What happens when your audit clients substantially or fully remediate identified control issues prior to the final report distribution? Do you (1) remove the item from the report, (2) include the item in the report with the management action plan as if no action has been taken or (3) include the item in the report, credit management for issue remediation and discuss remaining historic risks?
All too often, when faced with this situation, auditors tend to either remove items from reports or include the item as if nothing has happened (i.e. no management action has occurred). I think it’s time for a different approach. When deciding which items to include in audit reports, auditors must evaluate historic risks. Allow me to explain.
Assume you are auditing a client’s database. There are several issues including unencrypted sensitive information (i.e. SSN#s, etc), weak passwords and overall items that reduced the strength of data protection controls. Once informed, management quickly hardened the database.
So, do you include the database weakness in the final report? In this instance, I would, however, I would also indicate that an appropriate action plan has been implemented. At the same time, I would educate stakeholders (report readers include Board members) about the historic risks. In this situation, we do not know how long the information was exposed and who possibly has the sensitive information due to the weak controls. Therefore, the risk of data leak from when the environment was not well controlled still exists. This technique is situation specific. It should be used only after evaluating each situation to determine if a reportable level of historical risks exists. Also, when using this technique, be sure to credit clients for actions taken.
To better illustrate the point. Many years ago, while auditing a database, I our team once discovered weaknesses similar to those listed above. Management quickly fixed the issues. Therefore, we did not include the item in the final report. Months later, it was determined that sensitive information was stolen from the database. We were directly asked about our audit of the area. Specifically if we noted any issues that may have lead to a breach. We informed executive management and other stakeholders that we had indeed noted some weaknesses. At this point, everyone wanted to know why they were not informed of this risk. This was a valuable lesson learned. Management fixed the problem, however, the historic risks remained.
In contrast, while auditing a cashiering function we observed that some tellers shared cash drawers. This is not good for obvious reasons. Management quickly fixed the issue and there were no instances of cash shortages for the previous six months. As a result, we did not include this issue in the final report for the following reasons: (1) the total dollar amount was minimal, (2) management correct the issue (3) there was no historic risk.
Conclusions
- The consideration of historic risk and what to include in the final audit report should be analyzed case by case.
- Use caution when deciding not to include in final audit reports
- Always consider historic risks.
Any thoughts? Do you consider historical risks when crafting your audit reports?
If you like this post, send it to a friend.
If you like this site, sign up for the RSS feed or monthly newsletter.
I think the appreciation is valid. However, if you have a methodology through which you give an opinion and have a qualification of a process, you must inform the Audit Committee about the findings, as well as the actions taken or to be taken by Management. I agree that it is important to understand how the historic risk will affect.