What would you do as CAE if you were forbidden from writing a formal audit report?
Let’s think about this challenge, as it may help us pinpoint the value of these documents.
X
Consider our customers in management first. What do they need to know and how can we best communicate (as the IIA Standards dictate) the results of our engagements?
The first opportunity comes during the audit when potential issues are identified. The auditor should discuss them promptly with operating and other management as appropriate. This enables the auditor to:
- Share the results of testing of controls
- Discuss what they mean, such as whether any controls are not functioning consistently as designed
- Obtain agreement on those facts, or hear why management believes the auditor to be mistaken and perform any additional work that may be appropriate
- Discuss with management whether there is a risk to the business and the achievement of objectives, including which objectives may be impacted
- Agree on the severity of the risk and whether corrective actions are required
- Discuss the options for addressing the issue(s) and which corrective actions, if any, are justified
- Get to where management owns the issue and commits to taking the actions
- Agree that management will, by the closing meeting, confirm what will be done, by whom, and when
It…
