The results of audits are usually discussed, presented, and reported to management. However, many organizations fail to adequately follow up on the results of these audits. Consequently, many audit issues are not resolved in a timely manner, or not resolved at all. Without an adequate resolution, the time and effort to conduct the audit are wasted, and the lack of corrective action can reflect poorly on management. As the Chartered Institute of Internal Auditors states, “Managers who do not implement agreed actions arising from internal audit findings expose the organization to risk.” (Follow Up Recommendations/Management Action pg. 1)
Many regulatory bodies recognize that audit follow-up is a key process in an effective risk management program. In the banking industry, the United States Federal Reserve states that a bank should have documented procedures for issue tracking and follow-up: “At a minimum, procedures should include…identification of requirements related to monitoring remediation of issues noted, validation of corrective actions, and board (audit committee) updates.” (Overview of the Components of an Effective Audit Function pg. 5)
The Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing also states, “Internal audit should have effective processes in place to track and monitor open audit issues and to follow-up on such issues. The timely remediation of open audit issues is an essential component of an organization’s risk reduction efforts.”
The Federal Reserve is not the only U.S. banking agency to cite the importance of audit issue follow-up. The United States Treasury Department’s Office of the Comptroller of the Currency bank examination handbook states, “Internal audit should have effective processes to track, monitor, and follow up on open audit issues…The timely remediation of open audit issues is an essential component of an organization’s risk reduction efforts.” (Office of Comptrollers Bank Examination Handbook – Audit Section pg. 31)
The body that brings together the U.S. banking regulatory agencies also makes a statement about the importance of audit follow-up for operational management. As the Federal Financial Institutions Examination Council (FFIEC) states, “Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management’s corrective actions for significant deficiencies.” (FFIEC IT Audit Booklet pg. 5)
Whether done manually or via software processes, adequate follow-up on issues is key to an effective audit program. See how AuditFindings can help your organization follow up on audit issues, and sign up for a free starter account.