Which of the following is part of the follow-up process to monitor and ensure that management actions have been implemented?
The work of internal audit fails to improve internal control, risk management and governance arrangements if the areas it identifies for improvement are not carried through by management. The audit committee and senior management require assurance that the actions agreed in internal audit reports have been implemented correctly, within the timescales originally offered by management, and that controls are now managing risk more effectively. To inform this process and provide the necessary assurance, internal audit should undertake follow up work. The approach to, and frequency of, follow up will vary by organisation, and the internal audit team should agree a follow up protocol with management. This protocol should consider:
Approaches to follow up
There are three main approaches to follow up and clearing actions:
The first approach is timelier and aids continuous reporting to the audit committee, but presents a challenge in terms of managing defined internal audit resources and making these available as and when completion is notified. The second is the more traditional approach and tends to be performed at agreed frequencies. This aids resource planning but is resource intensive and provides a less timely picture of implementation. The third and preferred option reflects and reinforces the fact that the agreed actions are indeed for management to implement. It puts the monitoring and reporting of progress in management's court and makes the most efficient use of defined internal audit resources. The role of internal audit becomes one of assurance over the accuracy and completeness of management's reporting to the audit committee. It is undertaken at agreed frequencies, with internal audit providing an opinion to the audit committee on the reliance that may be placed upon management's reporting. If positive assurance cannot be provided to the audit committee, it is likely that internal audit will need to revert to one of the other approaches and work with management to improve their monitoring in the interim, until management's own systems are robust.

To ensure an action has been implemented correctly, internal audit cannot rely on management simply informing it that this is the case. Internal audit must obtain suitable evidence to confirm implementation and, where relevant, undertake testing to ensure the control is operating effectively. It is critical not just to ensure the action is complete, but that it has effectively mitigated the risk to an acceptable level. The quality and effectiveness of the action must be reviewed.

Progress reporting
Reporting of progress on outstanding actions is vital to both the audit committee and senior management. It should be both statistical and highlight areas of specific concern and trends. It should include:
Who owns this progress reporting will depend upon the approach to follow up adopted above.

IIA IPPF Standard 2500 - monitoring
IIA IPPF Standard 2600 - acceptance of risk

Internal Audit-Action Plan-Implementation-Follow Up-Closed

Purpose
Internal audit reports usually conclude with observations and their proposed recommendations, but the internal audit process does not end there. What follows is the 'Follow Up Audits Process', with the word 'Audits' struck out. Why did I strike it out? Simply because many auditors still believe that follow up is a separate audit. Even though I agree that a follow up can sometimes take as much time as an audit in testing, gathering evidence and updating the report, it is still not a separate audit. Having said that, I do believe that follow up work should be included in the audit plan so that the time staff will spend on it is anticipated. This also makes operational management aware of it and encourages timely action.

The IIA's Standard 2500: Monitoring Progress addresses internal auditors' responsibilities concerning the disposition of findings and recommendations. It states:

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Various factors may have prevented management from implementing the recommendations within the agreed timelines. Most of the time these are time, staff and budget constraints, but at times there may have been a complete change in the process that makes the observation itself obsolete. For example, an observation about inadequacies in the recruitment process becomes obsolete if the whole recruitment process has been outsourced.
There is also a possibility that management has decided to accept the risk of not implementing the agreed action plan, considering the risk to be within the tolerable limits of the organization. Nonetheless, internal auditors are responsible for obtaining a clear understanding of the open issues and their closure.

Responsibility
Primarily, management is responsible for resolving the issues raised in internal audit reports and implementing the agreed actions within the agreed timelines. However, internal audit helps the organization track the progress of those actions, contributing to the ultimate goal of internal audit, i.e. to help the organization achieve its objectives. The internal audit department should develop guidelines for the follow up process, including (but not limited to) the following:
Follow up process
In addition to the above, an internal audit log report to audit committee can also include
Critical/High Risk observations
For observations rated critical or posing a high/significant risk, the internal audit department should undertake tests to verify the effectiveness of the action plan implemented. The scope of the tests conducted for follow up varies. Generally, testing the implementation of 'Low Risk' or 'Requires attention' observations is not necessary; management's representation on the same is sufficient to provide assurance. However, in certain scenarios such actions can also be tested, for instance where there is insufficient evidence to support their closure.

Risk Based Follow Up Approach
In a true risk based follow up approach, it is important for the internal auditor to analyse and report how effective managers are at implementing risk responses. One of the best ways of doing so is to follow up both the issue and its root cause. The follow up process should consider whether actions have been implemented and whether the identified risks have been adequately managed with the anticipated benefits, and if not, whether the residual exposure is within the identified risk appetite. In general, it should provide objective analysis of how well management understands the scale and priority of its inherent risks, and how effectively it is able to develop a control environment that mitigates risks to acceptable levels.

Follow Up Tests
It is important for organisations to have a good understanding of their risks and how well they are managed. A discrepancy between reported risk responses and the actual status could mislead those who rely on the information. Internal audit should design the follow up so that sufficient tests are performed to provide objective assurance that management's response to risk is satisfactory. The follow up work should be effectively targeted to provide independent confirmation that action is being taken and that risks are being managed effectively.
The two most important factors that define the level/depth of the tests to be conducted are:
a. Risk rating/significance/impact of the issue
b. Collaboration with the management

Disagreement with Management on Residual risk
When the Chief Audit Executive (CAE) is of the opinion that a residual risk accepted by management is not acceptable to the organization, the CAE must report the issue to the Audit Committee.

Opinion on the reported findings
Where reports have expressed an opinion on the process reviewed, the internal auditor may be expected to consider whether subsequent improvements in the control warrant revisiting that opinion.