The audit report goes to the regulator. The management letter goes to you. The action plan you build in response is what prevents the same findings recurring next year, and what improves your operations along the way.
What you'll learn
→ Read the management letter carefully
→ Build the action plan
→ Embedding the changes
→ Working with your auditor afterward
Read the management letter carefully
The management letter typically contains: control observations (where the auditor identified weaknesses), efficiency recommendations (where they see improvement opportunities), regulatory compliance comments (where there are concerns), and required communications under audit standards (related party transactions identified, fraud risk, etc.).
Each item is graded high, medium, or low. High items typically require remediation within 30-90 days, medium items within 6 months, and low items within the next financial year. Document the priorities.
Build the action plan
For each finding: what is the root cause, what is the remediation, who owns it, what is the deadline. Document in a single tracker. Review monthly with the finance team and quarterly with the auditor.
Prioritise findings that recur. A first-year finding is often a knowledge gap. A second-year repeat is a process gap, which is more serious. A third-year repeat is a culture gap and should escalate to the board.
Embedding the changes
Document new policies and procedures arising from each finding. Train the finance team on the new approach. Update job descriptions and approval matrices where the responsibility shifts. The finding closes only when the new practice is operational, not just defined.
Test in 6 months: run a sample of transactions through the new process. Confirm the control operates as intended. Pre-empt the next audit's testing of the same area; show the auditor the evidence at the next planning meeting.
Working with your auditor afterward
Schedule a 30-minute call with the audit partner 90 days after audit completion. Walk through the action plan and progress. Ask for their input on prioritisation and approach. The conversation is free, helpful, and signals the seriousness of your remediation.
At next year's audit kickoff, the auditor reviews remediation as part of risk assessment. Findings remediated and tested reduce the risk rating; findings open or recurring increase it. The fee differential between a remediated client and a recurring-finding client is meaningful.
This guide is general information, not professional advice. For situations that involve specific facts, talk to your accountant, or hire one of ours from the marketplace.