Audit recommendation tracking: Topic Index

Audit recommendation tracking

What are audit recommendations? What happens without tracking of audit recommendations What gets tracked The tracking cycle Forecast and target dates for implementing a recommendation When tracking ends: good and bad reasons to ‘close’ an audit recommendation Common problems and solutions in audit recommendation tracking The magic format Reporting to the audit committee The secret is management accountability- for the deficiency

Vocabulary for audit recommendations

Audit Audit committee Chief Audit Executive (CAE) Auditor External auditor Internal auditor Finding (audit finding) Recommendation (audit recommendation) Recommendation tracking Client (audit client)

What is an ‘audit recommendation’?

Before that, what is an ‘audit’? To whom audit recommendations are made Are audit recommendations mandatory?

What to read first: Audit recommendation tracking

Why there are always recommendations

Recommendations resolve deficiencies Levels of deficiency Resistance is common

What to read first: What is an ‘audit recommendation’?

Declarations vs. independent verification

An adequate declaration Assessment of declarations Follow-up audits

What to read first: Audit recommendation tracking

Reasons to close audit recommendations

‘Open’ and ‘closed’ recommendations – what is ‘closure’? The stages of ‘closure’ Proper and improper bases for ‘closure’

Common problems and solutions

No real action has been taken, and nobody claims to have taken any. No-one is arguing with the recommendation, but responsibility is being pushed around like a hot potato, or is dismissed carelessly. The recommendation requires action from two independent managers, e.g. both the CFO and the CIO. There are repetitive promises of action that never happens. Management signals that they care, but it becomes clear to Chief Audit Executive staff that no-one is actually doing anything. Management say the recommendation has already been implemented, without reporting convincing details. The Chief Audit Executive is not convinced. Management status reports are off-topic. They may claim that the audit recommendation has been implemented, but the specific steps they report are not clearly a resolution to the deficiency identified in the audit. Implementation of the audit recommendation is tied to a ‘Project X’. ‘Project X’ is still in the promised future. In the meantime, the problem motivating the recommendation continues. The Chief Audit Executive’s request for a status report on the recommendation comes as an uncomfortable surprise to the managers directly responsible (those down at ‘ground zero’). When the Chief Audit Executive asks for an update, the person responsible recognises the obligation, but has no understanding of what is needed, what is involved, or why it matters. The Chief Audit Executive team is unable to provide a definitive list of all open audit recommendations for which one senior management position is responsible.

What to read first: Audit recommendation tracking

The magic format for tracking an audit recommendation

Do this Don’t do this

What to read first: Audit recommendation tracking

Target dates and extensions

Target dates are not forecast dates Extensions are problem A workable solution

What to read first: Audit recommendation tracking