Resolving internal audit findings
Do you have a system that monitors how internal audit findings are resolved?
The Institute of Internal Auditors (IIA) standards state, “The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.”
Monitoring the resolution of internal audit findings and recommendations should be included in your organization’s internal audit plan, and it should be thought of as a significant control step in any internal audit activity.
Why it’s so important to resolve findings
If findings are not addressed and appropriately resolved by management, and there is inadequate follow-up, the internal audit activity could be perceived as irrelevant. No real improvements occur as a result of recommendations, so internal audit comes off as not adding value to the organization.
From an internal audit perspective, it’s your management’s responsibility to ensure internal audit findings are adequately resolved. However, the internal auditor is the one who determines whether the desired outcome was achieved and your management’s actions were enough to resolve the finding. There should be adequate procedures and controls in place to monitor and validate that your management commits to and acts on internal audit recommendations. Their responses to internal audit findings should be precise, address the root cause, and include responsible individuals and timelines for implementation.
Additionally, internal audit procedures related to management’s responses should include expectations for timing of the receipt of management responses, evaluation, verification and follow-up of the responses, as well as a process for internal audit to escalate unacceptable responses.
Seeing value in internal audit recommendations
Planning is crucial to success in monitoring outcomes of engagement recommendations. You must consider who will be responsible for monitoring and follow-up, what needs to be monitored, how often monitoring will occur, and finally the type of monitoring required. It’s important that your management be aware of and agree with what internal audit needs in order to conduct monitoring and verify the achievement of the recommendations so management actions will be accepted by internal audit.
If your management is unaware of what internal audit expects, it will be more difficult for management to meet any expectation and can result in miscommunications and re-work. This may lead to mistrust toward the internal auditor. Creating partnerships with management to work through recommendations and the actions required to resolve findings is paramount to management seeing value in those recommendations.
Establishing a tracking system
A critical process in resolving internal audit findings is establishing a findings tracking system.
An automated tracking system can be beneficial in ensuring timely follow-up occurs and is often built into most modern audit and work paper software programs. However, even manual tracking systems, such as Excel spreadsheets and calendar reminders, can provide the same level of tracking at a more reasonable cost.
Tracking systems should assist auditors in determining when follow-up should occur, which often depends on the severity of the finding and management’s proposed time frame for resolving the recommendation. More severe findings should be followed up on more frequently.
In determining appropriate follow-up and monitoring, internal audit should work with management to determine an appropriate time frame — monthly, quarterly, annually or just prior to the next audit of that area. In some instances, follow-up and resolution of audit findings could also be required prior to internal audit issuing final reports.
A findings tracking system should also provide an opportunity to document and track management’s responses to findings and follow-up communication that has occurred. This is especially important for recommendations that cannot reasonably be implemented immediately, such as those requiring capital costs or significant process enhancements.
It is also critical to document any management requests for extensions to initial time frames for resolution. Internal audit should assess and document management’s reasoning for requesting an extension to ensure it is legitimate.
There are also various types of follow-up procedures that need to be determined, including who is responsible for the follow-up that needs to occur. Will it be the process owner or management, will internal audit conduct targeted follow-up, or will an additional audit be required to determine the recommendations have been addressed? Different follow-up methods can and should be used depending on the scope of the initial audit area and the severity of findings identified.
The type of follow-up required will also depend on management’s response to the finding being addressed and the complexity of the implementation required. It would also be appropriate to mix follow-up methods to ensure adequate resolution has occurred.
Escalating concerns and increasing communication
Through monitoring and follow-up, if internal audit determines recommendations have not been resolved, or believes management is accepting too much risk, there should be established procedures for escalating these concerns to the appropriate level of senior management or the Board.
IIA Performance Standard 2600, Communicating the Acceptance of Risk, states: “When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”
Internal audit standards dictate that the internal auditor is responsible for determining if management is accepting too much risk. However, management should be involved in the discussion of why the internal auditor feels a given action, or lack of action, to a recommendation is resulting in too much risk.
Often, through communication, the issue can be resolved. Ensuring management is involved in this process will help foster management acceptance of the internal audit activity and help to legitimize internal audit recommendations — helping to ensure resolutions are implemented, value is added and meaningful change results.
3 steps to building an internal audit process
The impact of AI on internal audits