What to read first: Audit recommendation tracking
Auditors | Version 1.0 Beta
Check the vocabulary for audit recommendations
An adequate declaration
Management declares to the audit committee that action on a recommendation is complete.
At a minimum, the audit committee will expect a Chief Audit Executive assessment of each management declaration as either adequate or inadequate, as a basis for closure. Inadequate declarations are common, even setting aside the question of whether the declaration is accurate.
A declaration can be true but inadequate, for instance by failing to address a key aspect of the original issue. A declaration can also be adequate but false, for instance by reporting comprehensive implementation of the recommendation when essential steps have not actually been taken. The audit committee will expect the Chief Audit Executive to identify inconsistencies, implausible assertions, unexplained delays, or other anomalies within the series of management reports leading to the final declaration.
Assessment of declarations
Chief Audit Executive staff make the assessment on behalf of the Chief Audit Executive. The Chief Audit Executive staff need not be formally independent auditors. The assessment effort can vary.
The least defensible effort would be incurred by taking the management progress reports and declarations at face value, and checking only the coherence, completeness, and consistency of each new management report with the original audit report and all of the management reports to date. There might also be a check for consistency with other reporting reaching the audit committee.
An important test is whether the management declaration will be seen to be a deliberate untruth, if it is discovered that the recommendation was not actually implemented as the audit committee would have been led to believe.
The highest effort would be to formally audit the activity again, to verify that the recommendation has been implemented and that the issue has been resolved to the satisfaction of all stakeholders. Verification effort would be particularly high if auditors were to generate objective evidence that the activity outcomes and risks have improved to an acceptable state.
The actual effort is usually somewhere in between these extremes. There is definite value in not verifying all statements made by management before they are seen by the audit committee. It keeps accountability on management: if verification is routine, management will be tempted to make unrealistic claims, knowing that auditors will correct those claims.
At the same time, it is a benefit to all parties if the Chief Audit Executive staff ensure that the management declaration to the audit committee tells the whole of the important story in an understandable way, and anticipates audit committee questions. Reaching that point may involve meeting with responsible managers and discussing the details of exactly what has and has not happened, how it is known to have worked, the reasons for delays, the possibility of remaining barriers to implementation, etc. Chief Audit Executive staff can compare the details from these conversations with the proposed management declaration and with audit committee expectations, and if necessary recommend changes to the declaration.
It is proper for Chief Audit Executive staff to draft progress reports and declarations for management authorisation. Doing so can, however, lead to misunderstandings, with consequences. If the Chief Audit Executive staff are drafting words for management, it is best to route the draft to the executive management signatory upward through the staff or middle managers reporting to the signatory.
It is good policy to rely on management declarations for the closure of an audit recommendation, without independent verification of the facts. If internal audit were to verify directly the implementation of each recommendation before closure, scarce resources would be spent, and management would feel less accountability for resolving the deficiency identified by the audit.
It is also good policy to conduct formal follow-up audits specifically reviewing the later history of selected audit recommendations after they were ‘closed’. Such an audit could be done once per year or once every two or three years.
This practice signals that a misleading declaration by management, leading to the closure of an audit recommendation, has a good chance of being detected. The existence of the follow-up audit thereby encourages honesty all the way through the audit life-cycle and probably in other ways as well.
This kind of audit focuses on the closed recommendations themselves. It is slightly different from the other kind of follow-up audit, which focuses on the whole of an activity subject to a past audit that found problems.
Main article on Audit recommendation tracking