Going beyond the initial remedial actionAug 26, 2019
Management action flowing from an internal audit finding often focuses on the specific sample or weakness that was identified. We call this "remedial action" - but is it really a remedy at all?
We must ask: Does the action minimise the risk? And, importantly, if a customer knew about it, would they be satisfied with the fix?
Better remediation needs to include, in addition to fixing the specific sample/weakness, a discussion about:
- The Past
Has this happened before? Has this happened with other similar processes?
Look beyond the sample to determine whether the issue exists elsewhere such as in past transactions or similar processes.
- The Present
Why and how is this happening now?
Explore the circumstances and find and fix the root cause. This could be one or more of:
- a technology defect;
- a gap in a process or procedure;
- a behavioural (i.e., people) issue.
- The Future
How can we prevent this, or something like this, from happening again? How can we catch it if it starts?
Implement controls to detect and prevent re-occurrence.
Let's look at two simple examples
Do your audits help minimise risk and meet customer expectations?