The Missing Piece: Audit Issue Follow Up

Audit Issue Follow Up

The results of audits are usually discussed presented and reported to management. However, many organizations then fail to adequately follow up on the results of these audits. Consequently, many audit issues are not resolved in a timely manner, or not resolved at all. Without adequate resolution, the time and effort to conduct the audit is wasted, and the lack of corrective action can look poorly on management may increase risk. As the Chartered Institute of Internal Auditors states, “Managers who do not implement agreed actions arising from internal audit findings expose the organization to risk.” (Follow Up Recommendations/Management Action pg. 1)

Many regulatory bodies understand that audit follow up is a key process to effective risk management program. In the banking industry, the United States Federal Reserve states that a bank should have procedures documented for issue tracking and follow up. “At a minimum, procedures should include…identification of requirements related to monitoring remediation of issues noted, validation of corrective actions, and board (audit committee) updates.” (Overview of the Components of an Effective Audit Function pg. 5).  The Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing also states, “Internal audit should have effective processes in place to track and monitor open audit issues and to follow-up on such issues. The timely remediation of open audit issues is an essential component of an organization’s risk reduction efforts.”

The Federal Reserve is not the only U.S. banking agency to cite the important of audit issue follow up. The United States Treasury Department’s Office of the Comptroller of Currency bank examination handbook states, “Internal audit should have effective processes to track, monitor, and follow up on open audit issues…The timely remediation of open audit issues is an essential component of an organization’s risk reduction efforts.” (Office of Comptrollers Bank Examination Handbook – Audit Section pg. 31)

As a whole, the organization that combines the U.S. banking regulatory agencies makes the statement about the important of audit follow up for operational management. As the Federal Financial Institution Examination Council (FFIEC) states, “Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management’s corrective actions for significant deficiencies.” (FFIEC IT Audit Booklet pg. 5)

Whether done manually or via software processes, adequate follow up on issues is key to an effective audit program.  See how AuditFindings can help your organization follow up on audit issues, sign up for a free starter account.