When I first became a chief audit executive (CAE), I did what pretty much everybody did: instituted a periodic process to follow up the status of management action plans. After all, the IIA Standards say (2017 version):

2500 – The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Since my team issued a lot of audit reports (more than 100 per annum), this became a significant activity, to the point that I put it on the audit plan and issued audit reports with the results.

This was fine until I presented the status of management actions at an audit committee meeting. This is roughly what happened as I answered questions from the directors:

Q: Does this represent what you believe is the current status of action plans?
A: It represents what management is telling me the current status is.

Q: Does that mean it might be incorrect? Have you audited the status they report?
A: It is possible, but I have no reason to believe their reported status is incorrect. We have not audited the status of every action item.

Q: Why are you monitoring the status of these actions? Shouldn’t management?
A: It’s normal practice for Internal Audit to do this. I see it as a service to management, as they don’t have a process of their own.

Q: Aren’t there better uses of your time, especially as you are only reporting what management is telling you?
A: Good point. I will discuss that with the CFO after the meeting.

Q: Are these all the action items management is responsible for to address risk and control issues?
A: No. They identify issues themselves, such as through their monitoring of user access, and other functions like Quality or Security identify corrective actions as well.

Q: Why are you doing this then? It’s not a complete picture, and we can’t really rely on it since you haven’t checked the status of every item yourself.
A: These are all good points. I understand the audit committee would like me to work with management on a better way forward, which we will discuss after the meeting.

I met with the CFO and other senior managers, including the CIO. I included the CIO because many of the action items were in IT. We agreed that management would be responsible for ensuring corrective actions were taken as agreed, and that they would let me know if there was a serious problem. I continued to monitor some action items, but limited that to those that represented a serious risk to the organization. I included that information in maintaining my continuously updated audit plan.

I was not complying with IIA Standard 2500.

If an auditor finds that management is not complying with one of its standards, they should find out why. When management’s actions are appropriate for the business, the auditor should talk to them about changing the standard. In other words, blindly doing what you are told (whether by a standard or by an auditor) is not a good idea.

We have an opportunity to update the IIA’s Standards for the Professional Practice of Internal Auditing to include what is appropriate and necessary for efficient and effective auditing that delivers the assurance, advice, and insight the organization and its leaders need. That update should include changing Standard 2500 (current version) and 15.2 (draft).

Internal auditors must confirm that management has implemented the agreed-upon action plans.

That’s a very poor answer! We wouldn’t accept it from an auditee! Is it necessary and valuable, especially when we cannot audit and confirm the status of every action plan and we are not the only function that is identifying corrective actions? We should all question the value of monitoring and reporting whether “management has implemented the agreed-upon action plans”. … the time it takes, stop doing it – and inform the audit committee why. I expect they will agree.

After this episode with one audit committee, I changed my approach (focusing only on the follow-up of serious issues) with the wholehearted support of every audit committee I worked with. I was not conforming with the Standards, but neither I nor the audit committee cared. We cared about the quality of internal audit services – assurance, advice, and insight – my team delivered.

In my first year in my current job as chief audit executive, I found I was repeating findings that my predecessor deemed corrected in the prior annual report (required by law in my jurisdiction).