Performing formal, limited-scope follow-up audits on recommendation implementation can yield immense value for internal auditors. The IIA’s International Standards for the Professional Practice of Internal Auditing Standard 2500: Monitoring Progress establishes a follow-up process that reflects the knowledge that once recommendations are made, the matter is not considered closed. The added value comes from resolving the issues identified. Certain high-risk matters would be better served by scheduling specific follow-up engagements. Doing so would allow auditors to verify implementation and determine whether it fixed the problem. Follow-up audits also make the point that internal auditors can return after an audit is completed.
According to Standard 2500, internal audit must have a follow-up process to monitor effective implementation of recommendations by management (or management’s acceptance of the risk for not doing so). Internal audit departments typically address the need for following up on recommendations by remotely monitoring their implementation. The follow-up process should include regular communication on the status of implementation with those the recommendations were addressed to, along with requests for documentation in support of implementation actions. Regular reports showing the number of implemented and open recommendations should be produced, allowing internal auditors to provide this information to management and other stakeholders. In some cases, though, scheduling formal follow-up audits focusing on previous recommendations is called for. It is true that follow-up audits take away resources from potential new audits during the year. However, if planned well and based on a solid risk assessment, follow-up audits can be worth the opportunity cost.
Follow-up audits should focus on answering two main questions. First, were the recommendations implemented? Answering this question through a follow-up audit allows for a more thorough assessment of implementation and is best for high-risk issues. Second, did the implemented recommendations resolve the underlying issues? This second question provides additional information that might not be as discernible with remote monitoring.
Auditors might discover that some recommendations made in good faith did not fully address the root cause. When recommendations are found to be ineffective, more work is required to determine what recommendations might resolve the issue. Management should be involved and see the value in follow-up engagements. The experience also can help improve future audits that encounter similar findings.
Cases for Follow-up Audits
The yearly work planning stage in my previous internal audit position at the United Nations allowed for follow-up audits to be scheduled in addition to the regular remote monitoring that was done. In one instance, follow-up audits were planned for our offices in Haiti and South Sudan. Given the inherent risk prevalent in these countries — such as political turmoil and corruption — the previous audits yielded complex recommendations. To mitigate these risks and help management in those offices, follow-up audits were needed.
In my current position as an internal auditor with the U.S. government, one particular case involves the follow-up audit of a project in Colombia that took place two years after the initial audit. The audit team was able to determine that all of the recommendations were taken seriously, and eight of the nine recommendations were fully implemented and effective. For one recommendation, the department noted that the actions were only partially effective. However, in performing further work, internal audit agreed with management that the recommendations were still practical, realistic, and would address the risk highlighted. The recommendation was therefore reissued in a largely positive report.
There were additional positives noted that were not anticipated or easily quantifiable. Management appreciated the acknowledgement of its efforts, which added a positive incentive for diligent implementation of future recommendations. Moreover, the issuing of a largely positive report seemed to increase the credibility of internal auditors as well.
While audit reports can be positive if few findings are made, the purpose of an audit report is to focus on the findings, associated risks, and actions required to resolve them — which can be seen as mostly negative. If auditors determine that recommendations were implemented and did resolve the issues brought up in the initial audit, a follow-up audit report can focus mostly on positives. If auditors determine recommendations were not implemented, or were not effective, the original recommendations should be reopened or new recommendations should be made.
Organizations that have numerous physical locations will particularly benefit from follow-up audits, as remote monitoring of recommendations can only provide limited evidence to both management and auditors. Follow-up audits allow internal auditors to clearly see whether recommendations were fully implemented in the field. Internal auditors also will be able to assess the strength and practicality of previous recommendations. This is crucial in helping auditors see the importance of recommendation formulation. Auditors also can gain knowledge for future audits with similar findings.
Follow-up audits should be part of an internal audit department’s monitoring of recommendations. Aside from helping to meet the criteria of Standard 2500, follow-up audits add value to the entire organization and improve the skills of internal auditors. More importantly, they hold business units accountable for recommendation implementation that addresses the related risks.