Just wanted opinions of others as to responses that one gives regarding an audit. For example, most auditors will "recommend" or "suggest" that you do this or that or change this or that. Generally "requirements" occur when there is perhaps a regulatory violation or policy/procedure violation. Naturally you will address "requirements" but what are others feelings on "recommendations" or "suggestions"? In my opinion the recommendations/suggestions should be the discretion of the person/department to whom the audit is being conducted. I know there is probably a wide variety of opinion on this matter and little to nothing in actual writing as to the "how" in responding to audits.

Are you asking how a department head should respond to an audit recommendation or how an auditor should phrase the recommendation?

If the department head (or management) elects not to implement your recommendations they should put that in written form with an explanation of why they would not be doing so.

As far as how I make the recommendation, I put it in writing and address it to the department head and/or management. I make sure to provide a thorough explanation of why my recommendation would be beneficial.

Why have an auditor then? One of the functions of any auditor should be not only to audit for compliance with regulatory requirements, but to ensure that the company is functioning in an efficient and effecitve manner. In order to ensure this, audit recommendations are sometimes made regarding internal controls or even enhancements to the process that might aid the company to function better. In my opinion, this should be the function of the auditor- not the auditee.

If you disagree with a recommendation, talk it over with the auditor - sometimes if the arguement is a good one the auditor will remove the comment from the audit report. If the auditor still feels that the comment is valid, then what we do is leave it up to our Audit Committee's discretion.

Hope this info helps.

The comment would be the issue to consider and the "suggested" or "recommended" action is the control that could be implemented to correct the comment or exception cited. If you have a better control to correct it you could implement that instead or you may want to document that the cost of implementing the suggestions outweight the risk created by the control weakness.

I include audit exceptions, weaknesses and general recommendations in audit letters.

Exceptions(legal & regulatory violations) and weaknesses (usually internal controls) must be addressed. If management does not like my recommendation to resolve the exception or weakness, then they must come up with a solution of their own - but they must address it. For general recommendations, management can take it or leave it.

Since we provide details on what will be audited, we cite the finding and require the responder (usually a branch mgr./supervisor) to provide details of how they will prevent the finding from occurring in the future. The response must include how they will coach, train, and measure performance, along with specific dates it will be done.

If it's from the external auditor (or internal auditor) and it's a significant control deficiency, then you don't have much choice but to correct the deficiency. Otherwise, I am on board with RR Sarah's comments. Why spend the time implementing every single recommendation if additional benefits are not derived and/or other existing controls and processes help eliminate the risk? (But a response is warranted regardless if the recommendation is implemented or not.)

[original poster commenting] Lots of opinions provided here and a bit of confusion. An audit was done, no regulatory violations were found. Any audit will most likely always have recommendations or suggestions. There were some recommendations and suggestions that I opted not to fulfill, and gave reasoning as to why I felt the recommended/suggested items weren't necessary. The auditor didn't like the fact that I didn't fully do what the auditor wanted changed, so the auditor is going above me to higher authority so the auditor will get their way.

I'm not certain in which capacity you serve (i.e. department head, other?) or if this was an internal or external audit ... but it seems that a written response from the audit committee (or management) to the auditor would resolve the issue. And the written response would provide the bank's rationale for not implementing all of the auditor's recommendations. If that doesn't work, then it seems you have an overzealous auditor that needs to relax.

If the scenario you describe is between an internal auditor and department head, then it seems there is simply a difference of opinions, but the department head should still provide a written response to the audit findings. Regardless, in this situation, the audit committee (or management) should still be presented with the auditor's findings and the department head's response --- and they can reconcile the differences.