A key challenge exists between management’s writing of internal controls and an auditor’s assessment of those controls. The challenge relates to the level of detail, and it was highlighted when I recently taught a class on writing policies, processes, and procedures one day, and audit-report writing the next.
Often during audits, ineffective or non-existent controls are identified as the cause of business issues. In these cases, auditors’ written observations invariably include statements such as these:
- Control weaknesses were noted in…
- Control framework is inadequate for…
- Control enhancements are necessary to…
- Management should create internal controls for…
While management and the auditor may agree on the need for “control enhancements” as a solution for business issues, writing and revising controls—i.e., policies, standards, processes, and procedures—is easier said than done.
Here’s the dilemma for management: If controls are highly detailed, as Audit sometimes suggests, policies and procedures can become overwhelming and too complex, which limits the ability of users to understand and implement them. Moreover, granular policies and procedures that are too narrowly focused may not apply to unanticipated business situations. An audit would identify these situations as a “lack of control compliance” or “non-existent controls.”
What is the right level of detail to satisfy Audit and provide the appropriate content to users? This is where auditors can help.
Nobody has more experience in evaluating controls than an auditor, and that experience is a valuable asset. Instead of documenting generic recommendations in reports about improving controls, auditors can coach management on the specific areas where controls fall short. Because many audits are about assessing risk, auditors should define the exact details or statements that are necessary to ensure controls prevent that risk. With this coaching, management can zero in on the missing information, or overly complex information, that led to the issue identified by Audit.
Of course, controls aren’t developed just to appease Audit. An auditor should also consider management’s purpose: crafting controls that produce efficient and effective performance and operations.
In that regard, the following questions can help Audit guide management in determining the level of detail for controls:
- Does the detail match the needs of the audience? For procedures, is there enough information for the least knowledgeable user (with the appropriate prerequisite knowledge) to understand and perform the task?
- Does the content address the most common scenarios that occur while also providing flexibility for unanticipated situations?
- Based on the detail, do the policies or procedures consistently produce the desired outcome?
- Are there any gaps in logic or design that could lead to mistakes? Is the context for the controls clear to the user?
- Are controls detailed enough to prevent risk?
Identifying issues is generally the priority of Audit. But determining the cause and making recommendations for fixing issues is where an audit report offers the most value. The more specific help auditors provide, the more value they bring to the organization. A significant piece of that help is taking an active role in working with management to improve internal controls.