Depending on the company culture, and the issue impact, recommendations can be more or less detailed. When implemented, process risks should be mitigated, and performance should be enhanced. MJE approval oversight may cause _.” 3) Make the RecommendationĪudit recommendations consist of guidance that highlights actions to be taken by management. For example: “From a sample of xx MJE’s, representing x% of the population and y% of the value, it was noted that yy MJE’s did not have an associated formal approval due to _. The internal auditor must stay objective at all times in evaluating the situation and the impact on the process performance, taking into consideration the business objectives and risk appetite.īased on the information gathered and the identified facts, the auditor can write down the issue. ![]() Once an internal auditor encounters a control weakness, the focus must be on the facts, without judging the situation or its circumstances. ![]() Once noted, these need to be discussed with management to ensure alignment. Per conversations with auditees, and per process walkthroughs, the auditor has a privileged position to identify the factors triggering issues and get to the root cause. Only specific MJEs are required approval.Accounting MJE requestor and approver are the same.The supervisor left the position, and a new person has not yet been appointed.There is no formal procedure or policy to enforce approval.In this example, the following could occur: There is no procedure indicating who is responsibleĪnother example: “Manual Journal Entries (MJEs) are not approved by a supervisor.” The auditor must gather and write down all the facts.No person was appointed as signature responsible.Potential causes for the real problem could include: ![]() The obvious thought would be, “well, sign it!” While this could be considered as an effective solution, if we don’t identify the root cause, it is highly likely that the situation will reoccur in the future. For example, the finding: “The report did not include an acknowledgement signature,” is easy enough to remedy. Yes, we have a finding, but what about it? There are some issues that seem easy to fix, but more problems may be lurking under the surface. Here, I’ll consider some approaches to provide management with recommendations that best demonstrate the consultant aspect of our profession. Potential approaches can vary from “just fix it” to providing a very detailed list of steps, depending on the company culture, risk appetite, audit group maturity, and other factors. Internal audit teams must also decide on the extent of recommendations to address the identified problems. Management expects auditors to leverage our business knowledge and ability to perform root cause analysis to suggest process improvements that will mitigate risks, improve efficiency, and that are aligned to the business objectives in the short and long term. While auditors spend a great deal of time and energy scrutinizing processes, analyzing procedures and transactions, and identifying control weaknesses, the real value we add to organizations resides in our audit recommendations.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |