You’ve just completed a very complex audit. There were multiple issues to report. Some issues have easy fixes and others would require a significant amount of time and attention. Management’s action plans are very detailed. They contain concise responses, assign responsible parties for fixing the issues and include due dates. So when audit and management are comfortable with the draft, you release the final report.
Twelve months later, you decide to perform a follow up audit. You discover that a few of the issues remain open. But some were closed months ago. Others are no longer relevant because the processes have changed. Management promises they are working on the outstanding items but have not had the opportunity to implement everything. Some items were a quick fix whereas others will require more than one year to fix. So all in all, your follow up audit was a flop.
That is a complicated question. Auditors must follow up on issues presented in audit reports. This is not an option. But I do not believe in follow up “audits”. I define a follow up audit as an audit that occurs at a point in time after the release of a report to determine if the issues presented in a report have been resolved.
There is one primary reason I do not like follow up audits.
Follow Up Audits Assume all Issues are Equal
Suppose you have an audit report with 10 issues. Two are critical risk, one is high risk and the remaining seven are low risk items. Further, management commits to clearing one critical item in six months and the other in one year. The longest expected completion date is for one of the low risk items and it is one and a half years out. Some audit functions will schedule a follow up audit one and a half years out because that is the date all issues should be resolved. But what about the critical item that is to be resolved in six months? It is overlooked until the scheduled follow up date. This is why I do not like follow up audits.
Audit shops can spend time chasing issues that either have been completed, are not completed or are currently irrelevant. All for the sake of saying we followed up. There is a better way. Many audit functions do it better.
So what would I suggest?
First, all reportable items must identify the issue, contain an action plan to fix it, identify the party responsible for fixing it and include the date when the item will be resolved. If these elements are in place, we simply follow up with the audit client about 30 days prior to the due date of each issue. We determine if they are still on target. If not, change the date. If so, test the action plan on or close to the due date. I’m suggesting that audit address individual issues based on their due dates. This ensures issues are addressed in a timely manner. Thankfully many audit functions currently follow up in this manner. Most audit systems have this functionality built-in. This technique is a more streamlined approach to following up on open audit issues.