Which of the following is part of the follow-up process to monitor and ensure that management actions have been implemented?

The work of internal audit fails to improve the internal control, risk and governance arrangements if areas it identifies for improvement are not carried through by management.

Audit committee and senior management require assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.

To inform this process and provide the necessary assurance, internal audit should undertake follow up work. The approach to, and frequency of, follow up will vary by organisation, and the internal audit team should agree a follow up protocol with management.

This protocol should consider:

  • if you will use report recommendations or management actions or both
  • how you should deal with partial implementation or work in progress
  • the escalation process for actions not cleared by the agreed date
  • whether you will follow up all recommendations or only those of a particular category or a percentage of actions
  • how to report actions that have been completed, but where internal audit still needs to confirm this by undertaking testing over a period of time
  • who in internal audit can clear the action and whether quality review is needed

Approaches to follow up

There are three main approaches to follow up and clearing actions: 

  1. issue by issue as the due date arrives and internal audit is notified of completion
  2. by undertaking a follow up audit based upon internal audit’s record of recommendations 
  3. by providing assurance over management’s own tracking and reporting of progress to the audit committee

The first approach is timelier and aids continuous reporting to the audit committee but presents a challenge in terms of managing defined internal audit resources and making these available as and when completion is notified.

The second is the more traditional approach and tends to be performed at agreed frequencies. This aids resource planning but is resource intensive and provides a less timely picture of implementation.

The third and preferred option reflects and reinforces the fact that the agreed actions are indeed for management to implement. It puts the monitoring and reporting of progress in management’s court and makes the most efficient use of defined internal audit resources.  

The role of internal audit becomes one of assurance over the accuracy and completeness of reporting by management to the audit committee. It is undertaken at agreed frequencies with internal audit providing opinion to the audit committee over the reliance which may be placed upon management’s reporting. 

If positive assurance cannot be provided to the audit committee then it is likely that internal audit will need to revert to one of the other approaches and work with management to improve their monitoring in the interim until such time as management’s own systems are robust. 

To ensure the action is implemented correctly, internal audit cannot rely on management informing it that this is the case. Internal audit must obtain suitable evidence to confirm this and, where relevant, undertake testing to ensure it is operating effectively.

It is critical not just to ensure the action is complete, but that it has effectively mitigated risk to an acceptable level. The quality and effectiveness of the action must be reviewed.

Progress reporting

Reporting of progress on outstanding actions is vital to both the audit committee and senior management. This reporting should be statistical and should also highlight areas of specific concern and trends.

It should include:

  • actions implemented
  • missed dates and revised dates (particularly if repeatedly revised)
  • actions followed up and cleared by internal audit
  • statistical analysis of status to enable monitoring and achievement of any targets

Who owns this progress reporting will depend upon the approach to follow up adopted above.

IIA IPPF Standard 2500 - monitoring

IIA IPPF Standard 2600 - acceptance of risk

Internal Audit-Action Plan-Implementation-Follow Up-Closed

Purpose

Internal audit reports usually conclude with observations and their proposed recommendations, but that is not the end of the internal audit process. What follows the internal audit is the ‘Follow Up Audits Process’, with the word ‘Audits’ struck through. Why did I strike ‘audits’? Simply because many auditors still believe that follow up is a separate audit. Although I agree that a follow up process can sometimes take as much time as an audit, in testing, gathering evidence and updating the report, it is still not a separate audit. Having said that, I do believe that follow up processes should be included in the audit plan so that staff time can be allocated to the task. Further, this makes operational management aware of the follow up and encourages them to take timely action.

The IIA's Standard 2500: Monitoring Progress addresses internal auditors' responsibilities concerning disposition of findings and recommendations. It states:

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Various factors may have prevented management from implementing the recommendations within the agreed timelines. Most of the time these factors are time, staff and budget constraints, but at times it could also be a complete change in the process, which could make the observation itself obsolete. For example, an observation about inadequacies in the recruitment process becomes obsolete if the whole recruitment process has been outsourced. There is also the possibility that management has decided to accept the risk of not implementing the agreed action plan, considering the risk to be within the tolerable limits of the organization. Nonetheless, internal auditors are responsible for obtaining a clear understanding of the open issues and their closure.

Responsibility

Primarily, management is responsible for resolving the issues raised in internal audit reports and implementing the agreed actions within the agreed timelines. However, internal audit helps the organization track the progress of those actions, contributing to the ultimate goal of internal audit, i.e. to help the organization achieve its objectives.

The Internal Audit department should develop guidelines for the follow up process, including (but not limited to) the following:

  1. Tracking method of the recommendations i.e., either manually or through an internal tracking system
  2. Timing of the follow up processes
  3. Resolution reporting procedures
  4. Follow up for Significant, High, Medium and Low risk issues etc.

Follow up process

  1. In a fully embedded risk management environment: in such an environment, management takes complete responsibility for the action plans and their reporting. A typical example is a ‘Management Report’ to the Audit Committee on a quarterly basis which includes the status of all recommendations/actions arising from both external and internal audits.
  2. Internal tracking system: some companies, although still very few, use an audit tracking system which monitors the recommendations/actions against the target implementation date. When the target date is approaching, an automatic reminder is sent to management as well as to the internal auditor.
  3. Manual follow up: the most widely practised approach, in which a follow up email is sent to the operational department, responsible person or audit liaison officer, who then confirms whether the action has or has not been implemented. The tracking log with updated status is then presented to the audit committee. A basic format for the audit log includes the following:
  • Report name and reference
  • Responsible function/department
  • Observation highlight
  • Agreed action plan
  • Agreed timeline
  • Current Status (Open/Closed/In progress)
  • Reason of the delay (should be provided by the management)
  • Revised timeline (requested by the management)

In addition to the above, an internal audit log report to the audit committee can also include:

  • Previously reported observations with revised timelines due now and their current status
  • Observations for which risk has been accepted by the management
  • Observations which have become obsolete
  • Observations with multiple exceeded timelines
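As an added illustration that is not part of the original post, the following Python model implements the tracking log format listed above and derives from it the audit committee categories just listed, together with the ‘repeatedly revised’ and ‘completed but not yet cleared by internal audit’ cases from the progress reporting section. The field names, the status vocabulary (‘Risk accepted’, ‘Obsolete’), the `cleared_by_ia` flag and the sample entries are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Action:
    """One row of the tracking log; 'cleared_by_ia' and the extra statuses are assumptions."""
    report_ref: str                 # report name and reference
    department: str                 # responsible function/department
    observation: str                # observation highlight
    agreed_action: str              # agreed action plan
    agreed_date: date               # agreed timeline
    status: str = "Open"            # Open / In progress / Closed / Risk accepted / Obsolete
    delay_reason: str = ""          # reason for the delay, provided by management
    revised_dates: list = field(default_factory=list)  # every revised timeline requested
    cleared_by_ia: bool = False     # internal audit has tested and cleared the closure

    def due(self) -> date:
        """The date the action is currently held to: the latest revision, else the agreed date."""
        return self.revised_dates[-1] if self.revised_dates else self.agreed_date

def committee_report(log: list, today: date) -> dict:
    """Group the log into the categories the audit committee report should contain."""
    live = [a for a in log if a.status in ("Open", "In progress")]
    closed = [a for a in log if a.status == "Closed"]
    return {
        "implemented": [a.report_ref for a in closed],
        "cleared_by_internal_audit": [a.report_ref for a in closed if a.cleared_by_ia],
        "closed_awaiting_ia_testing": [a.report_ref for a in closed if not a.cleared_by_ia],
        "missed_dates": [a.report_ref for a in live if a.due() < today],
        "revised_timelines_due_now": [a.report_ref for a in live if a.revised_dates and a.due() <= today],
        "repeatedly_revised": [a.report_ref for a in log if len(a.revised_dates) >= 2],
        "risk_accepted": [a.report_ref for a in log if a.status == "Risk accepted"],
        "obsolete": [a.report_ref for a in log if a.status == "Obsolete"],
        "status_counts": {s: sum(a.status == s for a in log) for s in sorted({a.status for a in log})},
    }

AS_OF = date(2024, 7, 15)  # constructed reporting date
LOG = [  # constructed sample entries, not real findings
    Action("IA-23-04", "HR", "Pre-employment checks not evidenced", "Introduce check sheet",
           date(2023, 9, 30), status="Obsolete", delay_reason="Recruitment outsourced"),
    Action("IA-23-07", "Finance", "Supplier bank changes not reviewed", "Dual authorisation",
           date(2023, 12, 31), status="In progress", delay_reason="Staff shortage",
           revised_dates=[date(2024, 3, 31), date(2024, 6, 30)]),
    Action("IA-24-01", "IT", "Privileged accounts not reviewed", "Quarterly access review",
           date(2024, 3, 31), status="Closed", cleared_by_ia=True),
    Action("IA-24-02", "Facilities", "Visitor log incomplete", "Reception sign-in",
           date(2024, 5, 31), status="Closed"),
    Action("IA-24-03", "Operations", "Spreadsheet-based stock control", "Migrate to system",
           date(2024, 4, 30), status="Risk accepted"),
]
```

Calling `committee_report(LOG, AS_OF)` places the twice-revised, overdue Finance action in three categories at once, which is the pattern the committee most needs to see.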

Critical/High Risk observations

For observations rated critical or posing a high/significant risk, the internal audit department should undertake tests to verify the effectiveness of the action plan implemented. The scope of the tests conducted for follow up varies. Generally, testing the implementation of ‘Low Risk’ or ‘Requires attention’ observations is not necessary; management representation on these is sufficient to provide assurance. However, in certain scenarios such actions can also be tested if there is insufficient evidence to support their closure.

Risk Based Follow Up Approach

In a true risk based follow up approach, it is important for the internal auditor to analyse and report how effective managers are at implementing risk responses. One of the best ways of doing so is to follow up both the issue and its root cause.

The follow up process should consider whether actions have been implemented and whether the identified risks have been adequately managed with the anticipated benefits, and if not, whether the residual exposure is within the identified risk appetite. In general, it should provide objective analysis of how well management understand the scale and priority of their inherent risks, and how effectively they are able to develop a control environment that mitigates risks to acceptable levels.

Follow Up Tests

It is important for organisations to have a good understanding of their risks and how well they are managed. A discrepancy between the reported risk responses and the actual status could mislead those who rely on the information. Internal audit should design the follow up so that sufficient tests are performed to provide objective assurance that management’s response to risk is satisfactory. The follow up work should be effectively targeted to provide independent confirmation that action is being taken and that risks are being managed effectively. The two most important factors which define the level/depth of the tests to be conducted are:

  a. Risk rating/significance/impact of the issue
  b. Collaboration with management

Disagreement with Management on Residual risk

When the Chief Audit Executive (CAE) is of the opinion that a residual risk accepted by management is not acceptable to the organization, the CAE must report the issue to the Audit Committee.

Opinion on the reported findings

Where a report has expressed an opinion on the process reviewed, the internal auditor may be expected to consider whether subsequent improvements in the controls warrant revisiting that opinion.