Your child is not well. In fact, he is so unwell that you bring him to visit your doctor, who asks some questions, performs some tests and, after considering the facts, writes a prescription. She tells you to ensure that your son finishes the course of prescribed antibiotics and to bring him back for a follow-up consultation. Why? Because the doctor wants to make sure that her actions have been effective. She wants to make sure that they result in your son getting better.
Now, consider your last audit. On behalf of the audit committee, you reviewed processes, procedures, applications or databases. You considered their protection from a confidentiality, integrity and availability perspective. You considered relevant standards and legislation. You asked some questions, performed some tests and, after considering the facts, you made a recommendation. But, did you or will you follow up?
I have discussed this with many of my contemporaries, and a surprising number do not perform audit follow-up activities. The usual reason given is that they are too busy. They have too many audits to perform and do not have the time to go back to previous audits. In addition to the fact that follow-up activities are mandated by ISACA and Institute of Internal Auditors (IIA) standards, if you do not follow up, how do you know that all is well? How can you determine the adequacy, effectiveness and timeliness of actions taken by management on previous recommendations? How can you tell the audit committee that things are getting better?
In my recent Journal article, I make some observations and recommendations, which I hope will improve your follow-up activities. In particular, I provide suggestions on the data items to capture for each audit recommendation, and I explain how summarizing these data can give meaningful management information that will enable an audit committee to see that all is well or that, at a minimum, things are going in the right direction. I also show how this management information can be used to foresee that all may not be well with future initiatives.
Read Ian Cooke’s recent Journal article:
“Enhancing the Audit Follow-up Process Using COBIT 5,” ISACA Journal, volume 6, 2016.