How recommendations are perceived
“Irrelevant”, “impossible to implement”, “developed an ivory tower”, “they want us to do what?” … These are all quotes that internal auditors hear quite frequently when it comes to their recommendations. And sometimes those quotes are accurate.
As internal auditors, we are often focused on auditing and on being as complete as possible in our findings. Our recommendations often come as an afterthought, when we are writing the report. And that’s a problem. These recommendations are what our auditees will be working with when they scramble to the achieve compliance in those areas deemed inadequate by the internal auditor. If we want to include recommendations in our audit reports, we’d better make sure that they are adapted to the specific circumstances in which they will need to be implemented.
How to make recommendations more relevant
But are there ways to make this easier? I believe we have stumbled on one way to develop great recommendations. that are wholeheartedly embraced by our auditees and are implemented without any problems or comments.
Can I let you in on a secret? We’re not the ones developing the recommendations.
The recommendations are developed by the auditees in close cooperation with a number of experts. Internal audit is included in this group, but in a very specific role. We do not take the lead.
Now, I have a bit of luxury position in my organization. The organization set up a department charged with organizational development. The head of this department reports directly to the CEO. Their main responsibility is to ensure continued ISO compliance. These people have an in-depth understanding of the processes in our organization. They have an intimate awareness of what is realistically feasible in our organization.
The recommendation development process
At the end of the investigative phase of each audit we issue a – validated – draft audit report to the auditees. This report details our findings. At that point we do not issue any recommendations. We distribute this report to the department organizational development and the auditees. We invite the department organizational development to set up a meeting together with the auditees. This meeting should be aimed at developing specific and concrete responses to the findings. The internal auditors are invited to these meetings. We are not just there to assist the participants to think about practical solutions to the issues raised, although we may offer suggestions. Our main reason for being there is to ensure that the answer provides an adequate answer to the finding. If this is the case, we will formally recommend the application of the solution. In case we do not agree with the solution, we will either not provide a recommendation or provide a recommentation against the proposed solution.
Of course, what we are really doing is transferring the findings to the auditees. They join organizational development and our team in a joint effort to develop relevant, applicable, implementable recommendations that answer the findings. As this approach requires a deep commitment to listening to each other, we believe it will be highly successful in the long term. Our first experiences are very positive as it separates the often quite confrontational period of audit from the period of developing practical solutions to the problems that were identified.
What is holding you back?
This may seem simple. Actually, I believe that it is an extremely simple approach. But I do realize that not too many internal auditors are necessarily ready to reach out to their auditees. Audit reports are often considered to be the work and sole property of the auditor. However, if we as internal auditors want to add value, we need to dare integrate our auditees in the development of the specific solutions. It would be a fundamental misunderstanding to assume that because our auditees are “at the source” of deficiencies they would not know how to solve them. More likely, they were never before in a position to solve the issues and they learned how to live with them. Our value as internal auditors is not only in the findings, the clear and concise identification of those areas where the organization fails to meet its key objectives in terms of internal control risk management and governance. No, it should also be in the facilitation of the solution of the issues underlying those findings, by providing a fertile breeding ground of solutions to our auditees.
We need to understand that just because we were in a position to identify those weaknesses does not necessarily mean that we are the best placed to solve them. As stated before, we need to be willing to understand that people working in a certain process or a division under audit have been confronted with these problems before, quite possibly for a long time. They most probably have already thought of solutions of their own. They never got implemented because of work pressure, hierarchical issues and other challenges. Their solutions are potentially relevant solutions or at least solutions worth exploring as an answer to an issue.
I believe that combining the access to those solutions with the capabilities of a process development team in your organization can become a powerful answer to the findings of an internal audit. As internal auditor you should not be the one to come up with solutions all by yourself. First, this will create significant independence issues. Additionally, also will also require you to become an expert in everything pertaining to the activities in your work environment. Good luck with that. Having the humility to understand and acknowledge internal audit cannot provide answers to everything, that we meet people with practical experience in the area under audit and finding ways to make that happen will make us better, more relevant, more value for money internal auditors than ever before.