Following up recommendations/management actions



Similar documents
What Every Director. How to get the most from your internal audit. Endorsed by

Internal Audit Terms of Reference

Compliance Policy AGL Energy Limited

DATA AUDIT: Scope and Content

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

Bridgend County Borough Council. Corporate Risk Management Policy

Avon & Somerset Police Authority

Internal Audit Quality Assessment Framework

Information Commissioner's Office

Risk committee performance evaluation

Risk Management Strategy & Implementation Plan

IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN ENTERPRISE-WIDE RISK MANAGEMENT

3 August 2012 Policy updated to reflect name changes and alignment with current Aurora Energy Group Policy standards.

Solvency II Detailed guidance notes

RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK

COMPLIANCE CHARTER 1

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Risk Management Policy and Process Guide

Solvency II Data audit report guidance. March 2012

Feature. A Higher Level of Governance Monitoring IT Internal Controls. Controls tend to degrade over time and between audits.

Aegon Global Compliance

Risk Management Within an Organisation

ING Group Compliance Risk Management Charter and Framework

How To Write A Risk Management Policy For The University Of Kerry

Health and Safety Management Standards

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

Risk Management Strategy and Guidelines

Regulation of Social Housing in Scotland. Our Framework

Internal Audit Charter. Version 1 (7 November 2013)

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

SAI GLOBAL LIMITED Risk Management Policy

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

E.ON UK - Independent Audit of Complaint Resolution Processes

Note the Chief Internal Auditor s findings to date and gain assurance from Officers that key issues raised are being addressed.

RISK MANAGEMENT GUIDANCE FOR GOVERNMENT DEPARTMENTS AND OFFICES

ENTERPRISE RISK MANAGEMENT POLICY

APPENDIX 50. Enterprise risk management - Risk management overview

INTERNAL AUDIT FRAMEWORK

Information Commissioner's Office

Application of the Framework is relevant to clinical networks, units and health service teams within each service or organisation.

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers

MARCH Strategic Risk Policy Update March 2012 v1.10.doc

Audit of the Test of Design of Entity-Level Controls

IT Governance. What is it and how to audit it. 21 April 2009

Confident in our Future, Risk Management Policy Statement and Strategy

The Risk Management strategy sets out the framework that the Council has established.

VICTORIAN CARDIAC OUTCOMES REGISTRY. Data Management Policy

Audit Committee. Directors Report. Gary Hughes Chairman, Audit Committee. Gary Hughes Chairman, Audit Committee

Internal Audit Division

APPENDIX A Clackmannanshire Council. Audit of housing and council tax benefit. Risk assessment report

National Occupational Standards. Compliance

Complaints Policy and Procedure. Contents. Title: Number: Version: 1.0

Internal Audit Practice Guide

AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER

Managing Risk Control Environment and Responsibilities

SESSION 3 AUDIT PLANNING

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

IT Service Desk Unit Opportunities for Improving Service and Cost-Effectiveness

Understand why, when and how-to to formally close a project

CONTINUITY OF OPERATIONS AUDIT PROGRAM EVALUATION AND AUDIT

Customer Relationship Management (CRM) and Data Officer. Reference No: Grade:

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

WEB APPLICATION SECURITY TESTING GUIDELINES

Certification Body Quarterly Data Submission Instructions QFE-016 Version 1.0

Performance Management Unit. Performance Management Framework

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

PROJECT MANAGEMENT FRAMEWORK

Complaints Standard. for Suppliers. Categorised as Basic (B or F)

Quality Assurance Framework

INFORMATION GOVERNANCE POLICY & STRATEGY FINAL DRAFT

Internal Audit Standards

The Procter & Gamble Company Board of Directors Audit Committee Charter

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report

February Audit committee performance evaluation

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA

Minutes of the meeting of 30 June 2014

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Mandatory Provident Fund Schemes Authority COMPLIANCE STANDARDS FOR MPF APPROVED TRUSTEES. First Edition July Hong Kong

DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Appendix 1b REVIEW OF CHEQUE HANDLING PROCESS

Risk & Assurance. Tailored to your needs. Internal audit solutions

DOCUMATION S PURCHASE TO PAY (P2P) SUITE

PROJECT MANAGEMENT PLAN Outline VERSION 0.0 STATUS: OUTLINE DATE:

Effective Internal Audit in the Financial Services Sector

Capital Projects. Providing assurance over effective delivery of projects

Report of Don McLure, Corporate Director of Resources

Who s next after TalkTalk?

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

Standards for the Professional Practice of Internal Auditing

CORP RISK MANAGEMENT POLICY & METHODOLOGY

DOCUMATION S CUSTOMER SERVICES SOLUTION

National Programme for IT

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

1.1 Terms of Reference Y P N Comments/Areas for Improvement

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Effective Internal Audit in the Financial. Services Sector. Non Executive Directors (NEDs) and the Management of Risk

Preparing for an OFAC Review An Examiner s Perspective

Safety Management Systems (SMS) guidance for organisations

Second Clinical Safety Review of the Personally Controlled Electronic Health Record (PCEHR) June 2013

Transcription:

09 May 2016 Following up recommendations/management actions Chartered Institute of Internal Auditors At the conclusion of an audit, findings and proposed recommendations are discussed with management and subsequently management action plans are developed to explain how the agreed recommendations will be implemented. Competing priorities, budget limitations and other factors may prevent managers from implementing agreed actions in the agreed timeline or as previously designed to mitigate the risk. The purpose of follow up is to ensure that management has implemented the action, and that it has addressed the issue. In practice, this is often easier said than done! The purpose of follow up Responsibility for follow up The follow up process Bespoke systems Policies and procedures Targeting high priority risks Follow up engagements The purpose of follow up Managers who do not implement agreed actions arising from internal audit findings expose the organisation to risk. Following up on your actions helps to prevent this becoming an issue. Arrangements need to be clear on: how outstanding recommendations/management actions will be tracked how resolution will be reported and validated what follow up action might be needed (this may also link to the nature of the risks/findings identified by internal audit with high risk areas having more internal audit resource or input as part of the follow up) how this will be carried out in order to provide assurance that identified risks are being appropriately addressed. The degree of follow-up activity may be influenced by the size and nature of the risk identified. Responsibility for follow up Responsibility to resolve issues and manage agreed actions lies with management. Internal audit may help the organisation to track the implementation of actions and periodically follow up to see 1

that risks are being adequately managed. The International Standards require internal audit activities to monitor what is happening to the results of audit engagements. This does not mean that internal auditors have to undertake the follow up but they do have to ensure that actions have been implemented effectively or that management has accepted the risk of not taking action. This applies to agreed actions from both consulting and assurance engagements. The follow up process The International Standards recognise the importance of follow up to ensure management actions effectively mitigate the risk identified but are not prescriptive as to how it should be done as each organisation is different. Where risk management is fully embedded, the monitoring of action plans arising from assurance activities may be integrated into wider performance reporting. In this situation management take full responsibility for all the related reporting, up to and including reporting to the audit committee. For example, management at one bank compile a quarterly report for their audit committee that includes the status of all assurance recommendations/management actions and observations, including those from internal audit. The report highlights whether recommendations/management actions are pending, in progress or complete in the form of a dashboard for senior management and committee use. Similarly, an NHS trust forward copies of all assurance reports, including those from internal audit to a member of the organisation's risk management team who is responsible for logging all agreed actions on an internal tracking system. In accordance with implementation deadlines an email is sent to the responsible manager to request confirmation that the action has or has not been implemented. The tracking log is then presented by the risk manager to the audit committee. Internal audit choose to independently verify implementation of some recommendations. Bespoke systems Bespoke systems designed by the organisation or purchased from software suppliers can make follow-up more efficient and effective. This approach enables the ownership of actions to be assigned to managers and enables tracking of action through to completion. Automated emails often notify and remind managers of tasks allowing them to add completed actions and up to date reporting. Such systems can either be set up by management or jointly with assistance from internal audit with input and viewing facilities assigned where appropriate. Software tools such as these are particularly helpful in large organisations where managers operate in different parts of the country or operate in different countries. A UK FTSE100 organisation tracks internal audit recommendations/management actions using an 'audit work system' that establishes a review date and target implementation date. When actions 2

are approaching their review date a reminder is sent to the internal auditor. This prompts the internal auditor to contact the operational owner and client audit liaison within 20 working days of the original target implementation date for a progress report. The progress update may be received directly from the client by email or from the audit liaison through the submission of a progress review on the 'audit work system'. The client audit liaisons can view the actions assigned to them and raise progress reviews from a partitioned web view of the 'audit work system'. If the client has stated that the action has been completed and it was rated as critical or significant in the final report re-testing must be completed by internal audit within 20 working days of receiving the progress update from the client. If the action is rated as 'requires attention' internal audit accept management's representation and do not do any further testing. In addition all closed critical and significant actions are subject to review by audit management and are re-opened if there is insufficient evidence to support their closure. Re-testing is completed on an action by action basis. It is the internal auditor's responsibility on a quarterly basis to flag up the time they will need to retest actions, so that it can be built into their quarterly schedule. Policies and procedures In other organisations the internal audit activity itself asks managers to report back that management actions have been implemented and then report this feedback to senior management and the audit committee. For example, a large government internal audit activity builds follow-up into the audit plan so that each assurance review has scheduled follow up within three months of the completion of the original audit. The scope of the follow up work varies but for most actions it is obtaining an update from management on what they have done to complete the agreed actions. If particularly high priority actions were agreed, then the audit department undertakes some work to verify the effectiveness of that action such as testing operating effectiveness. Where follow-up is conducted in this way, the chief audit executive needs to develop a policy and supporting procedures that are communicated to the organisation's managers and internal auditors for clarity. For example the policy needs to explain: The objectives of follow-up exercises. How they are to be conducted. The frequency of follow up. How follow up is scheduled and prioritised within the organisation's timetable and the internal audit plan. The FTSE100 company referred to earlier includes the following detail in its internal audit quality management system. Action tracking is important because: It is an IIA International Standard to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. 3

It provides an assessment of the commitment and effectiveness of management in implementing actions; It is a measure of our effectiveness. The implementation rate provides a further useful measure of our performance and is a control over the quality of our recommendations It assures management of our commitment and may stimulate implementation when actions are about to be reviewed. Targeting high priority risks A truly risk focused follow-up plan is targeted at the higher priority risks irrespective of the organisational context or internal audit review within which the recommendation was raised. To meet its objective the follow-up process in a risk-based audit approach should report how effective managers are at implementing risk responses. This might be action to avoid or transfer the risk as well as those actions that reduce the risk. However, in practical terms it might prove more sensible to follow-up both issue and root cause based upon the original audit report, or by other key criteria. Follow up should consider whether actions have been implemented and whether the identified risks have been adequately managed with anticipated benefits, and if not, whether the residual exposure is within the identified risk appetite. In general, the follow-up process helps to determine the effectiveness of management's response to risk. In other words, it should be used to provide objective data about how well management understand the scale and priority of their inherent risks, and how effectively they are able to develop control arrangements to mitigate those risks to acceptable (residual) levels. When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organisation, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the audit committee for resolution. Follow up engagements It is essential for organisations to have a good understanding of their risks and how well they are managed. Discrepancy between reported risk responses and the actual status could mislead those who rely on the information. Internal audit should perform sufficient work in order to provide objective assurance to senior management and the audit committee that management's response to risk is satisfactory. Essentially, this means following up audit work in areas that have recently been audited to ensure that there is adequate remediation. This work should be effectively targeted to provide independent confirmation that action is being taken and that risks are being managed effectively, for example the higher the risk rating/level of risk, the greater the level and depth of validation and verification. Working collaboratively with managers so that they actively report and evidence where 4

recommendations have been addressed will help reduce the amount of objective follow up work necessary. Managers need to be aware that internal auditors are likely to check on the adequacy of some mitigation and that outstanding actions may be escalated to the audit committee and this will encourage them to take timely action. Where time is of the essence, the internal auditor could focus on areas where the risks have the greatest potential impact and high likelihood of occurring. Depending on the culture within the organisation the internal auditor may need to inform senior managers and operational managers when and where follow up engagements will take place. In less formal situations it may simply be a case of scheduling a short visit or meeting. Either way the internal auditor needs to observe and/or gather evidence to determine that actions have been implemented. Where opinions have been expressed, the auditor may need to consider whether any subsequent improvement in control might warrant the opinion assessment to be revisited. This should be handled cautiously as other aspects may have changed since the area was originally audited and the follow-up activity may not be sufficiently detailed to revise the opinion. Practice advisories 2500-1 Monitoring progress 2500. A1-1 Follow up process 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information