
GUEST BLOG POST
There are conflicting views on whether internal audit should follow up on every action item from previous audits. Let me see if I can inject some common sense into the debate.
Imagine this is the situation:
- A year ago, management agreed to a recommendation by internal audit to remove the access of 20 former employees to the financial system.
- Also a year ago, they agreed to monitor the issuance of credit notes after an audit found several had been processed without the prior approval of management.
- Nine months ago, internal audit recommended a periodic review of the policy for reviews of employee expense reports, which had not been updated in five years. Management agreed to update it within 60 days.
- After an internal audit, management committed to ensure all account reconciliations in a major subsidiary are completed before their financial team sends their results to Corporate. That action should have been completed six months ago.
- After last year’s external audit, management agreed with the external auditors’ recommendation to improve controls over the receipt of materials.
- A year ago, the Securities and Exchange Commission told management to improve its risk disclosures.
- Six months ago, the Environmental Protection Agency found errors in the company’s emissions reporting. Management agreed to correct them immediately.
- In their last annual audit, the ISO Quality auditors found defects in the testing of manufactured products that they indicated were major.
- After employees sued the company several months ago, the judge directed management to update its hiring policies and practices, which were seen as discriminating against people over the age of 50.
- A couple of quarters ago, the board directed management to provide additional detail on how they are addressing the risk that competitors will cut prices in a major market.
- Three months ago, the CEO directed the chief information security officer to complete the implementation of an upgraded breach detection system within 30 days.
- After reviewing the quarterly risk report, the CEO directed the CFO to improve the monitoring of currency fluctuations and the General Counsel to upgrade the monitoring of relevant legal cases and actions.
Which, if any, of these action items should be included in an internal audit follow-up engagement?
Which merit testing and which do not? Does it make common sense to follow up and confirm the closure of internal audit action items regardless of the level of risk, but not the high-risk action items from other sources?
My opinion is that internal audit should follow up and confirm closure of those that merit attention based on the level of risk. They should be aware of, and follow up on, action items from other sources where the risk of leaving them unclosed is high. Where justified, testing should be performed.
By the way, the need to follow up on internal audit action items is far less if internal audit has worked collaboratively with management to agree on the need for them and as a result management has taken active ownership. They realize it is in their own best interests to take those actions.
It is when management is agreeing to act without really agreeing, because they don’t see the actions as being in their best interests, that follow-up shows results. But it’s far better to prevent failures to take actions than detect them.
When many action items are not completed as agreed, the fault may well be internal audit’s! Maybe management was right and the actions were not justified on business grounds!
What do you think? What is common sense here? Please provide your views in the comments section below.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.