Unresolved audit findings often lead to repeat audit findings which call into question the strength of your business internal control system. A weak internal control system reduces the reliance placed on it by auditors in future audits and assessments and increases the level of substantive testing which invariably leads back to repeat findings and strains resources during audits.

The most effective way to resolve an audit finding is by implementing a Corrective Action Plan (CAP) which address the underlying risk(s) associated with the audit finding. If you choose not to implement a CAP however, there are two options to close the audit finding. The first is to accept the risk underlying the audit finding and its associated impact. The second is to eliminate or revise the offending control activity to the extent that there are compensating controls in place to address the core risk(s).

I should mention here that the corrective action planning process does not necessarily cover audit findings which require an adjustment to be passed e.g. in a financial statement audit. In that scenario, the adjustment will need to be passed regardless of any risk assessment performed to ensure that the financial statements are fairly stated.

Resolving findings with Corrective Action Plans

If the audit finding lends itself to resolution by corrective action planning, then the following steps will be helpful in ensuring that the risks which underlie the finding are mitigated and repeat audit findings are minimized.

1. Determine whether the CAP is still relevant

If there has been a considerable time lag between the initial development of the CAP and its implementation, you need to identify the underlying risk associated with the audit finding and determine whether the corrective action plan drafted in response to the risk exposure is still relevant. 

This is important because most CAPs are typically planned to be implemented between one to six months of identifying the audit finding. Further, depending on the nature of the finding and the resources required (e.g. budgetary constraints for the development of new systems), CAPs may be implemented even beyond six months or years after the finding was discovered.

Where the risk exposure no longer exists or has been altered e.g. as a result of changes to the audited process, then the audit finding can be closed or the CAP will need to be updated as appropriate. Consider the illustration below.

For illustration purposes only

1. Identify responsible parties and resources needed

Process owners within the audited area are key to the implementation of CAPs as they will perform the activities which constitute the CAP whether one-time or on an ongoing basis.  Process owners may be at various levels within the organizations depending on the nature of the CAP and the audited area however the CAP Owner should ideally be in a management position. 

The involvement of management in implementing CAPs is essential to communicate to employees (particularly process owners) management’s support of the new or updated procedures and ensure a smooth transition. Where resources including budgetary allocation are required to resolve the CAP (e.g. acquisition of new software to automate a process or training), management support and approval will be required to facilitate the process.

1. Implement the CAP

The process owner under the supervision of the CAP Owner needs to perform the specific set of activities outlined in the CAP. This could be as simple as updating outdated documentation requiring minimal effort and resources to a full-blown implementation of new systems, restructuring of divisions which may require human resources, time, and money.

1. Update related documentation

Having implemented the CAP, the related control activities need to be firmly established in policies, procedures including job aids and standard operating procedures to standardize them. This will provide a framework for the consistent performance of the updated control activity and minimize repeat findings. If necessary, the process owners directly involved in the audited area should be trained to handle the newly implemented or updated control activities.

1. Retest the audited area

Corrective action plans which have been implemented should be retested by internal or externally engaged auditors to determine whether the deficiency has been corrected and the underlying risk exposure has been mitigated leaving only the residual risks. You should consider retesting CAPs between six to 12 months after their implementation. Where deficiencies continue to exist, new or updated CAPs should be drafted, implemented, and retested

Resolving findings without Corrective Action Plans

In certain instances, management may decide that a CAP is not required to address the finding. This may be attributable to several factors including budgetary constraints; lack of human resources to perform certain control activities; complex operational or information system considerations, and revising or completely eliminating the offending control activity within the process area. If this is the case for you, consider performing and documenting the following:

1. Identify the underlying risk 

As established earlier, CAPs are designed to address the underlying risk(s) associated with an audit finding and to ultimately resolve the finding. Therefore if the CAP will not be implemented, then you should be fully aware of the risk exposure that the audit finding poses and determine how best to manage that risk. Failing to do this will at best result in repeat audit findings or worse deteriorate the control environment around the audited area which can be very costly.

1. Determine the risk response plan

Having identified the risk, you should determine an appropriate course of action in the absence of CAPs. Options here include:

• Revising or eliminating the control activity

To the extent that there are adequate compensating controls in place, the offending control activity may be revised or completely eliminated. Consider this example: In the Procurement related scenario discussed above, assume the following approval matrix exists within the procurement policy:

For illustration purposes only

Assume also that there were several transactions between 1,001 and 6,000 flagged during the audit which did not receive CFO approval. For a mid to large-size organization, transactions less than 5,000 could run in the hundreds, and given the responsibilities of the CFO, bigger ticket items are likely to be given priority over relatively smaller ones. 

The control can therefore be revised to raise the lower threshold of CFO approval to 5,001 and raise the upper threshold of the Financial Controller to 5,000. This will be appropriate if there is compensating control such as requiring respective divisional heads to approve transactions of up to $5,000 for their divisions prior to the Financial Controller’s approval.

• Accepting the risk

Consider this scenario: A start-up has the business owner, one operations manager, and three sales personnel running the entire business. In an audit, a finding around segregation of incompatible duties was identified because the operations manager tends to initiate and in the absence of the business owner, also approve transactions to facilitate urgent transactions.

A typical recommendation here will be for the business to hire an accounting or finance personnel or outsource certain aspects of finance and accounting to bring transparency within the process. Facing budgetary constraints, the start-up may choose to defer implementing the recommendation and accept the risk for the time being to focus on other priorities within the business if the overall impact is not deemed to be material.

1. Continuous Risk Assessment

The process area related to the audit finding needs to be reviewed periodically to identify adverse changes in the initial exposure level. In particular, you should be attentive to a deterioration of the control environment as a result of eliminating or revising the process or accepting the risk around that process.

In summary, organizations, even those of a similar size will have different internal control environments, corporate objectives, and risk profiles which will inform their approach to resolving audit findings. You should determine what works best for you and have the basis of your decision and related actions properly documented.