During my early years in the profession as a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?
There were always plenty of excuses from management when the follow-up audits disclosed that "problems had not been corrected":
- "We underestimated the complexity of the action we agreed to take."
- "We didn't realize how long it would take to implement the promised actions."
- "Circumstances changed, and the actions agreed are no longer valid."
- "It turned out we didn't have the resources to correct the problems."
- "The dog ate our homework, etc."
I eventually grew to dread follow-up audits, because the results were so often disappointing. When I became a chief audit executive (CAE), I seriously questioned the value of follow-up audits altogether. I found them to be rarely an efficient use of internal audit resources. After all, which generated the greatest impact for the organization: forging into new, high-risk areas, or revisiting areas where we dedicated resources only a few months before? Even when we found everything had been corrected, I felt that my limited resources could have been better deployed.
As a government auditor at the time, I didn't really have a choice whether we did follow-up audits. They were mandated by our professional standards and required by regulations. Fortunately, today The IIA's International Standards for the Professional Practice of Internal Auditing provide much greater latitude when it comes to follow-up audits. The focus has shifted from outputs (follow-up audits) to outcomes (appropriate disposition of the findings and recommendations in our reports).
The IIA's Standard 2500: Monitoring Progress addresses internal auditors' responsibilities concerning disposition of our findings and recommendations. It states:
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Nowhere in the standard do the words "follow-up audit" appear. Instead, the emphasis is on a "follow-up process." The IIA goes into much greater detail on how such processes can be designed and implemented in the implementation guide for Standard 2500. In designing such a process, the guidance appropriately emphasizes that internal auditors "solicit management's input on ways to create an effective and efficient monitoring process." The guidance notes that the monitoring process can be "sophisticated or simple" depending on the size and complexity of the internal audit function and the organization it serves.
The IIA's guidance clearly offers alternatives to mandatory follow-up audits that many of us labored over in the past. In fact, it states:
"…some CAEs may choose to inquire periodically, such as quarterly, about the status of all corrective actions that were due to be completed in the prior period. Others may choose to perform periodic follow-up engagements for audits with significant recommendations to specifically assess the quality of the corrective actions taken. Others may choose to follow up on outstanding actions during a future audit scheduled in the same area of the organization. The approach is determined based on the adjudged level of risk, as well as the availability of resources."
As the guidance notes, some CAEs may still choose to perform follow-up audits, particularly for prior findings that signaled significant risks to the organization. I also recognize that, in some instances, management, audit committees, or regulators may want internal audit to undertake routine follow-up audits. In those cases, I recommend a very practical approach that ensures the wisest use of internal audit's scarce resources before any follow-up audit is undertaken. Before scheduling a follow-up audit, I would ask myself several questions.
- Has management reported that corrective action is complete? I would never start a follow-up audit without asking management beforehand, "Have you implemented the agreed-upon corrective actions?" If not, we probably need to ask why corrective action is behind schedule, but it's not yet time for a follow-up engagement. There's no need for a follow-up audit when you already know something is still "broken."
- Has management of the area under review ever tried to mislead internal audit about the completeness of corrective action or about other audit issues? If so, that's a tremendous red flag that clearly warrants a follow-up audit. However, if your client is trustworthy and you have an open, candid working relationship, you might want to rely on their assertion that corrective actions have been implemented. If the issues are particularly high risk, you might still want to follow up on a selective or sample basis to ensure that management's assertion is correct.
- Was planned corrective action so complex that it was likely to result in unforeseen problems? Controls are most likely to break down when processes are being changed; and when complex changes are being made, further review may be warranted. But if planned corrective actions are relatively straightforward, mistakes are less likely and a review might not be warranted.
- Are repeat findings likely? If you know your clients well, you may know of a few managers who tend to make the same mistakes or who seem to undervalue the importance of internal controls. When a client is mistake-prone or when they often have repeat findings, the risks are higher. But if operations are well-controlled and the client reports that corrective action is complete, you might be able to skip the follow-up visit.
- Is the follow-up audit required by the audit committee or by regulation? As noted above, some audit committees insist upon follow-up audits, particularly those with higher risk findings. If the CAE believes this expectation is leading to inefficient use of internal audit resources, I would urge a candid conversation with management and the audit committee outlining alternative provisions as outlined in The IIA's implementation guidance for Standard 2500. But the decision is ultimately the board's — not ours.
If, after careful assessment, follow-up audits often seem justified, you might want to ask yourself why your organization's implementation plans keep going astray. Were your recommendations vague? Were you unpersuasive? Did you fail to listen to management or to take their objections seriously? Are recommendations or management action plans unclear or nonspecific? Is there a culture of noncompliance within the organization?
Obviously, it's better to find repeated mistakes than to overlook them, and sometimes that might mean a follow-up audit is required. But repeat findings are often as much a failure for internal audit as they are for management. If we need follow-up audits often to get the job done, then we need to get to the root cause. It's better to prevent follow-up failures than to detect them after the fact.
It's time that we recognize the ultimate objective is not scores of follow-up audits. Instead, the objective is that corrective actions are implemented and a monitoring system is in place to afford such assurance.
As always, this blog represents my opinions and should not be substituted for The IIA's formal guidance. But I hope it will provoke you to rethink any outdated processes you may have in place.
I welcome your thoughts.