How Do I … Conduct Follow-up Engagements
In a perfect world, audit clients would implement internal auditors’ recommendations after every engagement, leaving no doubt as to the status of prescribed actions. But in the real world, of course, competing priorities, budget limitations, and other factors often prevent clients from putting recommendations in place. Significant risks may remain unaddressed, exposing that particular area — or even the whole organization — to potential harm.
To comply with professional standards, audit departments need to perform follow-up work. But how formal should the process be? What documentation should be created, and to whom should the results be communicated? How often should follow-up occur? Although these are all questions the CAE must answer, auditors at every level of the department also need to understand the process in the event they are enlisted to participate in follow-up engagements.
PERFORMING THE ENGAGEMENT
An auditor’s follow-up procedures should be tailored to the circumstances and culture of the organization. In a more formal culture, the auditor would begin by sending both the department manager and upper manager an announcement before the follow-up engagement.
Next, the auditor would meet with the department manager to obtain copies of documents pertaining to action-plan implementation. After receiving the documentation, the auditor would need to ascertain whether actions taken by the department adequately mitigate the issue identified and lower the associated risk to a reasonable level. Based on this assessment, the auditor would then determine whether the action plan is complete, still in process, or unaddressed.
In an informal culture, follow-up procedures might entail simply asking appropriate departmental staff and management about the progress of action plans. Based on the information obtained, the auditor can then make a final judgment regarding action-plan status (i.e., complete, still in process, or unaddressed).
Regardless of the specific procedures used, documentation is the most important part of the follow-up process. The documentation should record who was interviewed, the date of each interview, the documents reviewed, and the auditor’s assessment of whether each recommended action plan is complete, still in progress, or unaddressed. If management has not implemented an action plan, the documentation should explain why. It should also indicate how management is mitigating the associated risk in the meantime, or whether management has simply chosen to accept it.
Because follow-up procedures are an integral part of internal audit activities, the CAE should report the results of these procedures to upper management and the board. In a formal culture, the auditor might conclude the engagement by sending written reports to upper management and the board on any open issues. One of these reports would be detailed, listing each issue, its impact, the action plan, the employees responsible for implementation, the current status, and progress notes. The second report would be a summary heat map, similar to the one provided to upper management in the audit follow-up announcement.
In an informal culture, by contrast, the reporting procedures typically would consist of an oral presentation to upper management and the board. Even though the information would be delivered verbally, the presentation’s content must still be documented.
The CAE needs to determine how often follow-up procedures should be conducted. While the appropriate frequency may differ depending on organizational culture, follow-up work generally should be performed often enough to give the CAE, upper management, and the board assurance that the issues and associated risks identified in the audit findings are being mitigated adequately.
Adapted from "Follow-up Engagements" by La Donna Flynn (Internal Auditor, "Back to Basics," December 2007).