Internal audits identify internal control issues and opportunities for efficiencies, and make recommendations to reduce the potential for fraud, even in organizations with strong controls. Management must determine what action, if any, it will take based on the nature of the audit results, potential risks, and the cost and benefits of implementing corrective actions. A corrective action plan comprises step-by-step instructions that are developed to achieve desired outcomes cost effectively, such as addressing a deficiency identified during an internal audit.
Internal auditors should stress to management the importance of developing corrective action plans to address noted weaknesses, especially those with significant impact or materiality. The International Standards for the Professional Practice of Internal Auditing requires internal auditors to follow up on audit issues and evaluate corrective actions, as stated in Standard 2500 – Monitoring Progress and Standard 2500.A1, which says the CAE “must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.”
Internal audit departments may use a system to track audit issues as open or closed. Discussions with management are encouraged to help ensure that risks are fully understood and that potential corrective actions are appropriately considered. Once internal audit concludes that management has provided adequate evidence that a corrective action plan has been fully implemented, or follow-up testing shows necessary improvements, the audit issue can be closed. An understanding of the corrective action plan process promotes an effective audit cycle.
Planning and Development
Many internal auditors use a condition, criteria, cause, effect, and recommendation format in presenting audit findings. Understanding this approach can guide development of a quality corrective action plan.
Condition: What was found during the audit? For example, “A contract employee included expenditures for alcohol on a travel voucher, and it was reimbursed as an expense despite the company policy prohibiting such reimbursement.”
Criteria: What policy, rule, or regulation was violated, such as a company policy on expense reimbursement?
Cause: What is the reason that the violation occurred? Was it lack of employee training regarding expense reimbursement? Lack of management review of invoices? Depending on the nature of the issue, the root cause can be difficult to discern cost effectively.
Effect: What is the impact? For example, how much did the company pay for the inappropriate expense?
Recommendation: What would fix the problem? This should address the cause of the noted condition or the underlying risk with the goal of avoiding reoccurrence of the condition.
Ideally, the audit report should address the root cause or potential causes and underlying risks. However, management may need to obtain additional information in developing corrective action plans. Management should be able to answer:
- What happened?
- What should have happened?
- Where was the process failure and what caused it?
- Were there any contributing factors?
- Who is accountable for the area in which the process failure occurred?
- What was the operating environment in which the failure occurred?
- What are the risks involved, what is the level of urgency, and what resources are available to address this issue?
Once these questions are answered, management can begin to develop the corrective action plan to address audit issues cost effectively and consistent with its risk appetite. Key practices in the corrective action process include:
- Identifying an executive or senior manager to oversee the corrective action plan process and to approve and monitor the corrective action plan. The nature and scope of the audit issue will be a key factor in the selection of the person to serve in this capacity, such as a chief operating officer or human resources director.
- Identifying potential solutions and determining the best choices based on available resources, time, and severity of the issue. It is helpful to document why alternative solutions were not adopted, for example because they were too costly or not feasible because of technological limitations.
- Assigning a manager to develop the corrective action plan and to present the plan for approval to the executive or senior manager with oversight responsibility.
The level of detail and complexity of the corrective action plan can vary widely, though there are important considerations when developing the plan: specific steps that address the root cause; milestones with achievable deadlines and identified lead persons; legal/regulatory requirements; steps for training, policy and procedure updates, testing, etc.; resource needs (e.g., new hires, cost to develop or update procedure manuals, and IT system redesign); and major assumptions and dependencies.
Implementation and Monitoring
Progress toward corrective action plans should be regularly monitored, and explanations for delays or cost overruns should be sought. The plans should be modified when warranted because of changes in systems, resource availability, or other factors. Several practices should be considered:
- Management should maintain a database of all audit issues, or request reports from such a database maintained by internal audit. Status reports regarding corrective action plan steps should be regularly provided to stakeholders, and additional focus should be placed on high-risk areas and those actions that are overdue.
- Once corrective actions have been implemented, management should ensure that any necessary updates to policies and procedures are completed, and that employees are made aware of new procedures or receive training on them.
- Internal audit should coordinate with management about communications regarding remediated audit recommendations. One option would be to request that management develop a package of materials documenting the corrective actions taken. Such a package could be reviewed by internal audit, or be made available during follow-up reviews. In addition, the package could serve as a resource for external auditors performing the annual audit of the financial statements.
A Strong Control Environment
Timely follow-up of audit deficiencies is important to internal auditors as well as management. Such audit deficiencies should be taken seriously, or the organization may suffer consequences. Developing and effectively implementing corrective action plans, and being able to document actions taken, promote a strong control environment. Proactive consideration of the underlying risks and ongoing monitoring by management to ensure that corrective actions remain effective are critical to the corrective action plan process. Follow-up audits by internal audit help ensure accountability and provide management an independent feedback loop.