5 steps to clearly communicating issues without exception
The issue with audit exceptions is that many audit functions include exceptions as the primary theme of audit report reportable items. Okay, there I said it. Now to provide an example.
I was recently reading an internal audit report from a governmental agency in which the auditors reviewed the bank reconciliation process. Part of the report issue read as follows:
During a review of the Bank Reconciliation process, the Auditors noted that:
- 12 of 25 bank reconciliations were not prepared in a timely manner
- The Controller did not review 15 of 25 bank reconciliations in a timely manner
- There was approximately $425,000 in outstanding items over 90 days old that were not identified, investigated or resolved
Some are, at this moment, saying “What is wrong with this? It presents the facts from the audit testing clearly and logically”. In my opinion, this type of reporting leaves our stakeholders in a So What! state. We’ve told them that, based on audit work, something is possibly wrong. However, we have not told them the extent of the wrong nor the significance to the process or organization as a whole. In other words, we have not provided them with reasonable assurance that the process is broken or unbroken.
Before we go any further, let’s define Issue and exception.
Exception
A deviation from the expected norm resulting from some sort of audit testing (i.e. detailed testing, walkthrough, etc).
Issue
A control breakdown within a process or function that may prevent the achievement of a goal or objective. An issue may result from a single exception or multiple exceptions.
[fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”][divider]
So, here is a 5 step approach to providing stakeholders with better Audit Issues.
1. Consolidate
2. Evaluate
3. Separate
4. Just say it
5. Support it
Consolidate
To better understand the total environment under review, consolidate all audit exceptions into one exception log.
Evaluate
Use the exception log to evaluate items in aggregate. Attempt to identify commonalities in audit exceptions. This will help identify trends that may cross functions, sub functions, and departments. It also helps determine the true issue that led to the exception(s).
Separate
Separate yourself from the audit report. The audit report is based on work that you as auditors performed, however, it is not about you. Eliminate any language referencing the audit staff. For example, “The auditors noted” or “According to audit testing”. Who cares. We all know that what you are reporting is based on some sort of test work performed.
Just say it!
Describe the issue early. One of the first three sentences should state the issue in an easy to understand tone. Auditors take for granted that stakeholders can read exceptions and automatically understand the underlying issue. This is not always true. Spell it out up front. Again, the first 3 sentences should explain what is wrong. Our stakeholders are not mind readers.
Support it
Now that you have communicated the problem, support it with the exceptions resulting from the testing.
Consider the following rewrite:
The current bank reconciliation process does not adequately prevent or detect banking irregularities including errors or theft. This is due to the fact that (1) bank reconciliation preparation, review and approval is not timely and (2) reconciling items are not investigated and resolved timely. For example, for the six months ended (whatever date)
- 48% of bank reconciliations are not prepared in a timely manner
- 60% of bank reconciliations are not reviewed in a timely manner
- $425,000 in outstanding items are over 90 days
Using this technique, we have told our stakeholders now know that the bank reconciliation process is broken (the real issue). We have also provided specific evidence that led to the this conclusion (the exceptions). Please bear in mind that this is only one of the 4 elements necessary for a good complete audit issue. The elemetns are Issue, Cause, Effect and Recommendation. The issue is the only item presented here. We could also add more perspective to this issue by including dollar amount at risk and other pertinent elements that were not available for rewrite. Handling exceptions and issues in this manner will help provide stakeholders with a clearer perspective on the true risks facing your organization.
A sample Audit Exception Log can be found at the document sharing website Auditor Exchange.
[divider][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
Where is my sense of scale?
How many bank accounts are there in the company in total?
Was this a sample or a census?
What’s the total cash balance and volume of transactions in the company?
Is $425,000 a big number, a medium number or a small number?
What kind of transactions are run through the accounts and are there any commonalities? Who controls the accounts and are there any management commonalities?
Are the segregation of duties controls adequate for all accounts?
WHY are reconciliation controls so poor? Suck it up, be a man or a woman, and say that the controller is not meeting his responsibilities!!!!!
Did you pull the credit report of the controller and his staff? Do they have undisclosed personal financial troubles? We need to know it if they do.
Or is higher level management hobbling the controller by not allowing adequate staff?
Did you review the controller’s annual performance evaluation? Does it say the controller is doing a wonderful job? If so, senior management is asleep or incompetent.
This is a typical audit report and is completely inadequate to address the risks in today’s environment. At least, that’s what I think.
I agree. The report left the user without a lot of information. In the rewrite, it was difficult to provide a sense of scale because it was not included initially (i.e. I did not have the numbers). It would be great to stratify the sample population across the entire organization. Unfortunately, they did not.
I do believe that “sucking it up”, as you say, and truly informing management of the issues is really missing. Either the control is working or it is not. It is never personal. I have found that open and honest communications with clients is what makes these types of conversation productive…not sugar coating the issue. There is always a “way” to say everything. I believe that the first to third sentence should state whether the control is working or not.
Thank you for the commentary. I’m glad someone else believes in stating in opinion. I have had recent discussions with some in the profession who do not believe in issue or report ratings. It makes me wonder what the actual written issue look like.