Principles and approach

Introduction

As a department, set a policy for agreement/follow up of actions, including:

  • whether you use report recommendations, management actions or both;
  • the level of management that can agree actions. Relevant factors include the seriousness of the issue (issue category/audit materiality) and the length of time the action will remain open (e.g. where senior management need to effectively accept the risk during this period);
  • the treatment of risks accepted (e.g. who can accept the risk, its documentation, reporting and frequency of review);
  • how you should deal with actions where some initial work has to be undertaken before a definitive date for resolution can be provided (e.g. the date could be shown as ‘to be advised’ or could be shown as two actions, the first being the research and the second the resolution);
  • the escalation process for actions not cleared by the agreed date;
  • the percentage of actions you’ll follow up, usually by category rating and usually with 100 per cent of high priority actions followed up;
  • how to report actions that have been completed, but where audit still needs to confirm this by undertaking testing over a period of time; and
  • who in audit can clear the action and if quality review is needed.

Main approaches

There are two main approaches to clearing actions: issue by issue, as the due date arrives or you’re notified that the action has been completed; or by undertaking a follow-up audit covering all the actions:

  • The first approach is timelier and aids reporting to the audit committee
  • The second approach can be useful where there are complex and interconnected issues
  • To ensure the action is implemented correctly you can’t just rely on management informing you that this is the case. You must obtain suitable evidence to confirm it and, where relevant, undertake testing
  • It’s critical not just to ensure the action is complete, but that it has effectively mitigated risk to an acceptable level. The quality and effectiveness of the action must be reviewed
  • It’s management’s responsibility to ensure that their risks are effectively managed, and they should have their own view on their clearance of audit issues and not be reliant solely on the information you provide.

Progress reporting

Reporting of progress on outstanding actions is vital to both the audit committee and senior management in the business. The report should be statistical and should also highlight areas of specific concern and trends. It should include:

  • missed dates and revised dates (particularly if repeatedly revised).
