Follow-up of internal audit recommendations report

An audit is officially closed after all of the recommendations have been recommended for closure through the follow-up audit process. The final audit report that is distributed to the Board of Regents Audit Committee includes the chancellor or vice president’s formal response consisting of the plan of action and implementation deadline for each recommendation in the report.  Audit and Consulting Services will use the implementation deadline to determine when follow-up procedures should be conducted. Sometimes we need to wait for an appropriate duration of time beyond the implementation deadline in order to have enough data on which to perform follow-up procedures.  See below for the most frequently asked questions in regards to follow-up auditing.

Audit standards require that a follow-up process is implemented to monitor the disposition of audit results and ensure that action plans have been effectively implemented. Our professional goal is to conduct follow-up auditing in a timely manner and report on the results.
There are two primary objectives for follow-up auditing:

1. Was the recommendation implemented as described in the plan of action submitted by the chancellor or vice president?

2. Did the recommendation and plan of action result in the intended effect of mitigating the risk that had necessitated the recommendation in the first place [in other words, is the recommendation operating as intended?]

Each fiscal year we schedule follow-up auditing for recommendations that have follow-up due based on their implementation deadline. We will:

1. Distribute an entrance letter to each chancellor or vice president that communicates our intent to conduct follow-up audit procedures throughout the fiscal year.

2. Contact the respective associate vice chancellor or vice president to notify them regarding which prior audits have recommendations on which follow-up will occur and the approximate timing of our follow-up activities.

3. As follow-up activities progress, each department head is notified as relevant to the recommendations and plans of action. Along with notification the auditor usually requests information such as:

a. A written update on the status of implementation of the recommendation.

b. Documentation that validates the recommendation was implemented.

We can often accomplish this from the office via telephone and email communications, but we also value face-to-face meetings when they can be arranged. We take your time into consideration, so please let us know what will work best for you.

Results of follow-up auditing are reported to the department head, vice chancellor or vice president, chancellor and president. They are also presented to the Board of Regents Audit Committee at their regularly scheduled meetings. The Audit Committee usually meets each year in June, September, December and April. This process provides assurance to the Audit Committee that recommendations receive an appropriate level of attention by management and are implemented in a timely manner.

On occasion we conduct follow-up activities and discover that a department has undergone staffing or process changes that resulted in a recommendation that was not implemented. In this situation, we report that we followed-up with the department but that circumstances prevented us from recommending closure and that follow-up audit activities will be rescheduled for another date in the future.

Too many instances of this can reflect negatively upon the department unless reasonable explanations are provided, usually resulting from extenuating circumstances that are not likely to be repeated.

If you are leading a department or have responsibility for a function or process that was audited, you will receive a copy of the final audit report that describes the audit results, formal plans of action submitted by your chancellor or vice president, and implementation deadlines. If you’re unsure as to which recommendations remain in an open status, thus eligible for follow-up auditing activities, please do one of the following:

1. Contact the associate vice chancellor for administrative services [UAA, UAF] or the vice chancellor for administrative services [UAS]. They have taken an active role in monitoring audit recommendations for their respective campuses.

2. Contact Audit and Consulting Services.

Stage 4: Audit Follow-up

These are the major activities to be executed during the Audit Follow-up Stage:

1. Follow-up Audit
2. Follow-up Review
3. Follow-up Report
4. Surveillance Audit

[1] Follow-up Audit

Follow-up Audit is an audit which verifies that corrective actions have been accomplished as scheduled. It determines that the actions are effective in preventing or minimizing future recurrence. Usually, a Follow-up Audit includes a Follow-up Review and a Follow-up Report. These are the additional activities:

• Monitoring follow-up of the initial response to the audit.
• Reviewing and evaluating the corrective action response of the Client.
  •  Refer to “Execute Corrective Actions “ and “Corrective Action Procedures”
• Confirming the content on the “when, who, where, and how” to the response.
• Monitoring and reviewing the Client‟s actions to address the deficiencies and recommendations.
• Conducting a follow-up audit, or re-audit if necessary.
• Ensuring the corrective action are taken and a satisfactory conclusion is achieved
• Reviewing and filing of the documentation and records.
• Identifying actions for verification during the next audit.

[2] Follow-up Review

The Follow-up Review is a review of the Client's response letter to the audit report findings. The actions taken by the Client to resolve the audit report findings may be tested to ensure that desired results were achieved. All unresolved findings will be discussed in the Follow-up Report

[3] Follow-up Report

The Follow-up Report is a document generated after the Follow-up Review. This report lists the actions taken by the Client to resolve the original report findings.

Any unresolved findings will appear in this Follow-up Report. It should include:

• A brief description of the findings
• The original audit recommendation
• The Client’s response
• The current condition
• The continued exposure to the Client

A discussion draft of each report with unresolved findings is circulated to the Client before the report is issued. The follow-up review results will be circulated to the original report recipients and the Client’s Executive Management as deemed appropriate.

The auditor would recommend the auditees to "Execute Corrective Procedures and Actions"

[4] Surveillance Audit [BCM Certification]

The Surveillance Audit is a periodic audit performed by an external Auditor to ensure that an organization still meets BCM or ISO standard requirements. The objectives of a typical surveillance audit are to:

• Conduct periodic audits to ensure that an organization still meets BCM standard requirements.
• Make Continual Assessment Visits [CAVs]
  •  On-going surveillance visits
• Have a Re-certification
  •  Once in every three years
  •  Option One is to re-certify by full system audit
  •  Option Two is to re-certify by a strategic review

Resource

Goh, M. H. [2016]. A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series [2nd ed.]. Singapore: GMH Pte Ltd.

Singapore Government Funding for BCM-8530 Course

The next section applied to Singaporean and Singapore permanent residents.  Click the button "Government Funding Available" to find out more about the funding that is available from the Singapore government.  This includes the CITREP+, SkillsFuture Credit and UTAP.

Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]

What is the importance of internal audit recommendation follow up?

How do you follow up after an audit?

How do you write a recommendation for an audit report?

How do you respond to an audit recommendation?