The effectiveness of audit work is measured by the impact it has on the organization. This impact is often realized through audit recommendations, highlighting the need to review and validate how these recommendations shape the organization’s control environment.
Auditors monitor the implementation of audit recommendations in two ways. The first method involves conducting follow-up audits. These audits are performed to verify whether the reported action plans have been fully implemented. The auditor focuses on previously failed controls, subjecting them to adequacy and effectiveness testing. Effectiveness testing helps determine if the control has been appropriately implemented over time. Therefore, a follow-up audit cannot be conducted immediately, such as within a month after the audit report has been issued.
The second and more common method for monitoring the implementation of audit recommendations focuses on control adequacy. Management provides the audit team with sample instances to validate that actions have been taken. This process, known as an audit follow-up, is widely used by internal auditors and is supported by most internal audit software. It enables regular reviews of the implementation status of audit recommendations and consistent reporting, offering a snapshot of improvements in the control environment.
External audits primarily rely on traditional follow-up audits. In my experience as an external auditor, the annual audit of an organization included a detailed review of prior audit findings, especially if there had been changes in the audit scope. At the end of the audit report, a table showing the status of previous audit findings would be inserted. Although not common, some internal audit functions follow the same reporting structure when re-auditing an area.
Even if separate follow-up audits are not scheduled in your annual plan, it is expected that you still monitor the implementation of recommendations. In his article, "Are Follow-Up Audits a Waste of Time?," Richard Chambers details his experience with the two processes mentioned above.
ISACA’s IT Audit Framework provides guidance in the audit follow-up processes as follows:
1402 Follow-up Activities
1402.1: IT audit and assurance practitioners shall monitor and periodically report to those charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee) management’s progress on findings and recommendations. The reporting should include a conclusion on whether management has planned and taken appropriate, timely action to address reported audit findings and recommendations.
1402.2: Progress on the overall status of the implementation of audit findings should be regularly reported to the audit committee, if one is in place.
1402.3: Where it is determined that the risk related to a finding has been accepted and is greater than the enterprise’s risk appetite, this risk acceptance should be discussed with senior management. The acceptance of the risk (particularly failure to resolve the risk) should be brought to the attention of the audit committee (if one is in place) and/or the board of directors.
My summary of the audit follow-up process will focus on the following aspects:
(a) Structure
(b) Evaluation Criteria
(c) Reporting
(a) Structure
Defining the structure of the follow-up process is crucial for ensuring auditors can effectively monitor the implementation of audit issues. Apollo outlined that while having a good governance structure in place is not foolproof, it is essential to have a structure that supports evidence-based implementation. Therefore, as auditors, implementing a structure that allows for successful follow-through on the implementation of audit recommendations is critical.
The structure of the process should highlight roles and responsibilities, the tools used to conduct the process and communication mechanisms. This structure can be outlined in a procedure within the audit manual. It is important that both auditors and auditees/clients are familiar with this procedure.
(b) Evaluation Criteria
Once an audit report has been issued, it is common practice to generate action plans to address the audit recommendations. In line with audit standards, auditors are responsible for monitoring and providing status updates on the implementation of these action plans to management and the Audit Committee. To ensure the process is seamless, auditors should develop evaluation criteria to determine the type of information needed regarding each action plan. These criteria provide direction and should link the status of implementation to the organization’s governance, risk and internal control processes. When a strong linkage exists, the impact of the audit work will be clearly visible and understood within the organization.
Common evaluation criteria include:
- Analysis of overdue audit recommendations: Reporting typically shows the total number of overdue issues per department. Some reports enhance this by including aging details, such as the total number of overdue issues aged 30 days, 60 days, 90 days, etc. However, simply reporting the number of overdue issues may not fully communicate the impact of a slow implementation rate. The report can be further enhanced by including the risk levels of the recommendations and linking them to the organization’s risk appetite levels. This approach effectively communicates the level of persistent exposure the organization faces.
- New audit recommendations per reporting quarter: This reporting criterion is typically used to explain the difference in the total number of outstanding recommendations from one period to the next. Auditors can assess whether the risks arising from these recommendations have been included in the organization’s risk register. Often, risks associated with audit recommendations are not linked to the organization’s risk management process, despite management accepting the audit recommendations and acknowledging the possible risks. It is common for the risk department to report each quarter that there are no “new risks,” while internal audit continually issues new audit recommendations, potentially introducing new underlying risks. This practice isolates risks identified through audits from the organization’s risk management framework.
- Analyzing the audit implementation rate: This is another evaluation criterion used to communicate the status of audit recommendations. It involves comparing the total number of implemented issues with the total number of outstanding issues. Period-to-period comparisons can show the level of effort management puts into implementing audit recommendations. Auditors can also evaluate the percentage of audit recommendations implemented in a timely manner. To enhance this reporting, internal auditors can assess which categories of audit issues have a low implementation rate. Categorizing audit issues to identify those with low implementation rates can help the organization determine areas prone to delays. From experience, the categories that suffer most are related to policy development and process re-engineering, as these require changes in how the organization operates. For example, if it takes a long time to implement issues related to the development and approval of new policies, it could indicate that the delegation of the “policy/procedure/guideline” process is weak. In many organizations, the definitions of policy, process, procedure and guideline are not well understood, and there is confusion about who should approve each type of document. This can lead to delays, especially when a particular office, such as the CEO or accounting officers, needs to review these documents while also handling significant strategic issues.
- Analysis of repeat findings: Repeat findings are common and should be evaluated and flagged in the audit implementation status report. These findings, especially if they had previously been closed, can indicate that the closure of outstanding recommendations has not effectively strengthened the organization’s internal control environment. Reopened issues might also suggest that management did not fully understand the value of the audit recommendation, or that the internal audit team needs to reassess the recommendation’s value.
- Analysis of long outstanding audit issues: Another important but often overlooked evaluation criterion is setting and agreeing on what the organization considers long outstanding audit recommendations and determining the appropriate actions for these issues. Escalation matrices should be developed for long outstanding issues to ensure that the right staff members are monitoring such recommendations. Leaving the responsibility for implementing or reporting a long outstanding issue to the same staff member might not yield results. Often, issues take a long time to be closed because they are not given the right priority. Therefore, staff members with delegated authority to prioritize work should be given responsibility over long outstanding issues. From an auditor's point of view, an independent assessment of these issues should be conducted periodically to validate their relevance. Internal audit should also have a process in place to close them.
(c) Reporting
Although auditors and management understand that audit is responsible for monitoring the implementation of audit recommendations, when the evaluation criteria are not well understood, reports on outstanding audit recommendations tend to be disconnected from the organization’s governance, risk and internal control processes.
It is important for internal audit departments to educate management on the evaluation criteria and agree on audit status reporting that reflects the organization’s needs. Additionally, it is crucial to determine how often internal audit should report the status of audit recommendations. This reporting should be included in the auditor’s communication plan.