5 steps to clearly communicating issues without exception
The issue with audit exceptions is that many audit functions include exceptions as the primary theme of audit report reportable items. Okay, there I said it. Now to provide an example.
I was recently reading an internal audit report from a governmental agency in which the auditors reviewed the bank reconciliation process. Part of the report issue read as follows:
During a review of the Bank Reconciliation process, the Auditors noted that:
- 12 of 25 bank reconciliations were not prepared in a timely manner
- The Controller did not review 15 of 25 bank reconciliations in a timely manner
- There was approximately $425,000 in outstanding items over 90 days old that were not identified, investigated or resolved
Some are, at this moment, saying “What is wrong with this? It presents the facts from the audit testing clearly and logically”. In my opinion, this type of reporting leaves our stakeholders in a So What! state. We’ve told them that, based on audit work, something is possibly wrong. However, we have not told them the extent of the wrong nor the significance to the process or organization as a whole. In other words, we have not provided them with reasonable assurance that the process is broken or unbroken.
Before we go any further, let’s define Issue and exception.
A deviation from the expected norm resulting from some sort of audit testing (i.e. detailed testing, walkthrough, etc).
A control breakdown within a process or function that may prevent the achievement of a goal or objective. An issue may result from a single exception or multiple exceptions.
So, here is a 5 step approach to providing stakeholders with better Audit Issues.
4. Just say it
5. Support it
To better understand the total environment under review, consolidate all audit exceptions into one exception log.
Use the exception log to evaluate items in aggregate. Attempt to identify commonalities in audit exceptions. This will help identify trends that may cross functions, sub functions, and departments. It also helps determine the true issue that led to the exception(s).
Separate yourself from the audit report. The audit report is based on work that you as auditors performed, however, it is not about you. Eliminate any language referencing the audit staff. For example, “The auditors noted” or “According to audit testing”. Who cares. We all know that what you are reporting is based on some sort of test work performed.
Just say it!
Describe the issue early. One of the first three sentences should state the issue in an easy to understand tone. Auditors take for granted that stakeholders can read exceptions and automatically understand the underlying issue. This is not always true. Spell it out up front. Again, the first 3 sentences should explain what is wrong. Our stakeholders are not mind readers.
Now that you have communicated the problem, support it with the exceptions resulting from the testing.
Consider the following rewrite:
The current bank reconciliation process does not adequately prevent or detect banking irregularities including errors or theft. This is due to the fact that (1) bank reconciliation preparation, review and approval is not timely and (2) reconciling items are not investigated and resolved timely. For example, for the six months ended (whatever date)
- 48% of bank reconciliations are not prepared in a timely manner
- 60% of bank reconciliations are not reviewed in a timely manner
- $425,000 in outstanding items are over 90 days
Using this technique, we have told our stakeholders now know that the bank reconciliation process is broken (the real issue). We have also provided specific evidence that led to the this conclusion (the exceptions). Please bear in mind that this is only one of the 4 elements necessary for a good complete audit issue. The elemetns are Issue, Cause, Effect and Recommendation. The issue is the only item presented here. We could also add more perspective to this issue by including dollar amount at risk and other pertinent elements that were not available for rewrite. Handling exceptions and issues in this manner will help provide stakeholders with a clearer perspective on the true risks facing your organization.
A sample Audit Exception Log can be found at the document sharing website Auditor Exchange.