The ultimate value of an audit is more the resolution of negative findings rather than its color. When no clear principles are defined for entity manager evaluation, they tend to fight the audit color and later have a low motivation to use audit report results.
Audits are useful to produce the external reporting required by the SOX laws. This is the primary reason to make them. They are also a unique occasion to bring value to the company through the resolution of negative findings. This is the core reason of this Blog. Internal audit can deliver value beyond producing some company external reporting about risk management.
If nobody clarifies how is used the audit and the later-on resolution of negative findings, the natural tendancy will be to focus on the audit color which is the immediate result. This will have several negative consequences.
First consequence: the actual improvement of the situation through audit recommandation and negative findings resolution will not be in the focus.
Those improvements need time and normally will produce results the following year of the audit. When they will happen, nobody will really care. It means the loss of following the real benefit of a COSO system which is the improvement of the company performance.
Second consequence: entity managers will be tempted to fight the audit negative findings and the readability of the report. They have several efficient ways do to so.
- Influencing the “color” of the audit: the general evaluation (color) of an audit is a general balance between good and bad findings. It is possible for managers to impact this balance by diluting bad finding. For them the key is to add more good findings. For auditors it is very hard to fight against adding those good findings as they are usually true facts. It can be also tempting for auditors to accept those new good findings if they believe it will help the acceptance of the audit.
- Influencing the general readability of the report: just by requesting some redesign in the report sentences or structure supposedly unclear. Entity managers can have a strong influence as they have large responsibilities in the company. They have the power to influence the general readability of the audit report.
Third consequence: unclear rules of entity manager evaluation can potentially be unfair for them.
- The entity manager may not be responsible of the current entity situation, especially if he just arrived. Still, a bad audit will not be good to him.
- He loose a way for a fair evaluation. The later on resolution of audits findings is really where the manager could show his competencies.
It is therefore necessary for board members to setup clearly how to use audits in the entity manager evaluation. Our recommandation here is that it should be first on the resolution of audit findings and only secondly on the result of audits. There are several benefits of this decision:
- Entity managers will less fear the result of internal audits. It will therefore stop the wrong process of fighting the audit.
- Entity managers will orient their actions towards the resolution of the audit findings, which is indeed the real internal goal a such COSO system: pushing performance and actions towards better activity and risks control.
This post is the second and last for senior management. Now this blog will open a new discussion about the challenge of international audits.