VIII.

AUDIT
DOCUMENTATION
TOPIC OUTLINE
• Using the CCCER/5C Model to Document Findings
• Making Findings and Recommendations Persuasive
• Persuasion and Diversion
• Developing Useful, Pragmatic, and Effective Recommendations for
Corrective Action
CCCER MODEL
C: Criteria

C: Condition

C: Cause

E: Effect

R: Recommendation
 USING THE CCCER/5C MODEL TO
DOCUMENT FINDINGS
• Internal auditors must document relevant information to support their
conclusions and the results of the work performed. So, when internal
auditors find discrepancies between what is expected, and what is
occurring, they prepare what is commonly referred to as a finding.

FINDING
 A finding is the name given to the discrepancy between what is expected and
what is actually in place, as discovered by auditors during the course of their
work.
 A finding provides the details about the anomaly and is determined as a
result of the procedures performed by the auditor.

• When conditions meet the criteria, the auditor’s communication can

indicate that the performance was satisfactory.

1
CRITERIA
• The criteria are the performance standards or expectations set by
relevant stakeholders.
• The criteria are used in making the evaluation or verification and
consist of the expected performance.
• When performing financial reviews, the criteria would consist of
relevant accounting and financial standards that dictate the recording
of transactions for financial statement purposes.
• Criteria can also be established through external expectations like
those encapsulated in government laws and regulations. Others are
based on internal expectations such as those defined in the
organization’s policies and procedures that govern employee conduct,
the use of company resources, and procedures describing how control
activities or operational activities within a process should be
performed.
CRITERIA
• Lastly, the criteria can be a combination such as those reflected in
contracts and SLAs. Internal auditors may also use the organization’s
mission, values, and prevailing best practices as the basis for their
review.
 For example, if a process being reviewed does not have cycle-time
performance standards that set turnaround times, or escalation
procedures are missing, the auditor can refer to the overarching
corporate value statement indicating that stakeholders will receive
prompt service and that the organization will protect its image by
quickly responding to customer inquiries and requests.
• The criteria consist of what should exist – the correct state.
CONDITION
• The condition refers to what the auditor discovered as a result of
applying auditing procedures.
• It is the factual evidence that the internal auditor found during the
review. Internal audit procedures include gathering testimony,
reviewing documents, observing the work conditions and dynamics,
and performing calculations of important figures, where applicable.
• Whereas the criteria are what should be in place, the condition is what
is in place. The finding exists because there is a difference between
the criteria and the condition. What is happening is not what should
be happening, so this creates a deficiency that warrants reporting.
• The condition is the current state.
CAUSE
• The cause is the reason the condition exists.
• The cause explains why there is a difference between expected and
actual conditions.
• Internal auditors should search for and identify the root causes of the
condition. Failing to do so will result in the auditor working with the
symptom(s) of the problem and in the end making inadequate
recommendations that provide an insufficient solution. Getting to the
root cause of a problem is not always easy. In many cases there may
not be just one reason, but rather several factors creating the
problem. Larger issues often follow this pattern and internal auditors
should be cautious not to attempt to describe the root cause without
exerting sufficient efforts to find it. Another challenge with getting to
the root cause is that it takes additional time and effort on the part of
the auditor.
CAUSE
Some of the tools I have found particularly suited to help auditors get to
the root cause of problems are
 5 Whys. Ask “why?” until you get to the root cause of the issue.
 Cause and effect diagram (also known as fishbone diagram).
Create a diagram to show visually all the possible factors creating
the issue to see where the problem may have started.
 Drill down. Break down the condition into smaller parts to gain a
better understanding of the larger picture. This could also involve
data analytics.

This is one of the most common reasons for recurring problems:

misdiagnosing the cause of the problem and focusing on correcting
symptoms instead.
EFFECT
• The effect constitutes the consequence of the condition identified. It
relates to the risk or exposure the organization, program, process, or
others will face because the condition is not consistent with the
criteria.
• The effect is the impact resulting from the problem itself. A helpful
approach to document the appropriate effect and to make sure that
the auditor has in fact identified a finding worthy of being included in
the report is to ask: "So what?" Why should anyone care about this
condition?
• It is extremely helpful for the auditor to quantify as much as possible
the effect of the finding. This will make the finding more compelling
and convincing and serve as a useful yardstick to determine if the
finding has merit or not. This will also inform the reader about the
importance of heeding the next item presented in the report: the
recommendation.
RECOMMENDATION
• The recommendation is the action, or collection of actions, that if
successfully implemented, will neutralize the cause, stop the effect,
and restore the condition to the desirable state (i.e., criteria).
• The effectiveness of the recommendation will depend on the auditor
fully capturing the details about each of the components of the CCCER
model. By elaborating sufficiently on each of the components, the
finding will be convincing and compelling so that the reader comes to
the same conclusion as the auditor who identified the deficiency.
• Recommendations should be cost effective when correcting the
problem. Care must be applied so the cost of correcting the deficiency
does not exceed the exposure or loss the deficiency is identifying. It is
also useful for the auditor to consider the principles of effective
processes when making recommendations.
 MAKING FINDINGS AND
RECOMMENDATIONS PERSUASIVE
1. Quantify as much as possible. The auditor should tell the reader,
as much as possible, how big the problem is.

2. Make sure findings are significant. Since organizational

management is increasingly dealing with complex and worrisome
risks, managing large volumes of transactions and monetary
amounts, and faces constant time limitations, they should not
receive audit findings pertaining to minutiae.

3. Consider the cost/benefit involved. Internal auditors should

evaluate quantitative and qualitative costs and benefits in an effort
to refrain from presenting problems that are not particularly
significant and require a higher cost to correct.

4. Use appropriate language. Internal audit should know who their

readers are and make the language appropriate for the audience

2
 PERSUASION AND DIVERSION
• As much as internal auditors should know how to increase their ability
to be persuasive, they should also remember that sometimes audit
clients want to persuade the auditor as well. This could be done to
argue a point of view, educate the auditor, decrease the severity of
the rating on a finding, to convince the auditor to review or not review
certain items, and so on. Auditors should know about some of the
techniques used to persuade distract, and divert their attention. For
example:
• Repetition. By repeating an argument often enough, the perpetrator
hopes that the frequent repetition creates legitimacy. Some do this
with distorted and untrue statements. Because someone says it many
times, that doesn't make it true.

3
• Will of the majority. This gives the person's argument the aura of
legitimacy. If that were so, then the mere fact that many people share
the same knowledge or opinion would lend it credence. But if that is
fabricated, then it is done with the intent of deception.
• Generalization. Making unwarranted generalizations that represents
one's behavior as that of the whole is another way to distort the truth.
This consists of what is commonly stated as "everyone is doing it."
While this may be so, it does not make the behavior acceptable.
• Creating information. Some individuals attempt to present a different
version of the truth. This can be done by choosing to exclude some
information that if known would have resulted in a different opinion.
Internal auditors must be careful not to do this themselves and by
looking at situations, problems, and even choosing recommendations
from a biased perspective, the auditor could also introduce bias into the
analysis and be guilty of this as much as auditees can be.