Audit Response

osoalone

05/07/09

What do you do with a response of "Management will look into this or will consider this recommendation"?
Banker27

05/07/09

At our Bank, we ask for responses to include the action plan management will take and an estimated time frame (i.e., We will implement this new procedure by 2nd quarter 2009). So I don't think I would accept that response. Management does have the right to disagree with the recommendation and accept the risk. In your case, they aren't really saying if they agree or disagree. They aren't committing to anything.

Do they need more time to think about it and research? I've had recommendations that are on-going for months and I just check in with them each quarter. They are usually longer term projects.

I would go back to them and just discuss what types of info you would expect to see in a response and ask them to add to their response as appropriate.

Good luck! :)
rlcarey

05/08/09

Would this not be up to the Audit Committee to decide? Once the audit department starts to decide what is or is not an acceptable response, IMHO they start to jeopardize their Independence.
A_G

05/08/09

I think the example of a response saying "Management will look into this or will consider this recommendation" is not an AC decision.

That response = a no response in my mind. Management should either agree with the recommendation and provide an action plan or disagree and state that fact in the response. Then the AC can decide on the course of action.

"Considering a recommendation" means it will sit as an outstanding item for long periods of time. I know from personal experience.
osoalone

05/08/09

I agree that this type of a response is just flat a no response (considering the personnel that gives this response). I may implement the requirement that management should include an action plan and time frame in their response.

Thank you all for your help!

Thank you Bankers Online for providing this forum!!
osoalone

06/17/09

A response I received recently is "The records are there for the viewing." My whole point in the recommendation was the fact that no one was viewing them.

I will have to set some guidelines.

One more question: Currently I send management my recommendations via email after meeting with them and they type in their responses and email it back to me. Does this need to be printed and signed by management?
Auditjg

06/18/09

At our bank, we type up the report and send it to management for their response. They usually email back, however, we require it to be in memo format addressed to the Audit Committee. These responses then go with my report to the Audit Committee for review. We don't make them sign the response.
osoalone

06/19/09

MIBankAuditor

07/20/09

My own experience is that you need the AC behind you. I suggest discussing with the AC the requirement to provide an action plan and timeframe. If the requirement comes from them and you are just the enforcer, it may go over much better than if you just start demanding better audit responses.
osoalone

07/30/09

Thanks MIBankAuditor. I may have to try that.
SUSANE1

08/05/09

Once the internal auditor submits his report to the Audit Committee with recommendations, and the audit committee reviews the report.....and replies basically for "management to correct deficiencies in audit report"........does someone have a checklist or form outlining the way management is going to go about correction, who's in charge, timeframe, etc.?
Cornfed Turtle

08/05/09

Do you ask management to respond to your audit findings before or after the report goes to the Audit Committee?

I have the responses in the report prior to sending it to AC. The Audit Committee sees my finding, my recommendation and management's response in the report that they approve. I have written guidelines for management that describe an acceptable response - - - what will be done, who will do it, when will it be done, etc.

Now having said that....I can tell you that management has responded that they will accept the risk and the AC has told them, "No, you won't. Fix it." In that (rare) case, I bring the action plan (with the who, when, how) back to committee for approval.
Blessed

08/05/09

All that information is requested and included in the report prior to the report being presented to the Audit Committee at our institution.
A_G

08/05/09

Ditto to the above responses.
NotALawyer

08/26/09

Is the pushback to the issue or the recommendation? If the business does not agree with the issue, then it comes down to what is the standard that was not met. It is important to be clear on what the standard is and what are the consequences of not meeting that standard. If the issue is a violation of federal law that could result in fines and jail time, it becomes harder for the business to take a hands off approach to fixing the issue. Your report should be clear on the issue, the standard used to determine there is an issue, and the consequences that can or have resulted from the issue happening. This will also help the Audit Committee better understand the difference between an "enhancement opportunity" and a gap that must be actioned.

If the pushback is on the recommendation, it could come down to the agreed roles within your bank. Is Audit tasked with determining exactly what must be done to close the gap, or with directing the business to close the gap in a way that is acceptable? The difference being how much input the business has on identifying the final solution.

I also agree with the previous response that sometimes the business doesn't know exactly what it will do and that it will take some time to figure it out.
MIBankAuditor

09/03/09

In response to the poster who asked about following up, we had one auditor who served as follow-up coordinator. Our audit workpaper system tracked recommendation/action due dates that facilitated this. When I served in the role, each quarter I would run a report that identified all findings with action plan due dates that quarter and sent memos (email) to the appropriate VPs and controllers requesting the status of the action plan. After gathering the responses, a summary of past due action plans was sent to every VP, controller and the CEO.

The CEO strongly supported the audit department and VPs and controllers did not want to be on that "past due" list.