Followup Audits Are a Waste of Time!
Internal Auditors – Beware of Your Own Ethical Lapses
September 26, 2022
New Report Calls External Audit Independence The “Big Lie”
October 11, 2022
There’s a Better Way to Monitor Progress
During a recent seminar I was leading in Dubai, the topic of followup audits came up, the frustration in the room was palpable. Attendees were frustrated by often undertaking followup audits only to discover that nothing had been corrected!
I sympathized with my seminar students. As a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?
There were always plenty of excuses from management when the follow-up audits disclosed that “problems had not been corrected”:
- “We underestimated the complexity of the action we agreed to take.”
- “Guess what? Your recommendations were not feasible!”
- “We didn’t realize how long it would take to implement the promised actions.”
- “Circumstances changed, and the actions agreed are no longer valid.”
- “It turned out we didn’t have the resources to correct the problems.”
- “The dog ate our homework, etc.”
I eventually grew to dread follow-up audits because the results were so often disappointing. When I became a chief audit executive (CAE), I seriously questioned the value of follow-up audits altogether. I found them to rarely be an efficient use of internal audit resources. After all, which generated the greatest impact for the organization: forging into new, high-risk areas, or revisiting areas where we dedicated resources only a few months before? Even when we found everything had been corrected, I felt that my limited resources could have been better deployed.
As a government auditor at the time, I didn’t really have a choice whether we did follow-up audits. They were mandated by our professional standards and required by regulations. Fortunately today, The IIA’s International Standards for the Professional Practice of Internal Auditing provide much greater latitude when it comes to follow-up audits. The focus has shifted from outputs (follow-up audits) to outcomes (appropriate disposition of the findings and recommendations in our reports).
The IIA’s Standard 2500: Monitoring Progress addresses internal auditors’ responsibilities concerning disposition of our findings and recommendations. It states:
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Nowhere in the standard do the words “follow-up audit” appear. Instead, the emphasis is on a “follow-up process.” The IIA goes into much greater detail on how such processes can be designed and implemented in the implementation guide for Standard 2500. In designing such a process, the guidance appropriately emphasizes that internal auditors “solicit management’s input on ways to create an effective and efficient monitoring process.” The guidance notes that the monitoring process can be “sophisticated or simple” depending on the size and complexity of the internal audit function and the organization it serves.
The IIA’s guidance clearly offers alternatives to mandatory follow-up audits that many of us labored over in the past. In fact, it states:
“…some CAEs may choose to inquire periodically, such as quarterly, about the status of all corrective actions that were due to be completed in the prior period. Others may choose to perform periodic follow-up engagements for audits with significant recommendations to specifically assess the quality of the corrective actions taken. Others may choose to follow up on outstanding actions during a future audit scheduled in the same area of the organization. The approach is determined based on the adjudged level of risk, as well as the availability of resources.”
As the guidance notes, some CAEs may still choose to perform follow-up audits, particularly for prior findings that signaled significant risks to the organization. I also recognize that, in some instances, management, audit committees, or regulators may want internal audit to undertake routine follow-up audits. In those cases, I recommend a very practical approach before undertaking follow-up audits that ensures the wisest use of internal audit’s scarce resources. Before scheduling a follow-up audit, I would ask myself several questions.
- Has management reported that corrective action is complete? I would never start a follow-up audit without asking management beforehand, “Have you implemented the agreed-upon corrective actions?” If not, we probably need to ask why corrective action is behind schedule, but it’s not yet time for a follow-up engagement. There’s no need for a follow-up audit when you already know something is still “broken.”
- Has management of the area under review ever tried to mislead internal audit about the completeness of corrective action or about other audit issues? If so, that’s a tremendous red flag that clearly warrants a follow-up audit. However, if your client is trustworthy and you have an open, candid working relationship, you might want to rely on their assertion that corrective actions have been implemented. If the issues are particularly high risk, you might still want to follow up on a selective or sample basis to ensure that management’s assertion is correct.
- Was planned corrective action so complex that it was likely to result in unforeseen problems? Controls are most likely to break down when processes are being changed; and when complex changes are being made, further review may be warranted. But if planned corrective actions are relatively straightforward, mistakes are less likely, and a review might not be warranted.
- Are repeat findings likely? If you know your clients well, you may know of a few managers who tend to make the same mistakes or who seem to undervalue the importance of internal controls. When a client is mistake-prone or when they often have repeat findings, the risks are higher. But if operations are well-controlled and the client reports that corrective action is complete, you might be able to skip the follow-up visit.
- Is the followup audit required by the audit committee or by regulation? As noted above, some audit committees insist upon follow-up audits, particularly those with higher risk findings. If the CAE believes this expectation is leading to inefficient use of internal audit resources, I urge a candid conversation with management and the audit committee outlining alternative provisions as outlined in The IIA’s implementation guidance for Standard 2500. But the decision is ultimately the board’s — not ours.
If, after careful assessment, follow-up audits often seem justified, you might want to ask yourself why your organization’s implementation plans keep going astray. Were your recommendations vague? Were you unpersuasive? Did you fail to listen to management or to take their objections seriously? Are recommendations or management action plans unclear or nonspecific? Is there a culture of noncompliance within the organization?
Obviously, it’s better to find repeated mistakes than to overlook them, and sometimes that might mean a follow-up audit is required. But repeat findings are often as much a failure for internal audit as they are for management. If we need follow-up audits often to get the job done, then we need to get to the root cause. It’s better to prevent follow-up failures than to detect them after the fact.
It’s time that we recognize the ultimate objective is not scores of follow-up audits. Instead, the objective is that corrective actions are implemented, and a monitoring system is in place to afford such assurance.
I welcome your thoughts.
There is a Better Way to Monitor Progress
8 Comments
Your thoughts are pretty straightforward. And I agree. I used to use mail/merge to follow up monthly via email with all owners of issues that, according to my records, were not yet closed. Then, if the owner claims the issue is now completed, I considered the options that you describe. For example – Do I trust them on this particular issue? Should I explicitly gather basic evidence of completion? Do I need to actually test again? I did whatever seemed necessary to satisfy me and, by extension, my Audit Committee. Oh – and by the way – the owner of the issue? Their boss(es) were also included in the mail/merge request for the update. So — no surprises.
I cannot put it into numbers but too often the results turn to the excuses exemplified in the article, pretty relevant, by the way. I didn´t realize how open is the Standard 2500, will reflect about it. Great!
Follow up work has somehow become one of the defining parts of my whole career–not that I asked for it! I think all audit issues should stay open until 1) management asserts their responsive action is complete and 2) some sort of validation has taken place. This doesn’t need to be a whole new audit, but should be more than just one person’s assertion.
I’ve found audits of areas previously assessed to be among the most valuable projects, but only if something significant has changed in the process, whether those changes are a result of the previous audit or not. Inherently risky items will come up again year after year. I wouldn’t even call that a re-audit though. I’m talking about a whole new audit with similar objectives.
Ultimately, its their processes that auditors are adding value or controls to and not vice versa. Process should be held accountsble to implementing audit recommendation unless proven otherwise.
Better still to put in the report the auditors assessment of likelihhood of the organisation taking up and acting on the recommended follow-up measures.
I really liked this
If it was said by IA and accepted by management by means of an action plan is management responsibility whether if it was implemented or not
Interesting thoughts and I fully agree with the article. I would focus more on the persuasion angle and ensuring that the auditor in charge agrees with management on the recommendation prior to issuance of the report as final to reduce the instances of repeat findings or the need for follow up audits.
Internal auditors, though independent of the management in discharging their function, are part of the organisation they audit. If the management accepts the audit recommendations, it should be understood that they are taking the responsibility of setting things right, in organisation’s and everyone’s interest.
Non-disposition of audit recommendations that an entity’s top management had assured to implement might open up a new area for examination by auditors, viz., the role played by those charged with governance, audit committee and top management. It might be interesting to examine what those in responsible positions did while not being serious about implementing the audit recommendations, during the intervening period till follow up. If there were no other significant projects or emergent issues to engage their immediate attention and resources during the period, auditors should question the irresponsibility if the perceived risks due to non-compliance continue to be very high. A recommendation for replacement or removal of key officers concerned for dereliction of duty may be made rightaway. After all, it’s a major governance lapse that further weakens the risk and control processes of the organisation.
According to me, the follow up process is required to gather evidence and actually assess the action taken by top management to address the key GRC issues identified and reported earlier, regardless of the assertion or excuse provided by the management.