Every auditor knows the battle around audit observations. The amount of time spent to write, the number of meetings held with the client to discuss them and again amount of time spent to re-write them. Follow these 10 steps to reduce the time spent drafting observations.
1. Get straight to the point – Start with the issue
State in the first sentence of the audit observation what the issue is:
“Employee user profiles in SAP are not annually reviewed. Of the 10 user profiles selected, 3 were test accounts, 4 were former employees, 1 was shared account.”
2. Beef-up the observation with symptoms caused by the issue
“Shared account was used to issue purchase orders worth 300K € during the audit period and make modifications to vendor master data”
3. Avoid ambiguous phrases, jargon and keep it simple!
Not good: “It was seen during the audit that due to usage of shared SAP account, there is no segregation of duty in place in the procurement department”
Good: “Three Procurement department employees use shared SAP account to create purchase orders and modify vendor master data”
4. Active voice > passive voice
Not good: “Review was not done by the IT department”
Good: “IT department did not perform review”
5. Get rid of the useless words!
Not good: “Review of open purchase orders as at 31 May 2017 noted that there were a 230 POs which are supposed to have been closed but are still open.”
Good: “As of May 31, 2017, there are 230 open purchase orders that should be closed.”
6. Identify and state the root cause
The root cause should provide the business with a deeper understanding of the issue and why it occurred. This is also the opportunity for internal audit to provide value to the business by stating the root cause in a tangible way and thus providing the client the starting point to fix it.
7. “So what”
Consider the impact of the issue on the organization. Frame the impact statement in terms the business cares about. In some of the organizations this is strictly driven by the company policies and in some by the possible risk.
8. Be consistent over the audit observations and reports
Consistency is the key! Once internal audit has decided a way to frame the observations, stick with it! Do not change the way observations are written because “this is a special case” -excuses.
Sounds stupid right? Still do it.
10. Make sure second set of eyes see the observation before sending it over to the client
4-eyes principle is never wrong. It amazes me every time how much difference the other person sees.