Management action often focuses on the sample or weakness that audit identified.
We call this "remedial action" - but is it really a remedy at all?
We must ask: Does the action minimise the risk? And, importantly, if a customer knew about it, would they be satisfied with the fix?
Better remediation needs to include, in addition to fixing the specific sample/weakness, a focus on the present, the past and the future.
Has this happened before?
Has this happened with other similar processes?
Look beyond the sample to determine whether the issue exists elsewhere, such as in past transactions or similar processes.
Why and how is this happening now?
Explore the circumstances and find and fix the root cause.
This could be one or more of:
- a technology defect;
- a gap in a process or procedure;
- a behavioural (i.e., people) issue.
How can we prevent this, or something like this, from happening again?
How can we catch it if it starts?
Implement controls to detect and prevent recurrence.
Here are two simple illustrative examples
Do your audits help minimise risk and meet customer expectations?