120 likes | 226 Views
Determine appropriate follow-up activity by the internal audit activity Identify appropriate method to monitor engagement outcomes. Section Topics. Conduct follow-up activity Communicate monitoring plan and results. Part 2, Section C. Standard 2500.A1
E N D
Determine appropriate follow-up activity by the internal audit activity Identify appropriate method to monitor engagement outcomes Section Topics • Conduct follow-up activity • Communicate monitoring plan and results Part 2, Section C
Standard2500.A1 “The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.” Standard2500.C1 “The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.” Responsibility to Monitor Progress Final audit report Recommendation #1 Recommendation #2 Recommendation #3 Part 2, Section C, Topic 1
CAE’s Monitoring Responsibility To ensure response, CAE should: Final audit report • Establish appropriate time frame. • Evaluate response against objectives of audit recommendations. • Verify response through communication. • Conduct follow-up audit, if necessary. • Escalate, if necessary. Assessment against audit criteria Gaps, risks, and correction priority Criteria for correcting shortcomings Also see PA 2500-1, “Monitoring Progress.” Part 2, Section C, Topic 1
Discussion Question What should the CAE consider when determining appropriate follow-up? Sample answer: • How significant is the condition? • What will correcting the condition cost in money and time? • What may result from failure of the corrective action? • How soon should management respond? Part 2, Section C, Topic 1
6 5 4 3 2 1 When Is It Time to Escalate?* Is the recommendation still valid? Were the objectives met by a different approach? Is there hope of changing management’s mind? Should implementation be delayed? Is the recommendation key to resolving control issues? Can achieving the recommendation be made easier and more desirable to management? *US Government Accountability Office white paper, 1991. Part 2, Section C, Topic 1
Elements of the Monitoring Plan Assign specific internal auditors andspecialists from other areas if needed. Who? Translate objectives into measurable, observable criteria. What? Monitoring plan How? Restrict high-dollar transactions? Monitor computers? Do full audit? When? Give management a time frame consistent with urgency. Part 2, Section C, Topic 2
Monitor management actions Follow-up engagement? Process and Goals Process Goals Action taken? Finished or in progress? Is focus of change on root cause? What are the benefits? Positive relations Data collection Data analysis Do benefits match expectations? Observation Document review Interviews Part 2, Section C, Topic 3
Discussion Question If management is making no progress in implementing recommendations, what might be the reason? What are some possible actions? Sample answer: • Possible obstacles to progress • Management resistance. • Unforeseen problems. • Recommendation has become irrelevant. • Unavoidable delays. • Inadequate recommendation. • Possible actions • Talk through issues. • Develop alternative methods to implement. • Schedule additional monitoring. Part 2, Section C, Topic 3
Standard 2060, “Reporting to Senior Management and the Board”: Adequate Response Ongoing projects Ongoing projects Ongoing projects Ongoing projects Ongoing projects Ongoing projects CAE quarterly report CAE quarterly report CAE quarterly report CAE quarterly report CAE quarterly report CAE quarterly report • CAE charged to report periodically to senior management and the board. • Charge includes quarterly reports on ongoing projects, including monitoring activities to follow up on completed engagements. • CAE often reports in person at senior management or quarterly board meetings. Part 2, Section C, Topic 4
Stop Monitoring and Report Results Report results of monitoring STOP • Emphasize benefits. • Use qualitative or quantitative measures. • Be brief—one-page summary with appendices as needed for support. • Discuss new issues as needed. • Successful as planned • Objectives met by alternate methods • New conditions Part 2, Section C, Topic 4
Discussion Question What is the CAE’s responsibility if management’s response is inadequate? Sample answer: • Inform new management of recommendations. • Argue the case for recommendation if management resists. • Escalate if risk warrants. Part 2, Section C, Topic 4
Questions? End of Section C Part 2, Section C