By Alan Simpson CA
Part of the role of the internal audit function is to follow up on the agreed management action plan based on the audit recommendations, and the completion timescale for implementing them. This article looks at the purpose and importance of the role of that follow-up process.
Why follow up?
An important part of internal audit’s recurrent work is monitoring management actions on the agreed recommendations from the various audit reports issued, and then giving the audit committee (and through it the board) periodic summary updates on:
- Progress made by management on agreed actions.
- Whether appropriate actions have been taken within the previously agreed timescale and whether there has been any slippage.
- If there has been some slippage, what is the reason for this and what is being done to rectify it.
- Any instances where management have subsequently accepted that they will now take the risk by not carrying out the previously agreed action.
A follow up is also needed because one important measure of the effectiveness of the internal audit function is its success in achieving a high implementation rate of recommendations made in audit reports.
The reasons for failure to complete the previously agreed actions could also be explained by budget constraints, staff shortages, competing priorities or the emergence of some other circumstances, such as other improvements in controls, which mean that the original recommendations are no longer relevant.
Guidance on follow up to management actions
The Institute of Internal Auditors (IIA), in their International Standards for the Professional Practice of Internal Audit, have produced guidance on this area in Standard 2500 – Monitoring Progress and in Standard 2600 – Communicating the Acceptance of Risks. This places specific responsibilities on the internal audit team, in particular, the most senior individual in the internal audit function, referred to here as the chief audit executive.
- Standard 2500 (Paragraph 1): The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
- Standard 2500 (Section A1): The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
And where management does not implement agreed actions:
- Standard 2600 (Paragraph 1): When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to an organisation, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
The Standards are mandatory for IIA members. They will also be a useful benchmark for non-members of IIA working in internal audit.
This requires a structure along the lines of the following:
- The organisation’s internal audit charter should summarise the responsibility and duties of the various parties (audit committee, management and internal audit) in the follow-up process.
- Separately, there need to be more detailed instructions establishing:
  - How recommendations and management actions will be tracked.
  - What format of reporting the audit committee requires on the progress made in completing agreed management actions, both on a quantitative basis and in flagging up any areas of concern.
- In addition to the above, there should also be a “protocol” agreed between internal audit and management, and accepted by the audit committee, on the following:
  - How to deal with and report progress on partial implementation of actions.
  - The ranking of outstanding actions by priority (for example by using a pictorial “traffic lights” classification with red as highest priority and green as the lowest) so that senior management and the audit committee can absorb the information quickly.
  - The escalation process needed for actions which are still outstanding and have now passed the previously agreed implementation date.
  - Whether agreed actions are followed up in full or on some sort of sample basis or ranking in importance.
  - Which level of staff within internal audit have the authority to decide whether an agreed action has been satisfactorily implemented.
- In organisations with a large volume of internal audit reports, a database (or other software tool) to automate tracking of the agreed recommendations, implementation deadlines and actual performance achieved to date is desirable, as it makes the administration of the follow-up process more efficient than relying on spreadsheets or even a paper diary.
On the conclusion of an audit assignment, the auditee should be reminded by internal audit of how the subsequent follow-up process works and what to expect. It may be useful to have guidance published on the organisation’s intranet about the process for follow up as part of a guide to internal audit.
Conducting the follow-up
Internal audit cannot wholly rely upon management assurances, either verbal or written, that the agreed actions have been properly implemented; it also needs to obtain additional independent evidence gathered from carrying out work (including sample testing) in order to report back with confidence to the audit committee on what progress has been made since the issue of the original audit report. It goes without saying that this follow-up work must be planned, and the fieldwork properly documented. Internal audit is acting here as the “eyes and ears” of the audit committee. The time needed for follow-up work needs to be built into internal audit’s annual resource planning.
This article was originally published by ICAS.