Audit Red Flags: Lessons from the Frontline

I asked several external auditors across the EU to share the most alarming feedback they’ve encountered during inspections over the past five years. Their answers were both revealing and unsettling, highlighting systemic issues that demand attention from leadership. Here are some of the most striking examples:

• “I escalated and was told to continue as it is.” This suggests a culture where raising concerns is not just discouraged but actively ignored, allowing non-compliant practices to persist unchecked.
• “I know, but when I report, nothing has been done; it’s been this way for years.” This reflects a systemic neglect of compliance risks, leading to a breakdown of trust in the organization’s ability to address critical issues.
• “It’s not my responsibility.” A lack of ownership creates dangerous gaps in processes and controls, increasing the likelihood of compliance failures.
• “We prioritize operational output over compliance.” When compliance is sidelined for productivity, organizations risk becoming a culture of corner-cutting.
• “We don’t have the resources to address that.” Resource constraints can leave critical gaps in compliance frameworks.
• “I wasn’t aware that was required.” Training and communication failures mean employees may unintentionally breach regulations.
• “We’ve always done it this way; why change now?” Resistance to change or adherence to outdated practices stifles progress and can result in non-compliance with evolving regulations.

These responses reflect systemic failings in governance, accountability, and cultural alignment. Addressing these issues requires a holistic approach:

1. Cultural Transformation: Leadership must foster an environment where employees feel empowered to report concerns without fear of retaliation. Building a compliance-first culture means embedding ethical behavior into the DNA of the organization.
2. Accountability at All Levels: Compliance should not be seen as the responsibility of a single department. Clear roles and responsibilities must be defined, ensuring everyone understands their part in maintaining regulatory adherence.
3. Resource Allocation: Compliance cannot be an afterthought. Organizations must invest in the right tools and personnel to ensure systems are robust and scalable.
4. Ongoing Training and Communication: Regulations evolve, and so must your workforce’s understanding of them. Regular training sessions ensure employees remain informed and capable.
5. Proactive Risk Management: Waiting for an inspection to identify issues is reactive and costly. Organizations should conduct regular internal audits to identify and address compliance gaps before they escalate.
6. Leverage Technology: Technology can streamline compliance monitoring, reduce human error, and improve reporting capabilities. From automated risk assessments to AI-driven analytics, the tools are out there—invest in them.

#CorporateGovernance #OperationalExcellence
Addressing Audit Quality Issues in Companies
Summary
Addressing audit quality issues in companies means identifying and correcting problems in the way audits are performed, ensuring financial reports are trustworthy and company operations align with rules. Audit quality problems can range from missed red flags and conflicts of interest to rushed reviews and lack of strategic focus, all of which can impact a business’s reputation and stability.
- Prioritize transparency: Encourage open communication and make sure employees and auditors feel safe reporting concerns without fear of retaliation.
- Realign incentives: Set up independent checks and reward auditors for uncovering genuine risks, not for just completing audits quickly.
- Empower audit committees: Give audit committees enough time and resources to thoroughly review financials and ask probing questions that connect daily operations to long-term strategy.
On a recent episode, our listener Allison raised a thought-provoking question: should there be a limit on the number of audits conducted versus the number of employees a firm has? Setting a limit on the ratio of audits to employees might help, but it doesn't address the real problem. Auditors lack a financial incentive to find fraud or significant issues. They're motivated to complete the audit (under an overwhelming workload), with only ethics keeping them in check. But in business, money often trumps ethics. The solution? Incentivize ethical behavior by having an independent party hire auditors and reward them for uncovering problems. The current system, where auditors are hired by the board of directors via the audit committee, falls short because the directors themselves are often too invested in the company's appearance of success to want to expose issues. To reform audit, we must realign incentives and prioritize uncovering the truth over simply completing the job. Only then can we ensure the integrity of financial reporting and protect the public.
-
Only about 5 percent of internal auditors say their work mainly focuses on strategic issues. That was the response when I asked 284 internal auditors this question during a session hosted by the Institute of Internal Auditors Singapore last week. The poll asked where internal audit work mainly concentrates. Only 5 percent selected the strategic option.

The result exposes a tension within the profession. The risks with the greatest potential impact on an organisation often arise from strategic decisions about markets, technology, investments, or business models. Yet internal audit effort still tends to concentrate heavily on operational assurance.

The questions that followed the poll were revealing.
• How do we persuade management that strategic auditing is worthwhile?
• How do we convince the audit committee to allow internal audit to examine strategic assumptions?
• What happens when the audit committee itself is still developing confidence in areas such as strategy or technology risk?

These questions point to something important. The barrier to strategic auditing is seldom technical capability. Most auditors can learn the necessary techniques. The more common barrier is expectation. If internal audit is expected primarily to provide operational assurance, strategic issues will rarely find their way into the audit plan.

In practice the shift toward strategic insight often begins in a much simpler way. Operational audits can become strategically valuable when auditors deliberately ask a question one level higher. An audit may confirm, for example, that purchasing approvals are properly authorised and that procedures are being followed. A strategic perspective asks something different. Do the purchasing patterns themselves support the company’s stated strategy?

In one retail engagement we examined inventory and buying. Controls were operating properly and approvals were consistently authorised. Yet buying decisions continued to support roughly twelve days of inventory worldwide, even though the company’s strategy aimed to reduce holdings to ten days. Operationally everything was compliant. Strategically the organisation was drifting away from its objective.

By connecting operational findings with their strategic implications, internal audit can help management and the audit committee see how everyday decisions shape long-term direction. In that sense the 5 percent figure may even understate what is already happening. Many auditors already contribute strategic insight through the quality of the questions they ask, even when the work itself is labelled operational. What is sometimes missing is recognising that those observations carry strategic meaning. When operational findings are framed in terms of their strategic consequences, the conversation gradually changes from operational assurance alone to include strategy.
-
🔹 Quarterly Results: Governance or Pressure Cooker?

Current rules around quarterly results have become a race against time, pushing management to prioritize speed over substance. This creates incentives to manipulate earnings, or worse, hide mistakes—defeating the very purpose of transparency. Should SEBI consider abolishing public quarterly results altogether or limiting them to confidential filings with regulators?

Management bandwidth is consumed preparing accounts four times a year, and Audit Committees often receive financials too late to meaningfully review them. The rush creates unrealistic expectations: management has 365 days to operate but just a couple of days of real oversight each quarter. Instead, a biannual reporting regime could balance transparency with the need for quality. Allowing companies to publish audited accounts 30 days after finalization would give auditors and Audit Committees time for thorough review.

🔹 Audit Committees: Form Over Substance?

While corporate governance talks a good game, the reality inside many Audit Committees remains troubling. Accounts are often finalized overnight, delivered to committees at the last minute under the pretext of avoiding insider trading leaks. Meetings start late, run short, and are rushed—chairpersons need to leave for flights, auditors have 15 minutes to present, and critical committee reports get just a few minutes of attention. When non-accounting directors face mountains of standards and disclosures with no time to review, expecting effective oversight is unrealistic. How can Audit Committees truly fulfill their responsibility if they’re given less than an hour to review complex financials?

🔹 Recommendations: A Bold Rethink

✅ Dispense with mandatory public quarterly results and limit filings to regulators.
✅ Allow Audit Committees to meet with adequate time—at least 48 hours’ notice with full access to financials.
✅ Consider scheduling meetings over weekends, so directors can review accounts without weekday time pressures.
✅ Track and disclose the number of times Audit Committees make material changes to financials; consistent ‘NIL’ adjustments can signal lack of diligence.

If we genuinely care about investor protection, we must move beyond box-ticking. It’s time to bring substance to corporate governance—rebalancing regulation, removing unnecessary compliance burdens, and empowering Audit Committees to act effectively. To be continued…
-
Delve is not the only problem in the GRC space. They were just the most sloppy.

THE LAST 5 YEARS - NOTHING NEW

Anyone inside the industry is aware that quality problems with SOC 2 and ISO 27001 have existed for at least the last 5 years. We have done more than 2000 projects and we have seen:

→ Cheap and Fast: Remember those "SOC 2 in 2 weeks" ads? Delve was not the first to run this play.
→ Independence Issues: Audit firms have long accepted green checkboxes in automation platforms. They have also enjoyed preferred partner status. Serious thing to consider: Can an audit firm that gets 50% of its business from a GRC platform be genuinely independent?
→ Certification mills: There are thousands of rubber-stamped reports not adequately evaluated by professionals. Poor writing, bad testing, things that don't make sense. I see them every day. Some fraudulently issued.

This is not limited to Delve. But what do we do about it in terms of the broader industry?

MY SUGGESTION

To be clear, I appreciate what technology has done to the security and GRC space. Innovation and competition are good things. It makes us all work harder. But there are also some important things to consider. Here are three things on my mind:

1. Decide You Care: At the end of the day it starts with each of us. We have to decide we care. We have to do things right even when they are hard. Maybe that means a harder audit. A longer timeline. A hard conversation with a partner. Maybe that means being tougher on vendors during diligence. It pays off in the long run.
2. CPAs Take a Stance: I hope that the AICPA decides to make some important changes to how SOC 2 is managed. Two things I would do right away include increased quality of the SOC 2 peer review process and SOC 2 report validation portals. It will take CPAs and industry insiders to join committees and make this happen.
3. Real Solutions, Not Fake Ones: One thing that is clear is that companies are begging for real solutions to simplify security and compliance. And rather than faking it - we owe the market real solutions. Ways to achieve the same ends without cheating, lying, and fraud. The know-how and technology exists to make a dent in this. If we are patient. If we focus. No shortcuts.
-
I've sat in more than 50 audits across GCC & Europe (ISO 27001, SOC 2, SAMA, etc.). You rarely fail for missing a piece of evidence... You fail because the proof is scattered, outdated, ownerless, or can't be found (while the person providing it swears they submitted it already).

To avoid this:

1. Pick one system of record for evidence (SharePoint or Google Drive, etc.). No WhatsApp, Teams DMs, or email threads as “evidence.”
2. Create one folder per framework. Create a sub-folder per control group. Use a clean name for files: {ControlName}{YY-quarter (e.g. Q1)}.
3. Assign one named owner per domain (Access, Assets, Change, Incident). Give each an audit response cheat sheet: what to show, where it lives, who to pull in (good luck with getting other teams doing it!).
4. Run a pre-audit dry run: fresh eyes click every link, open every file, check dates/signatures, and tie each piece of evidence to the control ID. Time-box to 2 hours. Ask the team: “If we were audited tomorrow, where would you point the auditor to?”
5. Automate refresh: exports/screenshots as needed (monthly?), owner sign-offs, and expiry checks so proofs don’t go stale.

Simple fix: Make evidence hygiene the product, not an afterthought. Or simply save yourself the headache: at Vamu we automate a large part of this, and map controls to owners and time-stamped proofs so the folder is clean by default. But you can start with the list above this week. Audits are won (or lost) in the evidence folder.
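An added example, not the post author's or Vamu's code, of what the dry run in step 4 and the expiry check in step 5 can look like when the folder follows steps 2 and 3: it walks a constructed Framework/ControlGroup/file listing, parses the {ControlName}{YY-quarter} file names (assuming an underscore separator and a file extension, which the post does not specify), and reports stale, misnamed and ownerless proofs plus expected controls with no fresh evidence. The 120-day freshness window, the owner map and the control names are assumptions of the example.

```python
"""Evidence-folder hygiene check (added example, not the author's or Vamu's code).

Assumes the layout from the post: <Framework>/<ControlGroup>/<file>, with files
named {ControlName}_{YY}-Q{n}.<ext>; the underscore separator, the file extension
and the 120-day freshness window are assumptions of this example."""
import re
from datetime import date, timedelta

# Assumed file-name convention, e.g. AccessReview_25-Q2.pdf
NAME_RE = re.compile(r"^(?P<control>[A-Za-z0-9.]+)_(?P<yy>\d{2})-Q(?P<q>[1-4])\.\w+$")


def parse_evidence_name(filename):
    """Return (control_name, quarter_end_date), or None if the name breaks the convention."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    year, quarter = 2000 + int(m.group("yy")), int(m.group("q"))
    last_month = quarter * 3
    if last_month == 12:
        period_end = date(year, 12, 31)
    else:
        period_end = date(year, last_month + 1, 1) - timedelta(days=1)
    return m.group("control"), period_end


def review_evidence(paths, owners, as_of, expected_controls, max_age_days=120):
    """Dry-run the evidence folder: flag stale, malformed and ownerless proofs,
    and list expected controls that have no fresh evidence at all."""
    findings = {"stale": [], "malformed": [], "ownerless": [], "covered": set()}
    for path in paths:
        parts = path.split("/")
        if len(parts) != 3:            # not Framework/ControlGroup/file
            findings["malformed"].append(path)
            continue
        _framework, group, filename = parts
        parsed = parse_evidence_name(filename)
        if parsed is None:
            findings["malformed"].append(path)
            continue
        control, period_end = parsed
        if group not in owners:        # nobody named to answer for this domain
            findings["ownerless"].append(path)
        age_days = (as_of - period_end).days
        if age_days > max_age_days:    # proof has gone stale
            findings["stale"].append((path, age_days))
        else:
            findings["covered"].add(control)
    findings["missing"] = sorted(set(expected_controls) - findings["covered"])
    return findings


# Constructed sample listing and owner map; not taken from any real audit.
SAMPLE_FILES = [
    "ISO27001/Access/AccessReview_25-Q2.pdf",
    "ISO27001/Access/AccessReview_24-Q3.pdf",     # old quarter: stale
    "ISO27001/Change/ChangeLog_25-Q2.xlsx",
    "ISO27001/Change/change-log-final-v2.xlsx",   # breaks the naming convention
    "SOC2/Incident/IncidentDrill_25-Q1.pdf",      # stale, and Incident has no owner
]
OWNERS = {"Access": "Alice", "Change": "Bob", "Assets": "Cara"}
EXPECTED_CONTROLS = {"AccessReview", "ChangeLog", "AssetInventory", "IncidentDrill"}

if __name__ == "__main__":
    result = review_evidence(SAMPLE_FILES, OWNERS, date(2025, 8, 15), EXPECTED_CONTROLS)
    for key in ("stale", "malformed", "ownerless", "missing"):
        print(f"{key}: {result[key]}")
```

A control whose only proof is stale shows up under both "stale" and "missing", which is the case that bites in a real audit: the folder is not empty, it just holds nothing the auditor can accept.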
-
Enhancing Internal Audit Programs through Risk-Based Auditing: A Strategic Approach

Integrating Risk-Based Auditing (RBA) into internal audit programs enhances effectiveness and efficiency. Learn how to achieve this strategic approach:

Understanding Risk-Based Auditing - Risk-Based Auditing (RBA) identifies and assesses key risks to an organization's objectives, allocating resources to high-risk areas for more relevant and timely insights.

Key Steps to Integrate RBA -
1. Understand the Organization: Understand the organization's objectives, strategies, and risk landscape by reviewing key documents and consulting with stakeholders to identify critical risk areas.
2. Risk Assessment: Conduct a thorough risk assessment to identify and prioritize risks using tools like risk matrices and heat maps, forming the foundation of the RBA approach.
3. Develop the Audit Plan: Develop a dynamic risk-based audit plan that aligns with the organization's risk profile, allowing for adjustments as risks evolve.
4. Allocate Resources: Allocate audit resources based on risk assessment, prioritizing high-risk areas and adjusting resource allocation accordingly.
5. Coordinate with Other Assurance Providers: Collaborate with other assurance providers to avoid duplication and ensure comprehensive risk coverage.
6. Communicate the Plan: Communicate the risk-based audit plan to stakeholders to gain support and understanding of audit focus and priorities.
7. Continuous Monitoring and Updating: Regularly review and update the risk-based audit plan to reflect changes in the organization's risk environment and ensure ongoing effectiveness.

Benefits of Risk-Based Auditing -
i. Enhanced Focus: RBA focuses on high-risk areas, addressing critical issues and leading to more impactful audit outcomes.
ii. Proactive Risk Management: RBA promotes a proactive approach to risk management, helping organizations to anticipate and mitigate risks before they materialize.
iii. Improved Resource Allocation: Efficient use of audit resources by focusing on areas that matter the most, thereby increasing the overall efficiency of the audit process.
iv. Better Stakeholder Communication: Clear communication of the audit plan and its focus areas enhances transparency and builds trust with stakeholders.

Conclusion - Integrating Risk-Based Auditing into internal audit programs is not just a best practice but a necessity in today’s dynamic business environment. It enables organizations to stay ahead of potential risks, ensuring robust risk management and sustained success.
-
🎯 "Again? Seriously?" — The life of a Quality Manager. Between IATF, ISO, VDA, and customer-specific requirements, it can feel like we’re living in a never-ending episode of “Audit Things.” But the best organizations don’t just survive audits — they build systems that make them always ready. Here are a few strategies I use (and coach my teams on): ✅ Build audit readiness into daily work. Layered Process Audits (LPAs), visual controls, and good documentation habits mean fewer surprises. ✅ Standardize evidence. Keep control plans, work instructions, and Quality Alerts organized and version-controlled in one place. ✅ Close the loop fast. Treat audit findings like opportunities — track root cause, verify effectiveness, and communicate changes. ✅ Train beyond compliance. Make sure operators and engineers understand why requirements exist — not just what to check. When you do that, audits stop being stressful events... and start becoming proof that your system actually works.
-
Reviewing the SOC 2 report issued by a firm catches some quality issues, but most CPA firms specializing in SOC 2 audits use templated reports that have all the elements necessary. They will use templated controls and templated tests that cover everything. There are edge cases where SOC 2 reports might state that they used inquiry-based testing only, but those are not the norm. To determine if quality standards are being met, there also needs to be independent oversight of the testing performed by firms when they perform a SOC 2 audit. Currently, this is a very minor part of the peer review program.

To improve oversight, which should ultimately improve quality, I would propose the following (I don't know how much this would cost, or who should pay for it, but we need to get the ball rolling and start with ideas):

- The AICPA implements an additional quality review program for SOC 2 specifically. The current Peer Review program should no longer be required to cover SOC 2 reports. They need to hire personnel that are technical enough to understand security, cloud technology, and auditing concepts.
- In order to issue SOC 2 reports, firms must be a part of the AICPA's SOC 2 quality review program.
- The AICPA will choose the review team.
- I don't think it would be economically feasible to perform reviews for every firm on an annual basis; I suggest every two years to start with.
- The number of audits reviewed should be a statistically valid sample based on the number of reports issued over the last two years.
- The review should cover items such as the following (not an exhaustive list):
  1) Was the audit scoped correctly?
  2) Were the controls listed in the report actually the ones tested?
  3) Were any key controls missing that should have been tested?
  4) Did the firm's testing procedures include appropriate procedures other than inquiry?
  5) Did the firm obtain sufficient and appropriate evidence to conclude that each control was suitably designed and operating effectively?
  6) Did the firm perform appropriate procedures to obtain comfort over the completeness and accuracy of evidence provided by the client?
  7) Did the tests documented in the firm's workpapers and the evidence reviewed correspond to the testing procedures and evidence documented in the report?
  8) Did the firm appropriately document their conclusions for each control and the evidence reviewed?
  9) Did the firm appropriately identify subservice organizations?
  10) Were there independence concerns that caused the reviewer to question whether the firm was independent from the client?
  11) Everything covered as part of the current Peer Review program should also be included in this review.
  12) Results should be public.

I understand this isn't something that changes overnight, and I am all for grassroots efforts to get things moving, but I believe the AICPA needs to administer it to ensure that the quality review program is objectively administered for all firms, small and large.
-
Passing an audit doesn’t mean you’re protected. Broken quality loops still put patients at risk. Here’s how.

When FDA issues a warning letter, it’s easy to focus on the findings:
• Complaints open too long
• CAPAs that stop at documentation
• Risk files that aren’t updated
• Cleanroom excursions without clear patient linkage

This reflection was prompted by a recent FDA letter, but the pattern is far broader than any one company. What failed weren’t isolated controls. What failed were the loops of compliance. Compliance only works when critical loops stay closed:

🔁 Signal Loop: Complaints → Investigation → Decisions → Learning. When complaints linger, the organization stops hearing risk.
🔁 Containment Loop: Deviation → Health hazard evaluation → Product impact → CAPA. When containment ends at paperwork, risk keeps moving.
🔁 Risk Governance Loop: CAPA learnings → Risk files → Design & validation updates. When risk management is static, the system lies to itself.

FDA isn’t asking for more SOPs. They’re asking a harder question: Does your system think?

Here’s the uncomfortable truth for leaders: Passing an audit is a snapshot, not a verdict. Compliance without systemic reasoning is fragile. These aren’t new issues. They’re old ones that persist when quality is treated as proof instead of protection. Our role as leaders isn’t to manage findings. It’s to ensure the loops stay closed, especially when no one is watching.

♻️ If this resonates, feel free to repost so more teams reflect on this before the next inspection, not after.
📬 The Beacon Brief: https://lnkd.in/gNXeXDzH