Audit Remediation Monitoring: Fostering Accountability and Effective Risk Mitigation
May 17, 2019
They say there are two things that are certain in this world; death and taxes. But, there’s another for organizations that operate in today’s environment: audits. Whether a federal or state audit, a third party vendor audit, internal, or external audit—chances are you have been, and will continue to be, audited.
Almost as certain as an audit, is an audit finding, or observation. Throughout each audit, the auditors are evaluating the organization’s internal controls, processes, systems, and personnel against criteria such as policies, regulations, standards, or contracts. An observation is the result of the auditor identifying an area of non-conformance with the criteria. Observations are written as statement of facts and must be accompanied by sufficient audit evidence. Each observation is included in the resulting audit report, providing the supporting evidence, and a recommendation for how to remediate the deficiency and/or improve the internal controls to mitigate the underlying risk.
Most audit reports require the organization to respond to the observation, often called “management’s response” or the “management action plan” where it provides a description and timeline for how it intends to remediate the observation.
Management Action Plans
While the audit may be over (until the next one!), the organization’s journey has just begun. The organization needs to be accountable for the observation and risk mitigation efforts. From an organizational standpoint, the observations should be centrally tracked by an assigned resource to monitor the status of each recommendation. Additionally, this allows the organization to evidence and track periodic follow-ups with the individuals responsible for the remediation efforts.
Organizations can use specialized tracking software, or a simple Excel workbook (“tracking document”) to monitor the status of remediation efforts. Regardless of how the remediation of audit observations is monitored, the following attributes should be tracked:
While items #1-8 will remain the same throughout the management action plan tracking, items #9-15 are attributes that could be updated throughout the tracking of each implementation to document the history of follow-up activities, and to reflect new or updated information as it becomes available, and as the remediation moves closer towards completion.
Organizations should establish defined periodic updates for outstanding remediation efforts (e.g.: quarterly). Follow up should solicit an update on the status of the remediation from the responsible personnel, along with revised estimated dates of completion. When the remediation effort is complete, the personnel responsible for implementing the recommendation should present evidence that the action plan was successfully implemented. Ultimately remediation efforts need to be supported by evidence to validate that the risk associated with the observation has been mitigated. Remediation status updates and evidence of completion should be documented and retained to facilitate tracking, and as a source of reference for use in future and follow-up audits.
Consistent, detailed tracking of management action plans ensures the organization is monitoring the status of remediation efforts through completion and that implemented changes are appropriately addressing risk. If not effectively managed, failure to properly implement audit recommendations could result in a repeat audit observation. Repeat audit observations can have a ripple effect resulting in auditors increasing sample sizes, conducting more frequent follow-up audits, and could result in negative public perception, media attention, or loss of revenue/funding. More importantly, failing to sufficiently address and remediate identified observations and recommendations could result in a negative event that could significantly impact the organization—something that could have been prevented with more effective and consistent oversight. Tracking the remediation of audit observations and recommendations ensures that the organization is aware of the status of action plans and effectively managing risk.
If you’re concerned that your organization may not be effectively tracking the remediation status of prior audit recommendations, talk to your internal audit team, or an experienced independent advisor like SC&H Group’s Risk Management practice, to determine if additional tracking and monitoring may be appropriate. You can reach out to us if you’d like to learn more.