Fixing Audit Issues When Action Plans Aren't Feasible (Hint: It's About the Risk!)
You Made It Through!
You did it! You have made it through another audit relatively unscathed, and with a detailed (and not too terrible) report in your hand (well, in your inbox, anyway).
You have plenty of time to work on remediating the issues, as the due dates are a year out. For now, you are going to put this report in your (electronic) drawer, and plan to revisit it after your vacation / busy season / your kid’s travel baseball team season / whatever.
A Few Months Later
A few months pass and you remember about the audit report. You think, “ok, now it’s time to get started on these action plans!” You open the report again and get ready to get your implementation groove on.
But, after refreshing your mind on the action plans, you pause and think back over the last few months at the company:
Your most senior team member resigned and you lost that headcount.
Your budget has been cut.
There is turnover in leadership and new strategic objectives.
You start to realize that there is no way in the world that you will get the resources and support for what you planned to do, which means… gasp! The action plans that you agreed to are no longer feasible!
Some Choices That Might Work
You know that you have to do something about these audit issues. But, what can you do?
You think of a few things that might work:
Throw the report back in the drawer (or into the fireplace!) and forget about it (we call this the "lack of object permanence" approach – if I don't see it, it ceases to exist!)
Quit and flee the country. Fiji is nice this time of year.
Scratch out the title of the report and change it to “Creative Writing Exercise.” (Done! No action plans to implement because it was all imaginary!)
Blame it on gremlins. Claim that mischievous gremlins caused the audit issues and that there's nothing humans can do about it.
You leave your desk to head home, checking flights to Fiji on your phone.
So, What Do We Really Do?
If you haven’t guessed, none of these are the right answer, although I have seen leaders do these and other things when faced with action plans that they can’t action (except maybe the gremlins).
But, before you go commit business record fraud by crossing out the title of an audit report, let’s discuss what you can actually do in these situations.
Audit Committees Are Chill About Updated Action Plans
I think it is important to talk a little about how the Internal Audit team reports on open audit issues to the Audit Committee, especially those with updated action plans. I think this will make you feel better:
Updated action plans are generally ok. Business changes quickly and a year can be a long time. The Audit Committee understands this.
Changing or updating action plans, due dates, etc. is actually pretty common. For example, one time my team identified an issue related to certain types of contracts. By the time the remediation was due, the company had strategically moved away from those contracts, so the specific action plan was moot.
A good Audit Committee just wants to ensure that risk is managed appropriately and that issues are being addressed. Since they rely on the Chief Audit Executive and/or CFO to validate this, the specific form that the mitigation takes does not matter to them (unless it bumps up against something else that they are looking to do as a Board).
It Goes Back to Risk
So, how exactly does one change their action plan if the original plan is no longer feasible?
The answer is: go back to the risk.
What is the risk that Internal Audit is asking you to mitigate by these action plans?
If it is not clear in the report, call Internal Audit and ask them to discuss it with you. You may end up making a best friend forever; internal auditors love business partners who ask them about risk (seriously, knowing that management actively wants to address audit issues really pushes their happy buttons!).
Let’s Update an Action Plan Together!
To illustrate this, let’s make up a scenario. We will assume that you have already become BFFs with the Internal Audit team and have a good understanding of the identified risk.
For this scenario, let's say the risk is:
“High expense report errors are causing budget discrepancies, leading to inaccurate financial reporting and potential compliance issues.”
Let’s say that the original action plan was:
“Implement a new expense management system that automates and streamlines the expense reporting process.”
(You were so sure at the time you agreed to this that you would have the resources to do it! It was going to be amazing!)
Now that you know what the risk is and that the original action plan isn’t feasible, you and your new BFF can start discussing a different action plan to address the same risk. For example:
“Redesign and simplify the existing expense report forms to reduce confusion and provide clear instructions.”
“Conduct brief training sessions, highlighting common mistakes and providing tips to avoid them.”
“Introduce a monthly review process where managers audit a sample of expense reports, providing feedback on errors and how to correct them.”
While these three steps may not be a shiny new system, I have implemented these practices myself, and I can promise you that doing these few steps will exponentially reduce the number and amount of expense report errors.
And, in this scenario, what does a reduction in expense report errors do?
Let’s say it together: “reduces the risk of inaccurate financial reporting and potential compliance issues!”
[cheers and applause]
I knew you had it in you!!
At The End of The Day
At the end of the day, aligning risk with the organization's risk appetite is the goal. As long as you are able to develop an action plan that does this, such as the one in our example, you are golden! So, keep your eyes on the prize, tweak your plans as needed, and remember to keep your focus on creative problem-solving.
One Final Note
Decisions on action plans, how Internal Audit reports to the Audit Committee on open issues, the repercussions of unaddressed issues, and so on, are all dependent on a lot of factors and can be very nuanced. Company culture, the strength of the Board and the Audit Committee, the reporting structure of Internal Audit, how regulated your industry is, etc., can all impact your outcome. Some companies may even accept gremlins as a scapegoat, you never know!
