logo-newlogo-newlogo-newlogo-new
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books
✕
  • Home
  • Chambers on Internal Audit
  • Internal Audit Trends and Priorities
  • Followup Audits Are a Waste of Time!

Followup Audits Are a Waste of Time!

Internal Auditors – Beware of Your Own Ethical Lapses
September 26, 2022
New Report Calls External Audit Independence The “Big Lie”
October 11, 2022
October 4, 2022

There’s a Better Way to Monitor Progress

During a recent seminar I was leading in Dubai, the topic of followup audits came up, the frustration in the room was palpable. Attendees were frustrated by often undertaking followup audits only to discover that nothing had been corrected!

I sympathized with my seminar students. As a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?

There were always plenty of excuses from management when the follow-up audits disclosed that “problems had not been corrected”:

  • “We underestimated the complexity of the action we agreed to take.”
  • “Guess what? Your recommendations were not feasible!”
  • “We didn’t realize how long it would take to implement the promised actions.”
  • “Circumstances changed, and the actions agreed are no longer valid.” 
  • “It turned out we didn’t have the resources to correct the problems.”
  • “The dog ate our homework, etc.”

I eventually grew to dread follow-up audits because the results were so often disappointing. When I became a chief audit executive (CAE), I seriously questioned the value of follow-up audits altogether. I found them to rarely be an efficient use of internal audit resources. After all, which generated the greatest impact for the organization: forging into new, high-risk areas, or revisiting areas where we dedicated resources only a few months before? Even when we found everything had been corrected, I felt that my limited resources could have been better deployed.

As a government auditor at the time, I didn’t really have a choice whether we did follow-up audits. They were mandated by our professional standards and required by regulations. Fortunately today, The IIA’s International Standards for the Professional Practice of Internal Auditing provide much greater latitude when it comes to follow-up audits. The focus has shifted from outputs (follow-up audits) to outcomes (appropriate disposition of the findings and recommendations in our reports).

The IIA’s Standard 2500: Monitoring Progress addresses internal auditors’ responsibilities concerning disposition of our findings and recommendations. It states:

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Nowhere in the standard do the words “follow-up audit” appear. Instead, the emphasis is on a “follow-up process.” The IIA goes into much greater detail on how such processes can be designed and implemented in the implementation guide for Standard 2500. In designing such a process, the guidance appropriately emphasizes that internal auditors “solicit management’s input on ways to create an effective and efficient monitoring process.” The guidance notes that the monitoring process can be “sophisticated or simple” depending on the size and complexity of the internal audit function and the organization it serves. 

The IIA’s guidance clearly offers alternatives to mandatory follow-up audits that many of us labored over in the past. In fact, it states:

“…some CAEs may choose to inquire periodically, such as quarterly, about the status of all corrective actions that were due to be completed in the prior period. Others may choose to perform periodic follow-up engagements for audits with significant recommendations to specifically assess the quality of the corrective actions taken. Others may choose to follow up on outstanding actions during a future audit scheduled in the same area of the organization. The approach is determined based on the adjudged level of risk, as well as the availability of resources.”

As the guidance notes, some CAEs may still choose to perform follow-up audits, particularly for prior findings that signaled significant risks to the organization. I also recognize that, in some instances, management, audit committees, or regulators may want internal audit to undertake routine follow-up audits. In those cases, I recommend a very practical approach before undertaking follow-up audits that ensures the wisest use of internal audit’s scarce resources. Before scheduling a follow-up audit, I would ask myself several questions.

  • Has management reported that corrective action is complete? I would never start a follow-up audit without asking management beforehand, “Have you implemented the agreed-upon corrective actions?” If not, we probably need to ask why corrective action is behind schedule, but it’s not yet time for a follow-up engagement. There’s no need for a follow-up audit when you already know something is still “broken.”
  • Has management of the area under review ever tried to mislead internal audit about the completeness of corrective action or about other audit issues? If so, that’s a tremendous red flag that clearly warrants a follow-up audit. However, if your client is trustworthy and you have an open, candid working relationship, you might want to rely on their assertion that corrective actions have been implemented. If the issues are particularly high risk, you might still want to follow up on a selective or sample basis to ensure that management’s assertion is correct.
  • Was planned corrective action so complex that it was likely to result in unforeseen problems? Controls are most likely to break down when processes are being changed; and when complex changes are being made, further review may be warranted. But if planned corrective actions are relatively straightforward, mistakes are less likely, and a review might not be warranted. 
  • Are repeat findings likely? If you know your clients well, you may know of a few managers who tend to make the same mistakes or who seem to undervalue the importance of internal controls. When a client is mistake-prone or when they often have repeat findings, the risks are higher. But if operations are well-controlled and the client reports that corrective action is complete, you might be able to skip the follow-up visit. 
  • Is the followup audit required by the audit committee or by regulation? As noted above, some audit committees insist upon follow-up audits, particularly those with higher risk findings. If the CAE believes this expectation is leading to inefficient use of internal audit resources, I urge a candid conversation with management and the audit committee outlining alternative provisions as outlined in The IIA’s implementation guidance for Standard 2500.  But the decision is ultimately the board’s — not ours. 

If, after careful assessment, follow-up audits often seem justified, you might want to ask yourself why your organization’s implementation plans keep going astray. Were your recommendations vague? Were you unpersuasive? Did you fail to listen to management or to take their objections seriously? Are recommendations or management action plans unclear or nonspecific? Is there a culture of noncompliance within the organization? 

Obviously, it’s better to find repeated mistakes than to overlook them, and sometimes that might mean a follow-up audit is required. But repeat findings are often as much a failure for internal audit as they are for management. If we need follow-up audits often to get the job done, then we need to get to the root cause. It’s better to prevent follow-up failures than to detect them after the fact.

It’s time that we recognize the ultimate objective is not scores of follow-up audits. Instead, the objective is that corrective actions are implemented, and a monitoring system is in place to afford such assurance.

I welcome your thoughts.

There is a Better Way to Monitor Progress

Share

Related posts

March 20, 2023

New Report Reveals Surprising Insights from Internal Audit Executives


Read more
March 13, 2023

New IIA Report Is a Timely Benchmarking Resource for Internal Auditors


Read more
December 8, 2022

Here Comes 2023! What’s Keeping the C-suite Awake?


Read more

8 Comments

  1. Charles Schrock says:
    October 4, 2022 at 4:05 pm

    Your thoughts are pretty straightforward. And I agree. I used to use mail/merge to follow up monthly via email with all owners of issues that, according to my records, were not yet closed. Then, if the owner claims the issue is now completed, I considered the options that you describe. For example – Do I trust them on this particular issue? Should I explicitly gather basic evidence of completion? Do I need to actually test again? I did whatever seemed necessary to satisfy me and, by extension, my Audit Committee. Oh – and by the way – the owner of the issue? Their boss(es) were also included in the mail/merge request for the update. So — no surprises.

    Reply
  2. Tibe says:
    October 4, 2022 at 5:05 pm

    I cannot put it into numbers but too often the results turn to the excuses exemplified in the article, pretty relevant, by the way. I didn´t realize how open is the Standard 2500, will reflect about it. Great!

    Reply
  3. Steve Sokol says:
    October 4, 2022 at 9:41 pm

    Follow up work has somehow become one of the defining parts of my whole career–not that I asked for it! I think all audit issues should stay open until 1) management asserts their responsive action is complete and 2) some sort of validation has taken place. This doesn’t need to be a whole new audit, but should be more than just one person’s assertion.

    I’ve found audits of areas previously assessed to be among the most valuable projects, but only if something significant has changed in the process, whether those changes are a result of the previous audit or not. Inherently risky items will come up again year after year. I wouldn’t even call that a re-audit though. I’m talking about a whole new audit with similar objectives.

    Reply
  4. Hector says:
    October 5, 2022 at 12:14 am

    Ultimately, its their processes that auditors are adding value or controls to and not vice versa. Process should be held accountsble to implementing audit recommendation unless proven otherwise.

    Reply
  5. Winston says:
    October 5, 2022 at 4:04 am

    Better still to put in the report the auditors assessment of likelihhood of the organisation taking up and acting on the recommended follow-up measures.

    Reply
  6. Maritza Villanueva says:
    October 5, 2022 at 4:12 am

    I really liked this

    If it was said by IA and accepted by management by means of an action plan is management responsibility whether if it was implemented or not

    Reply
  7. Joseph says:
    October 5, 2022 at 2:26 pm

    Interesting thoughts and I fully agree with the article. I would focus more on the persuasion angle and ensuring that the auditor in charge agrees with management on the recommendation prior to issuance of the report as final to reduce the instances of repeat findings or the need for follow up audits.

    Reply
  8. B Sabarinathan says:
    October 10, 2022 at 12:24 pm

    Internal auditors, though independent of the management in discharging their function, are part of the organisation they audit. If the management accepts the audit recommendations, it should be understood that they are taking the responsibility of setting things right, in organisation’s and everyone’s interest.

    Non-disposition of audit recommendations that an entity’s top management had assured to implement might open up a new area for examination by auditors, viz., the role played by those charged with governance, audit committee and top management. It might be interesting to examine what those in responsible positions did while not being serious about implementing the audit recommendations, during the intervening period till follow up. If there were no other significant projects or emergent issues to engage their immediate attention and resources during the period, auditors should question the irresponsibility if the perceived risks due to non-compliance continue to be very high. A recommendation for replacement or removal of key officers concerned for dereliction of duty may be made rightaway. After all, it’s a major governance lapse that further weakens the risk and control processes of the organisation.

    According to me, the follow up process is required to gather evidence and actually assess the action taken by top management to address the key GRC issues identified and reported earlier, regardless of the assertion or excuse provided by the management.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

What’s Trending

03-20-23

New Report Reveals Surprising Insights from Internal Audit Executives


03-13-23

New IIA Report Is a Timely Benchmarking Resource for Internal Auditors


03-02-23

6 Things Audit Committee Members Often Won’t Say to Internal Audit


Read More

Archive

  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • October 2010
  • September 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009
  • March 2009
  • February 2009

Contact Us

PO Box 1441
New Smyrna Beach, FL 32170

+1-407-463-9389
rchambers@richardchambers.com

About AuditBeacon.com

AuditBeacon.com is a resource center for internal auditors and risk professionals from around the world. In addition to more than 500 blogs authored by Richard Chambers, the site includes links to news and insights on internal audit and other information that illuminates the value of this important profession. AuditBeacon.com is provided as a service by Richard F. Chambers and Associates, LLC.

Copyright © 2023 Richard F. Chambers & Associates. All Rights Reserved.
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books