While findings may be a normal part of an audit or examination, that doesn't make them any less daunting to navigate. Sometimes findings catch us off-guard. To quote one of my colleagues, "findings can be unclear, unusual, unreasonable, or even urgent." So, when you get a finding, how can you respond most effectively? Here are six tips.
1. Don't take it personally.
In most scenarios, a finding is not a personal reflection on you. While it may be if it has your name in it, statistically speaking, more often than not, a finding is just a finding.
Auditors and examiners write findings every day. Their audits are usually guided by work programs, and findings are based on things, such as laws, regulations, guidance, standards, or best practices. They write findings from their experience in the industry, as well as current technology or trends.
While I can't speak for every auditing firm in the world, in my experience, auditors have your best interests at heart. They aren't writing findings as "gotchas" or to make you look bad.
Findings exist to help make you and your business better.
2. Get curious.
Make sure you know what the finding means before you start trying to address it.
Sometimes, an audit or exam finding may say something as simple as, "[ABC] should be improved." In these situations, it can be incredibly helpful to get curious and dig a little deeper.
This can look like:
- Asking questions. "Why does [ABC] need improved?" or "What does 'improved' mean to you?"
- Reviewing available regulations and guidance on the topic.
- Asking your auditor or examiner for clarification or for the guidance or standard the finding is based on.
- Digging into the finding to locate the root cause.
For example, let's say you received a finding that says, "Security awareness training should be improved." If you were responding to this finding, the first thing you'd want to understand is: What caused the auditor to think the training was deficient? Maybe it was due to an inordinate number of clicked phishing links, or maybe it was because several employees had inadequate password security. Who knows? With a finding like this, it could be anything.
In short, you cannot adequately address a finding if you do not understand it.
3. Communicate clearly.
When you get a finding, keep lines of communication open and constructive. This includes communications with:
- The auditor. Do you understand the deficiency clearly? If not, is there additional information you need to provide to or receive from the auditor?
- Responsible parties. Has a person or team been identified as responsible for responding to the finding? If so, do they have access to the resources needed to complete the response process?
- Other personnel. Do any other personnel need to be made aware of the issue? Could the finding be an indicator of an incident? Could the finding have an impact on business goals or strategic objectives?
- Senior management & the Board of Directors. Does the finding's significance warrant escalation to senior management or the Board, or can it be included in regularly scheduled updates?
Continuing with our example, let's say you got to the root cause and the auditor's password scanner cracked upwards of 75% of the organization's user passwords. If this happened, you'd want to make sure you brought in the person responsible for password policy and training, maybe an internal auditor, and possibly a security technician to look for indicators of unauthorized access due to weak password use over the last year.
The goal is clear, open, and constructive communication. You might have been blindsided by the finding. It is now your job to make sure nobody else is blindsided by the weakness.
4. Document everything.
Documentation may not be the most glamorous part of responding to a finding, but it is one of the ways in which you can communicate clearly.
Most findings take time and multiple parties to address. To make sure everyone stays on the same page, create a spreadsheet (or better yet, use a finding tracking software) to keep tabs on your progress. At a minimum, you'll want to track things like:
- The finding details.
- A response target date.
- The primary contact for the response.
- The planned and implemented response.
- Relevant files and attachments.
- The date the response was completed.
- The date an independent party verified the response
For example, you might want to create a plan that says in the next 90 days, you will host a dedicated password training and work with IT to implement stricter password requirements. You may wish to attach the presentation slides you used and document the new password requirements (e.g., the length requirement went from 10 to 14 characters). All of this can and should be documented in your finding tracker.
Leave a good paper trail for others to follow. Make sure you can show your work to your auditors, examiners, senior management, and Board of Directors.
(Side Note: Documentation is an especially important process if you have decided to accept the risk of a finding. You might accept the risk if you disagree with the finding, you believe you have other compensating controls in place to mitigate the risk, or you feel the cost to mitigate further is greater than the cost of the risk itself. In any event, evidence (like meeting minutes) must be documented to prove you didn't just ignore the finding, but that risk acceptance is your form of response. If acceptance is your response, having good documentation will help you if the issue comes up again in future audits or examinations.)
5. Prove the issue was fixed.
If you took steps towards fixing a finding, make sure someone independently verifies that it was, in fact, fixed. This could be a person from another team, an independent internal auditor, a third party, or even the person who wrote the finding in the first place.
For example, you could work with your auditor to run the password scanner again and make sure the percentage of cracked passwords was (hopefully) much lower.
Now, if the response was not verified for some reason, go back to Tip 2 and get curious about why.
But once the finding response is verified, be sure to document the date and name of the person who verified it as part of your documentation process.
6. Celebrate your success.
A lot of people skip this step, but it is equally as important as the other ones on this list. You got a finding, you overcame it, and both you and your business are better because of it. So, celebrate. Get the response team together for lunch, send a note of appreciation to people involved, go get a pedicure if that's your thing. Bottom line, spread a little positivity. This is a long-term benefit because it makes the finding response process a little less scary next time you go through an audit or exam.
If you'd like help with your finding response process, check out Tandem Audit Management. This product was designed to guide organizations through the finding tracking and response process. With easy-to-read reports, presentation-ready documents, and a variety of access roles, this solution was designed with your team in mind. Check it out now at Tandem.App/Audit-Management-Software.