Findings of the external IT auditor: how to deal with them?

Most companies struggle with the findings that external auditors, such as accountancy firms, raise in their management letters. The accountancy firm always seems to be looking for new (IT) findings, while the processes you run within the company work fine. Why should the IT department spend time resolving those management letter findings instead of proceeding with business as usual? Let’s share some thoughts.

The auditor is bullying us

Within many organizations, the external auditor comes with findings. Mid-size companies often receive findings even though they do not experience many incidents. Besides, when the company has sound financial results and IT is reliable, why does the IT auditor still come with findings?

An external auditor’s main objective is to be able to rely on your internal control system. Instead of trusting you as a person, they must obtain evidence and must be able to show, under legal and governmental regulations, that they have a legitimate reason to rely on a company’s financial statements. Even when procedures are followed perfectly, an auditor cannot rely on internal controls if there is no evidence. As an experienced auditor, I’ve visited a lot of companies and noted that companies have legitimate reasons for performing processes the way they do. Unfortunately, due to a lack of evidence and documented procedures, findings were raised. It’s not about bullying; it’s about the need to prove you are in control.

Describe what you do, and act as you described

So doing the job with the best of intentions does not satisfy the external auditor by itself. However, your auditor will be satisfied when documented processes illustrate how you perform your duties. Besides, when you make some notes during your activities about what you did, an audit trail becomes available: the auditor can see how you actually performed your duties and can verify that you did it the way you described. Once this is in place, you’re halfway to satisfying the auditor! Okay, to be honest, this can be the way to go within a small IT organization. For a large or mid-size organization, it is more difficult, since there are a variety of systems, managed in different ways by different people. The magic lies in documenting procedures at an appropriate level, and it’s hard to determine the right level of detail for describing procedures. An external advisor, such as an IT auditor, can support you in creating appropriate procedures and in training staff to act in conformance with those procedures.

Documenting each and every alternative and escalation: too much documentation to handle

This topic is often discussed between external auditors and IT departments. When looking at changes, for example, a personal productivity report may not have to follow the same procedure as implementing a new cost calculation module or making a quick infrastructural change when a cable gets broken. Although all those examples may require different steps, some can follow the normal change procedure while others need a different route. Instead of describing each and every step for every situation, the procedure can define an escalation or alternative route, guarded by a four-eyes principle or specific approval from the board. Creativity in the design of procedures can result in a neat framework that supports every activity within your work. The right level of procedural description, that’s key to solving findings.

The auditor comes with new findings, I told you he’s bullying us

Auditors are required to keep up with a changing environment, and therefore need to comply with the permanent education requirements of their professional practice. This results in new insights that are applied in the way an audit is performed, which can lead to findings that were not discovered in previous audits. Another reason can be that incidents occurred, or that specific activities took place that did not occur before. New findings can also be discovered when an audit team changes. Auditing is a profession that relies on the expertise of the auditor. Different auditors can have slightly different experiences and slightly different opinions; however, they all need to act according to the professional practice regulations, and therefore all try to improve a company’s internal control framework.

The auditor is happy, but what is my benefit?

I can imagine that responding to the findings of auditors costs a lot of time. In the beginning, it seems that once procedures are described appropriately, the auditor spends even more time and money, because they start sampling and requesting logs of historic events. Instead of applause and a thank-you for solving issues, they take more time and money to come with findings on historic events. Well, it is beneficial when there are also no, or very limited, findings on the test of operating effectiveness (the test on historic activities). Maybe to be more precise, it is beneficial for your colleagues. Once you have succeeded in satisfying the auditor, they can rely on your internal controls and can perform the audit by testing controls instead of testing transactions. So, when you have finally followed up on all the findings of the external auditor, hopefully the auditor will compliment you on your work, but most importantly your colleagues will spend less time with the external auditor now that you have followed up on all (IT) findings.

Contrisity can support your organization in solving the findings of the external auditor. With the knowledge of what an external auditor wants to see and the experience of executing internal procedures, we know how to deal with these situations.