Got an Audit Finding? Craft Your Written Response Carefully
This may be hard to swallow, but audit findings are really about improvement, not judgment. A finding isn’t a report card that details your organization’s demerits, and it’s not a statement that says your management team is failing at its job. Findings and management letters are, in fact, essential byproducts of the audit process. They reveal helpful information you can use to protect your organization from risk and tighten controls.
It may be tempting to respond to a finding with indignation and defensiveness, but that approach doesn’t do you much good. Yes, findings are public information and you want to protect your reputation, but graciously acknowledging the issue, accepting responsibility, and outlining a corrective plan all go much further in building a collaborative relationship with regulators and earning public trust. A position of cooperation serves your organization best.
Considerations when crafting a written response to a finding
There are three very common audit findings, and if you’ve recently received one, it probably falls into one of these categories:
- Findings related to deficiencies in internal control over financial reporting as required by Statement on Auditing Standard (SAS) 115 or the Government Accountability Office’s (GAO) Government Auditing Standard (GAS). These findings are often identified through a test of design or effectiveness over internal controls and must be reported.
- Single audit findings related to internal controls and compliance requirements from federal funding under the Uniform Grant Guidance. These findings are similar to financial statement findings but relate to compliance with federal regulations.
- Management letters that detail an area of concern not quite deserving of a finding and offer business advice or opportunities for continuous improvement. These are private, unpublished documents.
You fundamentally have three ways of responding:
Agreement and corrective action plan
If you agree with the audit finding, simply say so, then move on with a corrective plan of action. Identify the individual responsible for the plan and the anticipated completion date. You can take more time to thoroughly resolve complex findings, but it’s best to pledge an earlier completion date for simple issues. Show that you are committed to fixing the issue sooner rather than later.
Your corrective action plan should identify how the changes will prevent reoccurrence in the future and what remedial controls will be implemented in the interim. Overall, your response should provide enough detail to satisfy anyone reading it that your plan is sound and specific. Your auditors must conduct follow-up procedures in the next audit period, so be sure to document any corrective actions and steps taken during the year.
When you disagree with the finding, proceed with caution. If you dispute it or offer the defense that no issues have historically been reported in previous audits, you raise a red flag with oversight agencies, especially if the finding is related to federal funds. And if you express disagreement, your auditor must respond with further explanation of the finding, essentially rebutting your statement, which may serve to strengthen the case for the finding and invite further regulatory scrutiny.
Each finding includes a process stage that allows you to clarify or remediate it and identify the laws, regulations, standards, or best practices that your organization should better comply with. That occasion will be your chance to debate or express your opinion; in other words, your written response isn’t the best place to argue the facts of a finding.
Of course, there are times when your disagreement is valid and substantiated. Make your case thoroughly and clearly, providing specific, solid evidence for your challenge to the finding. Be dispassionate, respectful, and matter-of-fact in your tone.
You aren’t required to respond, but your silence could be viewed as failing to take the audit process seriously and showing resistance to feedback. Some people may question your organization’s sense of stewardship, responsibility, and accountability.
When an auditor issues a finding under government auditing standards but does not receive a management response, the report must indicate that management was provided a reasonable time for response and state overtly that you elected not to comment. In such cases, governance or oversight agencies may ask you why you chose not to provide a written response and inquire about what your organization is doing to address the finding. If that happens, you’ve essentially deferred your response, and now you’ll have to give it directly to a regulating body rather than the auditor, sparing yourself no effort and inviting further review. This isn’t recommended.
How we can help
A thoughtful, written response to an audit finding or management letter shows that your organization is open to constructive review, willing to take positive action to strengthen controls, and strives to be a good steward of the public’s resources and trust. CLA’s federal and state and local government, nonprofit, and higher education industry professionals can help you identify the best course of corrective action, build a solid control environment, and effectively communicate your plans to auditors and members of your organization.