control, and governance
How do I ... Write Useful Audit Recommendations?
One of the best ways internal auditing can add value is by providing recommendations that not only correct problems, but also address the cause of those problems. This is the difference between "cleaning up the spider webs" (simply fixing the current problem) and "killing the spider" (addressing the root cause to mitigate future occurrences).
Generally, problems arise because of a breakdown within the internal control system. As stated in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework, internal control is a process aimed at achieving objectives related to (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. Internal auditing is responsible for evaluating the controls and making recommendations for improvement when controls are not working as intended.
Within each objective, internal controls address five interrelated areas:
Usually, the cause of a problem stems from a breakdown in one or more of the five COSO internal control components. The key to preventing problems from recurring is to determine their exact source and then issue a recommendation that addresses the specific cause. For example, assume that a review of accounts payable procedures indicates that the internal control to prevent duplicate payments is embedded in the programming of the accounts payable system. If the auditors discovered that the duplicate payment was due to a flaw in the accounts payable programming system, they would likely recommend that the director of information technology (IT) review the system's programming to locate the error and correct it. This recommendation would impact all future payments processed through the system by ensuring the error that caused the duplicate payment is fixed.
Control breakdowns can stem from a wide array of circumstances, and the variety of recommendations to correct them can be equally broad. Audit practitioners must have the breadth of knowledge and experience to recognize these breakdowns and provide remedies that reach beyond short-term solutions. By "killing the spider," auditors can help the organization achieve lasting, value-added improvement.
Adapted from "Killing the Spider," by Jonnie T. Keith (Internal Auditor, "Back to Basics," April 2005).
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.