Every audit report needs to communicate the true state of affairs, and that can be more than describing factual situations. Context is critical. All relevant facts need to be included.
I have seen a few candidates for this title, but one stands out. This is how I described it in my best-selling book, World-Class Internal Audit: Tales from my Journey:
… I was with a large savings and loan company (very similar to a mid-size domestic bank). After a few years in their internal audit department, leading among others the IT audit team, I had moved into IT management with responsibilities that included information security. Randy, one of my former IT auditors and a gentleman that I had hired and thought well of, was performing an audit of our information security program. He met with me to review his preliminary findings.
Randy told me that we had a serious control weakness in that we didn’t change the phone numbers people used to dial into the data center. They needed to be changed at least once every quarter; otherwise there was a risk that over time the numbers would become known by hackers.
I agreed with Randy that changing the phone numbers reduced the risk that they would be compromised. However, as I pointed out, once somebody called the number they had to provide a userid and password. They were at the gate to the castle, but needed a key to open the front door. After three attempts, the userid was locked. In addition, changing the phone numbers frequently had three results: first, users would write them down and keep them in an easy-to-find location – a security issue; second, users would forget the number and be unable to do their work without calling the security help desk for assistance; and third, all of this carried a cost that was probably higher than the value of any risk reduction.
The risk reduction would be minimal because even after somebody was able to dial in, enter a valid userid and the correct password for that userid, they needed to get past additional security defenses. They had opened the front door of the castle but there were still a portcullis to navigate and additional doors to each of our systems and databases. The operating system (IBM’s VM system) demanded a second userid and password. To enter an application, access a data base, or perform other functions, required at least one more – a third – access authorization.
I explained to Randy that the dial-up number was only the prelude to needing at least three additional levels of authorization before being able to steal data or damage our systems. In addition, I showed him an article about a tool used by hackers to automatically dial phone numbers until they detected the tone from a network modem – indicating a dial-up connection; the hackers could find out phone numbers even if we changed them! He agreed but said that changing the phone number was necessary.
By now, I was starting to lose my patience. I had hired Randy because he had a good combination of technical knowledge and common sense. Why couldn’t he see that this was a silly recommendation? So I asked him why it was necessary.
Randy’s answer: because a book by a notable IBM expert said you should change your dial-up phone numbers at least quarterly! Instead of using his common sense, he was relying upon advice from somebody who had no knowledge of our environment, the risks, and the costs.
I asked Randy to go back to his manager, a very experienced IT audit director who had been hired from outside the company to take my old job. Unfortunately, that individual told Randy to keep the point in. It was only taken out after the head of internal audit saw my response to the audit finding that explained how there was little to no risk but significant potential for business disruption and cost by changing phone numbers frequently. Incidentally, my manager (a senior vice president) and his manager (an executive vice president) were both quite concerned about the politics of disagreeing with an audit finding, but they trusted me to see it through.
Unfortunately, there was more to this report. I included this in my other internal audit best-seller, Auditing that Matters.
When I was a Vice President in IT with Home Savings of America, one of the functions that reported to me was the Information Security team. This was an area that I had built from nothing into a team of three experts who had implemented the ACF2 security system and several other measures. But, when we were audited after just one year of operation, the audit report gave us no credit for the work we had done; instead, it pointed out the areas we had yet to complete and concluded that security was inadequate.
The issues that the audit report raised were not only known to us, but were on the work plan that we provided to the internal audit team! All the recommendations in the audit report were already planned and had been included in our reports to senior management.
This report was of no value. It just made us angry.
What would have been useful would have been a report that informed management and the audit committee whether we were:
- Making the desired progress
- Adequately staffed and resourced
- Sufficiently supported by senior management
- Addressing the issues with an appropriate risk priority
- Completing each task with an appropriate level of quality
In other words, internal audit could have pointed out where we were on the path to effective information security that met the needs of the organization.
Such an audit report would have provided value to top management and the audit committee.
The IT audit manager believed that it was his obligation not only to report security weaknesses to the board, but to recommend that we remediate them on an expedited basis.
It didn’t matter to him that correcting the deficiencies was part of our implementation plan for the ACF2 product and we had reported the status to senior management. Those facts, that we were aware of the issues, had planned appropriate corrective actions, and made senior management aware of the situation, were not mentioned in the report.
Instead, the issues were described as internal audit ‘findings’.
I asked the audit team a series of questions:
- Do our implementation plan and the remaining action items adequately address the issues? The answer was “Yes”.
- Do we have the resources to take corrective actions faster? The answer was “No”.
- Have we properly prioritized the work of the information security team, including the work to be completed on the ACF2 project? The answer was “Yes”.
- Are you going to recommend that we get the additional resources necessary to complete the actions faster, as you have suggested? The answer was “No”.
As a result, the report to the board and top management was misleading. It was neither fair nor balanced. It described a situation that implied that we were not acting as we should, when in fact they agreed with everything we were doing.
This is a story that has a message.
Every audit report needs to communicate the true state of affairs, and that can be more than describing factual situations. Context is critical. All relevant facts need to be included.
Every audit report needs to tell a story about whether management has reasonable controls in place to manage risk at acceptable levels.
Every audit issue or finding has to be explained in terms not only of whether the risk is acceptable (and to which objective) but whether management is acting appropriately.
The IT audit manager responsible for this audit didn’t care about risk or balance. Frankly, not only was he very much a rules-based instead of principles-based auditor, but I suspect he was using the audit report as a way to make himself look better.
What do you think?
This happened to me. Have you seen similar reports?
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024
- Internal audit wastes so much time on policies, documentation, and more! - January 17, 2024