BACK TO BASICS - Audit Issue Follow-Up

October 9th 2020

As a rookie in internal auditing, after years in IT operations and IT security, I performed reasonably well in the first audit I led and identified some control areas that management should strengthen. I was excited, since the skills and experience acquired in my previous roles proved that my hiring manager had made the right call. Then I found out that the audit job was not complete: I was required to follow up the audit issues identified until they were rectified according to the recommendations or the management action plans. Fine, I thought, a job is a job.

As time went by, I realized that in practice, audit issue follow-up often leads to disappointment and tension between auditors and auditees, challenges in resource allocation within the internal audit function, and confusion over the ownership of an audit issue. Typical excuses from management when audit issues are not rectified on time include:

"We have other priorities.";

"We do not have the support from other parties.";

"We can no longer fulfill the actions due to change of circumstances.";

"We do not understand what needs to be done since the original issue owner has already left."

Do they sound familiar to you? [1] For those of you who are chief audit executives (CAEs), what is even worse is the requirement to report open and/or overdue audit issues to the Audit Committee (AC), which indirectly pressures internal audit to "close" the agreed actions before the due dates or the AC meeting.

So what can we do? The following two thoughts may be helpful.

Audit Methodology

To begin with, it is always a good idea to go back to basics and reinforce the understanding of the roles and responsibilities of an auditor (or an internal audit function) with respect to audit issue follow-up. The Institute of Internal Auditors (IIA) Standard 2500, Monitoring Progress, which addresses internal auditors' responsibilities concerning the disposition of findings and recommendations, stipulates that the CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. [2]

Two important messages can be drawn from this standard.

  1. First, the CAE must establish a follow-up process, not undertake a follow-up audit, which implies that the CAE has flexibility in handling the matter. He or she can develop the process and amend it from time to time depending on factors such as the resources available to the internal audit function, the risk ratings of audit issues, and the concerns of stakeholders. A robust and transparent follow-up process is vital to ensure that stakeholders, ranging from audit issue owners and the chief executive officer to members of the audit committee, understand each other's roles and responsibilities (including consequences, if applicable). The key here is that the CAE should manage the AC's expectations, so that reporting overdue or open audit issues does not in itself create pressure.
  2. Second, and perhaps more important than the first, is the part after the word "or": that senior management has accepted the risk of not taking action. Strangely enough, I seldom see an option within a company's audit methodology that allows senior management to accept the risks identified by internal audit, or see such an option exercised. I trust we all agree that whenever a business is up and running, it exposes itself to certain kinds of risk, and whether to accept such risks is a decision for senior management. Furthermore, nowhere in the typical mission or definition of internal auditing is it suggested that all issues identified by internal audit must be remediated. Of course, this risk acceptance process should be carefully defined and reviewed regularly by stakeholders. [3]

Recommendation or Management Action Plan

How often do you see that the lead time to remediate an audit issue of higher risk is longer than that of an audit issue with a lower risk rating? A fair answer is that it is not uncommon. I have seen audit findings that were given the highest rating available but were still being remediated after two years! Occasionally, there were cases where a number of long-overdue audit issues were consolidated into one. It is rather difficult to imagine how a company can be exposed to a "high" risk finding for a prolonged period of time without suffering actual harm. There are three plausible explanations I can think of:

Firstly, an inaccurate risk rating was assigned to the audit issue.

Secondly, senior management has no urgency to remediate the audit findings concerned due to other considerations. If this is the case, why not trigger the risk acceptance process instead of spending time liaising with management on closure?

Thirdly, internal audit may be trying too hard to see through the implementation of a "perfect" solution to an audit issue uncovered during assurance work. This often leads to the inclusion of both "interim or short-term" and "long-term" solutions, the latter typically involving process or control automation. The world we operate in is one of constant change in business operations, adapting to rapid changes in technology and to unforeseen global events. The challenge, therefore, is how internal audit or senior management can justify the investment in a "long-term" solution when a "short-term" fix is already in place. Undoubtedly an automated control has advantages over a manual control in terms of sustainability and repeatability, but it should be noted that the deployment of IT systems incurs additional investment of resources, including time, and introduces new control points of its own. Thus the key question is whether it is worthwhile for internal audit to insist on completion of the "long-term" fix to an audit issue.


CONCLUSION

Take reference from what reputable professional institutes say about the roles and responsibilities of internal audit, and understand the expectations of your stakeholders. Amend your follow-up approach accordingly, including how open audit issues are reported where necessary, with practicality and resource constraints in mind. Finally, when developing a recommendation or management action plan, focus on whether an action can immediately address the risk rather than on a "long-term" solution.

Your thoughts are welcome.


REFERENCE

  1. https://iaonline.theiia.org/blogs/chambers/2019/Pages/The-Fallacy-of-Follow-up-Audits.aspx
  2. https://na.theiia.org/standards-guidance/Public%20Documents/IPPF%202013%20English.pdf
  3. https://www.corporatecomplianceinsights.com/whose-risk-is-it-anyway-when-management-says-no-to-internal-audit/

Author: Ellis Wong