I’m sure I cannot be the only CAE who finds follow up to be a chore and hard work. First there is the theory. The client receives the original assurance report, then responds with a clear action plan that addresses all of the risks. This plan is neatly agreed by the Audit Committee and all parties are happy. The actions are clearly ascribed to named officers and individuals, and the overall senior or overseeing manager ensures that they are kept to the time schedule and implemented. When it comes to periodic follow up, these senior managers then present their collated plan of actions, which clearly shows progress. The auditor can then sample test the items and place assurance on management’s process for following up audit actions.
Does this seem recognisable to anyone? Not to me, with my clients and in the real world. First, the theory fails to allow for the fact that risks change, and the original response may now be far too much, too little, or just wrong. Second, I am generally disappointed by clients’ ability to respond with an action plan to the risks presented, rather than to the auditor’s narrative in the report. If only as much effort went into problem solving as goes into providing ‘context’, excusing errors or poor performance, or generally arguing with reports.
I stopped making recommendations a long time ago. It is management’s responsibility to respond to the risks highlighted, not mine. I do, of course, make ‘suggestions’. I try to offer reasonable, appropriate solutions that break often ‘wicked’ problems into meaningful action plans and activities. This is why I believe an internal audit qualification (not a financial auditing qualification as a proxy), supported by a specialist professional qualification (perhaps accountancy, but more likely an MBA or another technical profession), is required: it gives the ability to provide meaningful internal business consultancy advice, which is what good internal audit should be.
So if one does not make recommendations, what does one follow up? Well, I would suggest that it should be a reported-risk follow up. The task is, therefore, to follow up unmitigated business risks previously reported in audit reports. This has the benefit of allowing a number of actions to be taken rather than just the auditor’s suggested one. It allows flexibility in response, to change tack according to the nature of the risk. In today’s constantly changing business environment this seems to me more realistic and sensible. It also allows the overall objective of audit to move away from a myopic preoccupation with audit itself and to focus on the overall goal of assisting in the reduction of unmitigated business risk, and is therefore more organisationally aligned to delivering value to the business.
This does present some practical issues, though. Risks take longer to mitigate, especially strategic ones. They can take years. Thus a typical follow up list could run into hundreds of reported risks to be followed up, and a digital, item-by-item report to senior management and audit committees would not be appropriate in this setting. It also means that, far from being the junior staff member’s nightmare task, follow up becomes a senior auditor’s task, requiring a strategic overview. It will require higher skills to re-assess the net risk remaining after the actions have been taken, a ‘re-audit’ if you will. That is a big ask. The output, however, is more ‘real’ than the follow up reporting I have seen in my career. Is it possible that an organisation of any size has an outstanding ‘tail of risk’ that numbers in the tens? Really?
Just because something is difficult should not stop it being done, in my view. I suggest all CAEs really take a step back from their follow up and make sure that it is not a myopic, audit-focused activity. How do you do yours?