Turning audit chaos into a clear, actionable plan: a five-step approach

Here's an approach that transforms the overwhelming task of responding to an audit into a clear, structured process - breaking down chaos into an actionable plan, just like turning a pile of disorganized bricks into a strong, fortified wall.

RAPID ANALYSIS WORKSHOPS | DATA PROTECTION MATURITY | PROJECT MANAGEMENT | DATA PROTECTION LEADERSHIP | GOVERNANCE

Tim Clements

3/5/2025 | 6 min read

Brick by brick: transforming your audit findings into a rock-solid plan

An audit team has recently visited your department or programme to conduct an audit. It could be data protection, AI governance, information security, or a specific process.

You have a copy of the audit report in front of you, and you need to respond to how you intend to address all the findings. It can be an overwhelming task, especially if the report is lengthy.

You feel like you've been hit by a ton of bricks. Fortunately, there is a way forward.

Dealing with a multitude of issues requires a structured, collaborative approach that will also generate documentation (evidence) to demonstrate accountability.

I've used the following method to address problems at various levels of a company, e.g., audit findings, performance issues at management level, broken processes, etc. At the end of it, you will be able to present a remediation plan to management and the Audit Committee (if you have one).

It's a straightforward five-step, workshop-oriented process:

  • WHO? The stakeholders you need to involve

  • WHAT? Making sense and understanding the findings themselves

  • WHY? The underlying problems

  • HOW? The work required to address the issues

  • WHEN? Roadmap and timeline

Essentially you are transforming something that may at first appear to be chaotic (and painful), into a solid structure - your remediation plan.

Step 1: WHO? Identifying the right people

Identify the people who need to help you. These are the people who must take responsibility now, and from this point forward. They may have been involved in the audit itself. Typically they will be:

  • Colleagues from the business, e.g., process owners, business marketing, application owners, customer service, etc.

  • Colleagues from IT, e.g., IT asset owners, IT process owners, etc.

  • Colleagues from functional departments, e.g., legal, HR, finance, procurement, etc.

  • Vendors - depending upon the nature and severity of the audit, as well as the nature of your operating model, you may need to involve third parties

Make them aware of the audit report and that you need their help. Share a copy of the audit report with them (if internal policies allow you to do this).

You may be accountable for data protection in your company, but delegating responsibility appropriately is a must (this may sound obvious - unfortunately, many data protection leaders are one-person armies - you need all the help you can get).

Helping hands

Set a date and book a rapid analysis workshop - it could be a half-day, a whole day or a series of days, depending upon the number of findings. Book the rooms, book the people, allow time for travel planning, book refreshments, etc. Also start looking for an experienced facilitator - you will need to be a participant, so the facilitator should not necessarily be you.

Step 2: WHAT? Understanding the findings

For the workshop itself, you will have prepared all workshop materials in advance by copying each finding onto a piece of card or a large post-it, with some additional information:

Audit finding
  • Proposed owner - the individual you consider responsible

  • Risk rating - some audit reports will provide this

  • Audit finding - copy/paste this to a label/merge function in MS Word or similar and print directly to card or labels

  • LoB/market/department - indicate the specific part of your company that the finding may relate to

Lay out all cards/notes on a large bench or across a long wall.

You will also have prepared an A3 template to use throughout the workshop - as you'll see, you'll need many copies of the template. Your company may have its own version - here's a rough example:

A3 plan

After the welcome and introductions, the first step is for all participants to review the findings (that you've copied onto cards or post-its) and then, together, identify patterns or similarities across the findings (aka Affinity Mapping) and group them.

Move the similar or related cards/post-its into clusters or groups.

Rapid analysis workshop

Typically, there will be several large clusters. Split the participants into workgroups (2-5 people) by either delegating or voting.

Each workgroup is then assigned a number of clusters. For each cluster, complete the "problem statement" section of the A3 template.

A "problem statement" is a clear and concise statement which explains, in simple terms that anybody can understand, the issue, its consequences, where the problem manifests itself and how the problem may be tackled.

It should be:

  • Brief - a few sentences which explain everything needed. It can be revised over time

  • No technical talk or jargon – no three letter acronyms

  • Shows the size of the problem or impact

Remember, there will be non-technical, non-legal, non-IT people who will read the audit report and responses.

Next, the facilitator presents the problem statements back to all participants and facilitates the prioritisation of the clusters. Use a standard method such as MoSCoW (rough definitions are supplied below - define your own, appropriate to your company):

  • MUST do - Unlawful processing, high risk to data subjects

  • SHOULD do - Critical internal impact: financial, reputation

  • COULD do - Non-critical impact, could be fixed at the same time as other similar/related issues

  • WON’T do now - Non-critical, nice-to-have, little consequence if not dealt with immediately

Depending upon the time available, each workgroup will then take several clusters/problem statements to analyse.

Rapid analysis workshop
Step 3: WHY? Identifying root causes

Findings are the tip of the iceberg. The real challenge is what’s beneath the surface.

For each problem/cluster, conduct root cause analysis (why the issue occurred) in the workgroups using a technique such as Ishikawa diagramming. An example here:

Root cause analysis - fishbone diagram

Some root causes may be more obvious than others, but the key is to get to the bottom of the problem rather than address the symptoms. Whatever you do don't try to "paper over the cracks" by just addressing symptoms! Dig deep!

Step 4: HOW? Developing solutions

The root causes identified in the previous step will provide input to the solution(s) and work needed to address the problem. The type of work will fall under one or more of the following categories:

  • Policy/procedure

  • Organisation/people

  • Technology

  • Information/document

Identifying the category of work now helps you understand the nature of the initiatives or projects that need to be launched to address the audit findings, e.g., technical initiatives, OCM, legal documentation, etc.

For each problem, populate the A3 document further, stating actions, owners, resources needed, ballpark time and cost estimates, etc.

Make a second level of prioritisation by plotting the A3s/initiatives on an Ease/Benefit matrix - this is also a collaborative effort:

Ease/benefit matrix
Step 5: WHEN? Building the roadmap

The facilitator will finish up by driving the production of a first-cut roadmap once all the A3 documents are complete. The roadmap takes into account prioritisation, dependencies between the initiatives, dependencies with other relevant projects/initiatives in your company and, not least, available resources. All participants work together to make the roadmap, with the facilitator moving things along, settling disagreements, etc.

Roadmapping

A detailed schedule covering the coming three months can be developed later by engaging the teams that will be involved. I see trying to plan at a detailed level beyond three months a pointless exercise due to the dynamic nature of companies.

Roadmapping at a rapid analysis workshop

After the workshop, write everything up in the form of an Audit Response Report, including the completed A3s and the roadmap. The report will then feed into your company's business case process or portfolio management system for consideration and approval. Produce a summary slide deck of the report for presenting to the Audit Committee, and distribute it together with the report.

I've used this approach umpteen times over the past 20 years in various companies with good, consistent results. I'm always keen to hear of alternative approaches so feel free to get in touch for a knowledge exchange.

Does this resonate, or have you just received an audit report and need help to make sense of it and put a plan in place? Feel free to get in touch to arrange a no obligation call to discuss your requirements.