How Do I … Plan for Follow-up Testing?
Auditors perform follow-up testing procedures to determine whether management has addressed corrective actions identified in audit reports. While the timing and extent of follow-up testing vary based on the audit, Standard 2500: Monitoring Progress from The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) requires chief audit executives (CAEs) to establish and maintain a follow-up process for their audit engagements. Examining management’s responses to corrective actions, communicating effectively to enhance understanding of remediation efforts, and sharing auditor expectations for follow-up testing during reporting can increase the likelihood of successful follow-up.
Auditors should evaluate management’s responses to audit report comments to ensure corrective action plans address the audit recommendations and mitigate risk effectively. For an audit comment stating there are no control procedures to ensure transactions are recorded to the general ledger account accurately, completely, and timely, a management response that provides details of the reconciliation procedures that are effective in achieving the control objectives (i.e., accurately, completely, and timely) and mitigating the risk is considered well designed. A management response that includes a detailed action plan, lists the employees responsible for completing the corrective action, and establishes a reasonable completion date demonstrates a carefully considered remediation plan as well as management’s commitment to addressing the audit recommendations.
The auditor should ensure all stakeholders receive final communication of the reportable findings and management responses resulting from the review. Normally, the identified issues are reported to members of management responsible for managing the associated risks and controls. In some cases, however, issues identified during the review may affect management from another business unit.
The closing meeting affords management the opportunity to discuss the reported results and finalize the audit engagement. Meeting attendees typically should include line and executive management. While line management is knowledgeable about and familiar with the audit results, this may be the first opportunity for executive management to review the results. This meeting can allow the auditor to summarize the audit results and outline the follow-up testing expectations and process.