How to Remediate Your Audit Findings
So, your company has undergone a compliance audit, and — don’t faint from surprise here — it came back with a bundle of audit findings that you need to remediate. How does a compliance officer assure that all those cats are herded appropriately?
This is the part we seldom discuss in corporate compliance. Everyone talks about frameworks, mapping controls, and gap analyses. Then comes something along the lines of “and now you have a roadmap for remediation,” as if remediation is as simple as following the navigation screen on the dashboard of your car.
The reality is more difficult, of course. An effective remediation process that addresses audit findings in a timely manner is hugely important — to regulatory compliance, risk management, and even your organization’s strategic position in the marketplace. So let’s take a close look at audit findings and give this subject the attention it deserves.
3 Things Audit Findings Should Tell You
You can’t use audit findings to guide your remediation work unless those findings impart useful information. So, let’s begin there: what should audit findings tell you?
1. They should identify where your controls are weak
Audit findings should identify where your controls are weak and where your operations aren’t in compliance with some law, regulation, or industry standard.
For example, an audit of IT access controls might identify several instances where multi-factor authentication should be used, but isn’t. Or it could note which operating units within your enterprise allow simple passwords that violate your written policy for complex passwords. The finding might also specify any incidents of non-compliance with, say, the COSO framework for internal control or the PCI-DSS framework for security of payment card information.
2. They should include recommendations for remediation steps
Audit findings should also include recommendations for what remediation steps you should take. For example, the finding might recommend more frequent employee security training, or implementing multi-factor authentication for certain transactions or groups of employees. The findings won’t usually tell you how to implement those measures; that’s your problem to solve. They only recommend what you should do to strengthen a weak control or bring certain operations back into compliance.
3. They should describe the consequences of ignoring the problem
Ideally, audit findings will describe the potential risks of ignoring the problem: data breaches that might happen, financial costs incurred, legal violations that could put the business in jeopardy, and so forth.
More broadly, one could say that audit findings confirm or disprove your risk assessment and the effectiveness of your internal controls. That is, you believed your top risks were A, B, and C; and then you implemented controls X, Y, and Z to address those issues. Audit findings provide an objective assessment of whether those controls work as intended, and whether your risks are indeed managed as you want.
3 Steps to Get Rolling on Remediation Using Your Audit Findings
Once you have that pile of audit findings needing remediation, the work itself should follow several logical steps.
1. Assign responsibility for addressing the findings.
Meaning, assign the necessary remediation tasks to specific people in your organization, and be sure they know that the tasks have been assigned to them!
2. Assign deadlines for action so you can measure progress.
Every remediation step should have a deadline attached to it, and you’ll need a procedure to confirm on those deadlines whether the task was actually done.
3. Where necessary, re-perform certain tests or procedures to assure remediation has worked.
For example, you may want to re-perform a vulnerability scan to confirm that certain software patches have been implemented; or test access controls to determine whether multi-factor authentication exists and works.
Throughout this process, alerts and escalation for remediation tasks not done in a timely manner will be crucial. People assigned to complete tasks by a certain date should be reminded of their deadline; then they should be required to submit a certification that, yes, the work is complete. Ideally, both alerting and certification should be automated.
This spares the compliance officer from chasing down overdue tasks, and assures that all documentation is stored in a single repository.
Escalation procedures are necessary because (again, don’t faint from surprise here) some employees will ignore their assigned tasks. You’ll need a procedure to escalate those remediation demands to more senior managers, who can then apply the appropriate pressure to errant employees.
Alerts and escalations are also important because they let compliance teams know whether audit findings are being ignored, and lagging action on audit findings is a key risk indicator for all sorts of risks. Failing to act swiftly on remediation can lead to compliance risks, security threats, surprise financial costs, legal risks, and much more. So, monitor your alerts and escalations closely, and convert that data into a KRI.
What Remediation Achieves
We should also step back to consider the larger picture here: why is a strong remediation process important at all? That might seem like a silly question, but really it’s not. A strong remediation process will require technology, investment, and executive attention, so compliance officers need to be able to explain the business imperative for caring about this.
First is the very practical reason that companies typically need to remediate audit findings to meet their regulatory compliance obligations. If you ignore those findings, you might fail a regulatory examination — or, worse, suffer legal violations that expose your company to enforcement actions.
Second, remediation is part of the broader enterprise risk management process; so the better your remediation processes, the better your company can manage risk. That leads to fewer disruptions and all their attendant costs.
Third, you’ll be able to brief the board, regulators, and other stakeholders more confidently about the risks your company does have. For example, external auditors might do less testing of their own, if they find your documentation complete and accurate. Business partners might find your company more attractive, because your remediation process gives them more visibility into their third-party risk (their third party, of course, is you).
The ultimate goal here is to bring more efficiency and rigor to your remediation work, so your business can navigate today’s highly regulated and highly interdependent business landscape with more agility. That allows you to outmaneuver competitors and thrive in the market. Strong remediation processes are essential, so spend the time and resources to get those processes right.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.