Don’t Lose Sight of Your Internal Audit Findings
By Sarah Nord
“It’s NOWHERE!” My youngest son loves to say this whenever he loses track of some precious object. His stuffed pig, his shark-tooth necklace, his lunchbox—whatever he misplaces, he will tearfully insist that “it’s nowhere.” And in the most serious voice I can muster, I will remind him that the object is, in fact, somewhere. It does still exist; he just can’t find it at the moment.
This “nowhere” expression came to mind on a recent call with one of our energy-sector clients on the topic of audit findings. Here’s how he described the challenge:
“All internal audit shops have the same problem: You have a finding, and it disappears into the night.”
This client was quick to point out that findings don’t actually disappear. They do still exist. You may simply lose sight of them, and this lack of visibility can lead to serious problems—particularly if the responsible party is not motivated to resolve the issue. (Check out an article by Mike Volkov on the Corruption, Crime and Compliance blog for an extreme example.)
Whether it’s an audit recommendation, a failed control test, an incident report or a third-party weakness, the risk of the “vanishing issue” is real. To get to the root of the problem, it’s important to understand why an issue may get lost:
Reason #1: Dusty Binder Syndrome
You’re probably not storing issues in an actual dusty binder. However, if you document them in spreadsheets, slides or Word docs on a shared drive or some individual’s computer, they may very well be collecting digital dust. The more issues you’re dealing with, each with their own responsible parties, the more difficult it becomes to keep track of all the moving pieces and manage these issues to resolution.
Reason #2: Lack of Agreement
Issues also get lost in the shuffle when there’s lack of agreement on priority, urgency or validity. I recently read an article from Mike Jacka, titled “You Are NOT Here to Help Me,” where he points out an uncomfortable truth about audit findings:
“We tend to forget that every time we identify an ineffective or inefficient process, whether we like it or not, we are telling someone — and in some instances, multiple someones — that they did not do a good job. We can express that inefficiency or ineffectiveness any way we want — and the successful auditor is the one who has learned to express these concepts in the least accusatory way. However, no matter how it is expressed, we are saying that someone didn’t do their job — they didn’t execute the process, they didn’t oversee the process, or they just didn’t design a very good process in the first place.”
When we stop to think about the psychology behind issue identification and response, it’s no wonder this work is so challenging. Getting all stakeholders to accept an issue and agree on how to move forward is no easy feat. And when people don’t agree, activity can grind to a halt.
Reason #3: Day Jobs
Perhaps the most obvious reason why findings “go dark” is that people are simply busy. If resolving an issue is outside the scope of our day-to-day responsibilities, we may not get to it for a while. We may not provide regular updates on progress. And depending on the severity of an issue, we may forget about it entirely unless we’re reminded to act.
So now that we’ve identified some of the reasons why findings get lost, what should we do about it? Here are a few ideas:
Collect Findings in an Accessible Repository
The first step is to move findings out of spreadsheets, documents and emails and into a central database. This information should be readily accessible to stakeholders on a need-to-know basis. Details to collect include (at minimum):
- Finding description
- Root cause (if identified)
- Date of identification
- Person who identified the issue (unless reported anonymously)
- Responsible parties
- Impacted parties
- Severity (low, moderate, high, critical)
Document Issue Response
The findings database should also capture the recommended and actual response plan. For example, if the internal audit department recommends certain actions to mitigate an issue but the responsible party chooses to take only partial corrective action, document the actual plan and the justification for it. These details can easily get lost in our memories, which inevitably leads to confusion if we don’t capture a historical record of decisions.
Use Smart Automation to Spur Activity
With all pertinent details captured in a central database, the real work begins, and this is often where findings get lost in the shuffle. To keep them front and center, we need an automated method to send reminders and collect updates from responsible parties. However, it’s important to note that automation is not the only answer. You’ll always have situations where you need to chase people down for information, no matter how many auto-reminders you send. In reality, an automated system allows you to streamline the issue management process with motivated stakeholders, leaving you more time to handle more challenging cases with personal outreach.
Escalate Findings As Needed
When we document findings and response activities (or lack thereof) in a central repository, we gain an added benefit when escalation is needed. Our findings database presents a full picture of issue details, communications, acknowledgements and agreed-upon actions, and this data helps us identify when we may have reached an impasse with responsible parties. We can see when a finding is going “nowhere” and when higher-level management may need to get involved. Those conversations are much easier to have when good-faith efforts are well documented.
Capture the Close
When a finding is managed to conclusion, be sure to document those outcomes and mark the finding “closed.” This clears it out of the work queue and focuses our attention on issues that need further action. The beautiful thing about your central repository is that findings in a “closed” state remain in the historical record, easily accessible for future reference.
Even with all the best tools in place, the work of identifying and managing findings to conclusion will never be easy. But perhaps that’s why the work is so satisfying for people with a problem-solving state of mind. If we can use smart technology to shine a light on findings and keep them from going “nowhere,” that’s half the battle. The rest of the work is where our communication, analysis and critical-thinking skills truly shine.