I had an interesting debate recently with another CAE over recommendation.
In his organization, they do not give recommendations in Internal Audit Report. I was insisting on giving recommendation as it is suggested by IPPF. He had challenged me to provide IPPF reference specifying that in an assurance assignment recommendation has to be given. I took up his challenge and this is what I have found.
In two standards 2110 and 2410, recommendation is accompanied by “appropriate” and “applicable” respectively.
- In 2110, recommendation can be given for improving governance processes.
- In 2410, only applicable recommendations to be part of final communication of engagement results.
Regulated and non regulated organisations
You can classify organization into two categories, organizations in regulated industries and other organizations.
In a highly regulated environment, where regulators have spelt out exact specification for organization conduct and reinforced them with regular supervision, organization are not interested in auditor’s recommendations. In these organizations, a large number of recommendations can be summarized as:
- Process manual to be adhered to.
- Provision of Training.
- Strengthening Supervision.
In this environment, organizations are not interested in recommendations, they are interested in whether the process followed in its entirety, whether the control defined to ensure process is working in its entirety are working as specified.
Internal auditors are risk and control experts and not business experts.
There is another category of organization which believe that internal audit are experts in risks and controls. However, they are not experts in business operations. (if they are, then their better use would be in business operations). These organization wants business operations to provide action plan to address the risk raised.
5C Model of Internal Audit Reporting
The famous 5 C model of internal audit report contains the “Corrective action” and not recommendations .
Condition: What is the particular problem identified?
Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
Cause: Why did the problem occur?
Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
Corrective action: What should management do about the finding? What have they agreed to do and by when?
Conclusion:
- I got convinced recommendation is something which an auditors desires. However, it may be not be welcome in all cases. It would be best for a CAE to discuss and agreed upon the audit report format.
- Absence of recommendations in internal audit report will not be treated as non-conformity with IPPF.
Call for action:
Inputs/ comments/ suggestion: I welcome inputs/ comments / suggestions from readers on how to approach this issue. Feel free to correct me, educate me.
Share the article: If you like it, share it. If you share it with others, and they comment, we all will get more learned.
References – IPPF extracts
2110 – Governance
The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:
- Making strategic and operational decisions.
- Overseeing risk management and control.
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.
2410 – Criteria for Communicating
Communications must include the engagement’s objectives, scope, and results.
2410.A1 – Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author ’s employers, supervisors, nor do they represent the view of organizations, businesses or institutions the author is, or has been a part of.)
