I recently consulted with a client who asked me to carry out a follow-up audit. Following up to evaluate how management has implemented previous recommendations and action plans is a critical component of any internal audit team’s programme. This is easier said than done, in practice!
This article seeks to dispel some of the mystery surrounding follow-up audits. It’s applicable to any organisation’s C-suite as much as it is for professional internal auditors.
Conflicting priorities, fiscal constraints and other issues often inhibit management from implementing action plans that they’ve previously agreed. Failing to address these issues will almost certainly continue to expose an organisation to the same risks.
Accountability for the follow-up
Management are ultimately responsible for managing the action plans that they’ve agreed in order to resolve risk exposures. Internal auditors monitor the progress made towards this objective. The extent to which management has implemented the recommendations can often be a useful benchmark of how management perceives Internal Audit. It’s also a useful barometer to help assess an organisation’s attitude to its internal control environment.
Follow-up audits are an extension of a typical internal audit engagement. They still require careful planning and close dialogue with management. Well scripted terms of reference remain critical to avoid misunderstandings about the follow-up audit’s objectives and scope. Internal auditors must be clear on whether they’ll re-perform previous work or whether they’ll focus on evaluating management’s progress.
International Standards for the Professional Practice of Internal Auditing
The Institute of Internal Auditors (IIA) has issued “International Standards for the Professional Practice of Internal Auditing.” Whilst the IIA acknowledges that it’s important to follow up on management’s agreed action points, the standards are not overly prescriptive. As a business risk professional, I believe that it’s important that internal auditors strike a practical balance between adhering to the standards and remaining flexible. They should ensure that management either accepts the risk of not implementing a recommendation or has implemented it (or is making progress towards implementing it).
The Internal Audit Department’s annual audit plan will typically include time to carry out follow-up activities. It’s not uncommon to allocate 15% to 20% of the department’s time to such activities. The nature and frequency of follow-up activities will often depend on whether an organisation has embedded a risk management framework. I have been pleased to see many internal auditors work closely with risk managers who record the progress of outstanding audit issues. In these organisations, risk managers frequently circulate reports to interested stakeholders (audit committees, executive management, etc.). Internal auditors then independently verify a selection of recommendations using a risk-based approach.
Naturally, there will be times when difficulties arise during a follow-up. If the original recommendations and management responses are ambiguous, it can be difficult to determine the status of action plans. A good recommendation will be descriptive enough for management to either agree or disagree with it. How and when management intends to implement the recommendation should generally have been discussed with management prior to circulating a final report.
Internal auditors would benefit from adopting a SMART approach when preparing recommendations. Failing to do so inevitably leads to issues later. Recommendations and management’s action plans that are Specific and Measurable, as well as Actionable and Relevant will typically result in less ambiguity. They should also include an appropriate Time-frame.
Focus on high priority risks
In my opinion, follow-up activities should focus on using a risk-based approach. It’s almost certain that board committees and executive management want to be informed about and understand the “show-stoppers”. A risk-based approach will help management to focus and allocate the right level of resources to address risks.
I don’t believe that internal auditors adopt a “one-size-fits-all” approach when carrying out a follow-up audit. I’ve consulted with organisations that follow up recommendations classified as high risk every month, and internal auditors seek evidence to support management’s progress. I’ve also seen internal auditors who review an entire process or department if the audit conclusion is that internal controls are weak (or no assurance can be given). Of course, internal auditors should not overlook lower-level risks and recommendations – it’s just that they may be reviewed less frequently and with less rigour.
Such a framework requires systems. I’ve seen spreadsheet databases being used, emails sent to management, and more sophisticated software used to help log and track the status of management’s action plans. Custom-made or off-the-shelf software solutions are more typically used in larger organisations or where teams are geographically dispersed. Many software solutions also have follow-up functionality built into them (for example, automated email prompts) to alert management to record updates.
Many organisations I work with adopt some sort of process to report progress to line management. But they don’t always use it to report to management. In the majority of follow-up audits I’ve been involved in, we use these reports as a starting point for the review. In this way, we seek to minimise duplication and help focus and prioritise our audit activity.
In many organisations I have consulted with, reports are distributed to all tiers of management. In such organisations, management actively review progress themselves. Recommendations are only archived when management is satisfied that the issues have been fully resolved or the recommendations fully implemented. This is generally a positive sign that management takes these activities seriously, and it allows internal auditors more time to focus on other activities.
When evaluating management’s response and action, internal auditors should discuss any areas of concern with management. Depending on the nature of the risk, the internal auditor’s concerns should be escalated to the audit committee. Internal auditors should consider and tailor how they present their reports to audit committees. If management provides separate status reports, internal auditors should seek to eliminate or reduce duplication. Reports should clearly annotate the internal auditor’s view on the recommendations that have been implemented, as well as those that haven’t. Management’s proposed implementation dates, and any issues or action plans that have become obsolete, should be carefully evaluated and included.
Results from the follow-up audit should drive and schedule future annual audit activities. I’ve consulted with many clients who set policies that demand that an entire process or department is re-evaluated if an “unsatisfactory” audit conclusion was given. Equally, I’ve seen many that insist that the status of high-level risks is reported monthly.
The benefits of conducting a follow-up should never be underestimated. It’s an essential part of a continuous internal audit programme and helps ensure that management has taken appropriate remedial action. If issues remain unresolved, the same issues will continually be raised and expose an organisation to the same risks. Without doubt, the follow-up audit remains a valuable tool in the internal auditor’s armoury.
Mark Gwilliam FCCA MIIA
Mark’s internal audit career began with Barclays Group Internal Audit in 1997. He moved to New Zealand in 2001 and, as a Senior Manager/Associate Director with Arthur Andersen and KPMG, continued to focus on business risk services. He remains a leading internal audit and risk professional and is currently Director of Business Risk Services at Chakra Partners. His portfolio of risk management and internal audit assignments has included: banking & financial services, the health sector, shared services, contact centres, and consulting with board committees.