At the conclusion of an audit, the third-party audit firm issues an audit report to the organization. If the report is unqualified, it is a great achievement for everyone involved in the audit program. Usually the client prime from the compliance team, who manages the audit and maintains engagement with the internal teams and the external auditors, gets the credit for the unqualified report, while the rest of the participants don't really get recognized as much.
In most cases this is what happens.
- External auditors identify an exception with a control, which may or may not lead to a qualification.
- Control owners are notified of the exception, and most of the time they immediately start working on remediation.
Notice that in the steps above the compliance team prime has not really done anything; the heavy lifting has been done by the external auditors and the control owner teams. The compliance team prime is just acting as the project manager. Most of the guidance on how to remediate is provided by the external auditor, and once the remediation is completed it is tested by the external auditor.
Hence my reluctance to give the compliance team prime all the accolades for an unqualified report.
In my eyes the compliance team audit prime would be worthy of receiving the accolades if the following two processes are included in the compliance program.
Post Audit Remediation
Ideally, if the compliance team is managing the compliance program well, this is what they should be doing:
- Once the current audit report has been issued, a list of items that need attention should be prepared. The items on this list can be of the following types:
  - Observation/Opportunity for Improvement (OFI)
- Once the audit firm issues the Management Letter Points, they should be checked against the list, and anything missing from the list should be added.
- A meeting should be conducted with control owner leadership, usually at the VP level, to make them aware of the identified gaps and to get their and their teams' support in remediation.
- The senior leader/VP should send an email to their teams, instructing them to provide full support to the compliance team.
- The compliance team then meets with each of the control owners and agrees a deadline by which the remediation should be complete.
- A project manager should then take over to ensure tracking and reporting is done upwards and downwards.
- As each remediation is completed, the compliance team must test the control to confirm it will indeed be able to pass the external auditors' scrutiny.
While the above activities are in flight, it is key that the organization also embraces a continuous compliance program where:
- Audit evidence collection happens throughout the year.
- The evidence is collected and uploaded to the central repository by the control owners.
- The compliance team prime reviews and signs off on the evidence as meeting the control objectives.
- If control objectives are not being met, the compliance team works with the control owner(s) to implement a remediation plan immediately.
If Post Audit Remediation and Continuous Compliance are practised as described, this is where the success of the compliance program surfaces, and there should indeed be no shame in giving accolades to the audit prime and to the whole team involved in ensuring the control requirements are met.
Continuous compliance ensures that most of the evidence has already been collected, which ultimately means control owners and audit primes don't suffer audit fatigue and face less pressure from a compliance perspective.