During my early years in the profession as a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?
There were always plenty of excuses from management when the follow-up audits disclosed that “problems had not been corrected”:
I eventually grew to dread follow-up audits, because the results were so often disappointing. When I became a chief audit executive (CAE), I seriously questioned the value of follow-up audits altogether. I found them to be rarely an efficient use of internal audit resources. After all, which generated the greater impact for the organization: forging into new, high-risk areas, or revisiting areas where we dedicated resources only a few months before? Even when we found everything had been corrected, I felt that my limited resources could have been better deployed.
As a government auditor at the time, I didn’t really have a choice whether we did follow-up audits. They were mandated by our professional standards and required by regulations. Fortunately, today The IIA’s International Standards for the Professional Practice of Internal Auditing provide much greater latitude when it comes to follow-up audits. The focus has shifted from outputs (follow-up audits) to outcomes (appropriate disposition of the findings and recommendations in our reports).
The IIA’s Standard 2500: Monitoring Progress addresses internal auditors’ responsibilities concerning disposition of our findings and recommendations. It states:
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Nowhere in the standard do the words “follow-up audit” appear. Instead, the emphasis is on a “follow-up process.” The IIA goes into much greater detail on how such processes can be designed and implemented in the implementation guide for Standard 2500. In designing such a process, the guidance appropriately emphasizes that internal auditors “solicit management’s input on ways to create an effective and efficient monitoring process.” The guidance notes that the monitoring process can be “sophisticated or simple” depending on the size and complexity of the internal audit function and the organization it serves.
The IIA’s guidance clearly offers alternatives to mandatory follow-up audits that many of us labored over in the past. In fact, it states:
“…some CAEs may choose to inquire periodically, such as quarterly, about the status of all corrective actions that were due to be completed in the prior period. Others may choose to perform periodic follow-up engagements for audits with significant recommendations to specifically assess the quality of the corrective actions taken. Others may choose to follow up on outstanding actions during a future audit scheduled in the same area of the organization. The approach is determined based on the adjudged level of risk, as well as the availability of resources.”
As the guidance notes, some CAEs may still choose to perform follow-up audits, particularly for prior findings that signaled significant risks to the organization. I also recognize that, in some instances, management, audit committees, or regulators may want internal audit to undertake routine follow-up audits. In those cases, I recommend a very practical approach before undertaking follow-up audits that ensures the wisest use of internal audit’s scarce resources. Before scheduling a follow-up audit, I would ask myself several questions.
If, after careful assessment, follow-up audits often seem justified, you might want to ask yourself why your organization’s implementation plans keep going astray. Were your recommendations vague? Were you unpersuasive? Did you fail to listen to management or to take their objections seriously? Are recommendations or management action plans unclear or nonspecific? Is there a culture of noncompliance within the organization?
Obviously, it’s better to find repeated mistakes than to overlook them, and sometimes that might mean a follow-up audit is required. But repeat findings are often as much a failure for internal audit as they are for management. If we need follow-up audits often to get the job done, then we need to get to the root cause. It’s better to prevent follow-up failures than to detect them after the fact.
It’s time that we recognize the ultimate objective is not scores of follow-up audits. Instead, the objective is that corrective actions are implemented and a monitoring system is in place to afford such assurance.
As always, this blog represents my opinions and should not be substituted for The IIA’s formal guidance. But I hope it will provoke you to rethink any outdated processes you may have in place.
I welcome your thoughts.