Most audit organizations dedicate a significant amount of time to planning, scheduling and executing their projects. Traditionally, very little time is left for the reporting phase. When it comes to the follow-up phase of the audit, we tend to hear a variety of reasons why the tail end of the process cannot be properly conducted: "There is no budgeted time left for this audit," "Have to prepare for the next review," "We will come back to this later," etc.
The fact of the matter is that in many cases the follow-up phase is compromised or re-prioritized and eventually done as a check-the-box task. This is concerning because a poor follow-up could lead to reputational and operational risks not being mitigated.
Reputational risks. Once management learns that the audit team is not coming back for a follow-up review, conversation or retesting, the issue owners will most likely lower their guard and reduce efforts to complete remediation plans, if they do them at all. The audit team's reputation might be put at risk if management realizes that all the work put into issuing the audit report with findings and recommendations will have little impact since the audit team will not return for a proper follow-up visit.
Operational risks. As soon as management learns that no follow-up will take place, operations might go back to the way they were before the audit was conducted. This situation could expose the organization to the same control weaknesses that would otherwise remain top of mind if a proper follow-up exercise were scheduled and executed.
Many government audit organizations require follow-up reviews as part of their professional standards.
The Institute of Internal Auditors (IIA) shares guidelines on the follow-up process in its Standard 2500: Monitoring Progress, which addresses internal auditors' responsibilities concerning the disposition of our findings and recommendations. It states: “The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.”
Furthermore, IIA’s Standard 2500.A1 indicates that “The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.”
What might be more beneficial is to stop treating the follow-up process as a full audit that takes limited time and resources away from the internal audit organization. Instead, let’s design strategically targeted follow-up processes for issues and action plans, with the objective of focusing on progress made towards remediation plans.
Follow-up review guidelines
Below are a few tips to adequately manage follow-up reviews:
1-) Start with the end in mind. Incorporate the follow-up strategy during audit planning sessions.
2-) Budget for at least 5% to 10% of your audit time to schedule and execute post-audit reviews.
3-) Train the internal audit staff on how to conduct follow-up reviews. Do not assume all auditors know how to successfully complete an efficient follow-up.
4-) Make sure to review all audit issues found during the audit process. Prioritize the high-risk issues. Remember, prioritizing does not mean forgetting about certain low-impact risks which could be symptoms of larger issues at play.
5-) Document and release a formal communication indicating the outcomes of the follow-up exercise.
The follow-up review should be designed, presented, performed, and perceived, more as a monitoring process to ensure management corrective action plans have been implemented, rather than just another opportunity for management to be audited.
Let’s not forget that the value of the audit recommendations is drastically reduced when there is no monitoring process in place to ensure action plans are executed as intended.