[UPDATED JANUARY 2024]
Recently I consulted with a client who tasked me with conducting an audit follow-up.
Assessing how management implements previous recommendations and action plans influences an internal audit team’s program. However, accomplishing this in practice is easier said than done!
This article dispels some mystery surrounding a follow-up audit. It is relevant to any organisation’s C-suite as much as it is for professional internal auditors.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations – IIA
Conflicting priorities and fiscal constraints frequently hinder management from implementing previously agreed-upon plans.
An organisation will almost certainly continue to face the same risks when issues remain unaddressed.
Accountability for the follow-up
Ultimately, accountability for implementing the action plans that management agreed to in order to mitigate exposure lies with management.
Internal auditors will monitor the progress made towards this.
The manner in which management implements recommendations provides a useful benchmark for Internal Audit. It is a barometer of management’s attitude towards internal controls.
Follow-up audits are extensions of internal audit engagements. They require careful planning and close dialogue with management.
Clear terms of reference are critical as they prevent misunderstandings about the objectives and scope of the follow-up audit.
Internal auditors need to clarify whether they’ll re-perform previous work or focus on evaluating management’s progress.
International Standards for the Professional Practice of Internal Auditing
The Institute of Internal Auditors (IIA) issues “International Standards for the Professional Practice of Internal Auditing.”
While the IIA acknowledges the importance of following up on management’s agreed action points, the standards do not prescribe specific actions.
Internal audit staff should balance following these standards with remaining flexible.
It is imperative that they ensure management has either implemented each recommendation, is actively working on it, or has formally accepted the risk of not implementing it.
An Internal Audit Department’s annual plan typically includes a budget to complete follow-up audit activities. Allocating 15% to 20% to such activities is not uncommon.
Whether management has embedded a risk management framework often determines the nature and frequency of follow-up activities.
Internal Audit helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
It’s encouraging to see many internal auditors working closely with risk managers, who record the progress of outstanding audit issues. Risk managers frequently circulate reports to audit committees, executive management, etc.
Subsequently, internal auditors should verify a selection of recommendations using a risk-based approach.
Naturally, difficulties may arise during a follow-up audit. If the original recommendations and management responses are ambiguous, determining the status of action plans may be difficult.
Effective recommendations should provide enough detail for management to make informed decisions. Management should agree on the timing and method of implementing recommendations before auditors finalise their reports.
The SMART framework
When preparing recommendations, internal auditors should adopt a SMART approach. Neglecting to do this can cause issues later.
Recommendations and management’s action plans should be Specific, Measurable, Actionable and Relevant. This will reduce ambiguity. Additionally, they should include an appropriate Time-frame.
Focusing on High-Priority Risks
Auditors should adopt a risk-based approach for follow-up audit activities. Board committees and executive management almost certainly want to know about and understand “show-stoppers”.
Senior management should use a risk-based approach to focus and allocate the right level of resources to address risks.
In most organisations I have worked with, monthly follow-up audits are conducted on all recommendations classified as high risk. Subsequently, Internal Audit staff seek evidence to support management’s progress.
It’s common for internal auditors to review an entire process or department when they conclude that internal controls are weak.
Internal audit is not just about compliance, it’s about adding value to an organisation by providing insights, assurance, and recommendations for improvement.
While internal auditors shouldn’t overlook low-level risks and recommendations, they may review them less frequently and with less rigour.
Implementing such a framework necessitates systems. At a basic level, organisations utilise spreadsheet databases and send emails to management. In some cases, more sophisticated software is employed to log and track the status of management’s action plans.
Larger organisations, or those with geographically dispersed teams, use custom-made or off-the-shelf software solutions.
Numerous software solutions include follow-up audit functionality that prompts management to document their updates. For instance, they use automated email prompts to follow up on agreed action plans.
Reporting the Audit Follow Up
Several organisations I have worked with adopt processes to report progress to line management. Nevertheless, these processes aren’t always utilised to report to senior management.
In most follow-up audits I’ve been involved in, I have used these reports as a starting point. This approach minimises duplication and prioritises audit activity.
Circulating and Reporting the Audit Follow Up
Most organisations distribute reports to all tiers of management. In such organisations, management actively reviews progress.
Management will only archive recommendations that they conclude have been fully resolved. This practice generally indicates that they take these activities seriously.
This practice allows internal auditors more time to focus on other activities.
Internal auditors are the eyes and ears of an organisation, uncovering risks, identifying opportunities, and promoting accountability and transparency
When evaluating management’s response and actions, internal auditors should discuss areas of concern with management. Severe risks and concerns should be escalated to senior management and audit committees.
Audit staff will try to eliminate or to reduce duplication when management have prepared suitable status reports. Auditors should indicate their view of the issues that management have implemented, as well as those that they haven’t.
Internal audit will scrutinise management’s proposed implementation dates and action plans for any obsolete processes.
Audit teams will use the results from the follow-up audit to drive and schedule future annual audit activities.
Policies and Reporting the Audit Follow Up
Many clients set their own policies concerning follow-up audits. They invite internal auditors to re-evaluate entire processes or departments when “unsatisfactory” audit conclusions are given. Similarly, many insist on reporting the status of high-level risks at appropriate time periods.
However, audit professionals should never underestimate the benefits of conducting a follow-up audit. It is an essential part of a continuous internal audit programme. The follow-up audit helps ensure that management has taken appropriate remedial action.
The same risks will continue to expose an organisation if they remain unresolved. Therefore, the follow-up audit undoubtedly remains a valuable tool in the internal auditor’s arsenal.
Mark Gwilliam FCCA
Mark’s internal audit career began with Barclays Group Internal Audit in 1997.
In 2001, he relocated to New Zealand and continued to specialise in business risk services. He enjoyed roles as a Senior Manager with Arthur Andersen and as an Associate Director with KPMG.
He remains a prominent figure in the field of internal audit and risk management. He currently serves as the Director of Business Risk Services at Chakra Partners.
Throughout his career, Mark has managed a diverse portfolio of risk management and internal audit assignments. His experience spans banking and financial services, healthcare, shared services, contact centres, and consulting with board committees.
Excellent comments Mark. It is often more difficult when an audit client already has a negative opinion towards auditing or auditors! After holding exit interviews, my team and I suggest that we help them to improve a particular process and schedule an advisory engagement instead of an audit. There are also times when we postpone an audit and review and track progress.
I totally agree with your idea that follow ups are an essential audit activity. As internal auditors, we must continue to develop and foster relationships where our audit customers feel comfortable to communicate with us. We might not always be welcomed with open arms but we must try.
The Internal Auditor conducts impartial assessments of financial and operational processes, risk management, and compliance. They report findings to the Board of Directors or Audit Committee, guiding actions based on recommendations. Crucially, they detect and prevent fraud, investigating suspicious activities and enhancing anti-fraud measures. Additionally, they scrutinize financial transactions for accuracy and compliance with standards and regulations.