The International Standards for the Professional Practice of Internal Auditing, Standard 2500 informs about the final stage of the audit process, that of monitoring.
While the standard outlines the responsibilities of the chief audit executive and internal audit function, itself, the action has a threefold effect.
1. Provides Reassurance to Management –
The final report submitted to the audit committee and copied to senior management provides reasonable assurance of the assessment of risks and corrective action to controls and processes therein. However, the follow-up activity goes further in saying more about the same area of audited activity to management and the organization. After reporting on the agreed-upon action between the internal auditor and client within the specified timeline, the recommendation of the auditor should be reported as closed. Risks identified during the audit process should have been mitigated and residual risks now should be at a manageable level.
2. Highlights Management’s Satisfactory Performance
The internal auditor is encouraged to report satisfactory performance observed during the audit review. At the follow-up stage, tests performed by the auditor on the effectiveness of the corrective action tha t wa s impl emented should hi ghli ght management’s treatment of the risks that were identified. This action reassures senior management about risks mitigation as well as provides an appreciation of the repair work of the audited department.
3. Underscores Audit’s Value
The corrective action (recommendations) proposed by the internal auditor, agreed on by the client, and eventually implemented underscores the auditor’s value in the process. This is the stage where the quality assurance aspect of the audit process emerges, certifying the effectiveness of all the work done in the four preceding stages of planning, performing, communicating, and monitoring.
Many internal audit functions especially small and mid-sized departments find it difficult to perform follow-up reviews. Staffing constraints and sudden management requests take a toll on an already-full schedule. The main focus is getting the approved annual audit plan completed before year-end.
The internal audit function is a major player in effective corporate governance, and we must make it mandatory to allow management to rely on our activity. Follow-up reviews bring full circle the effectiveness of the work that internal audit started.