Verifying Management Actions: Closing the Loop and Ensuring Risk Mitigation

As Internal Audit professionals, our work doesn't conclude with the issuance of a report and recommendations. A crucial, and often understated, phase is verifying management actions. This process ensures that the agreed-upon steps have been implemented effectively and, most importantly, that they truly address the original risk gaps we identified.

The Institute of Internal Auditors (IIA) provides clear guidance on this vital aspect of our role.


According to the IIA Standard – Monitoring Progress, internal auditors must follow up to determine whether management has taken appropriate corrective action for reported conditions. Building upon this, Standard 15.2 specifically outlines the activities we should undertake to confirm the appropriate completion and effectiveness of management's action plans.


This standard emphasises that our methodology for verifying management actions should incorporate at least three key activities:


1. Inquiring about Progress:

The first step involves engaging with management to understand the journey of implementation. This isn't just about ticking boxes; it's about gaining insight into the "how" and "why" behind the progress. As the standard suggests, this can involve:

  • Reviewing status reports: These provide a formal overview of progress against timelines.

  • Attending project meetings: This allows for real-time updates and the opportunity to ask clarifying questions.

  • Conducting informal check-ins: Regular communication, even informal, can help identify potential roadblocks early on.

Our experience tells us that proactive communication fosters a collaborative environment and allows us to understand management's perspective and any unforeseen challenges they may have encountered.


2. Performing Follow-up Assessments Using a Risk-Based Approach:

This is where we move beyond simply asking and delve into verifying the actual implementation and its impact. The standard rightly emphasises a risk-based approach. This means that the extent and nature of our follow-up assessments should be proportionate to the significance of the original finding and the complexity of the implemented actions.

For high-risk findings, a more rigorous and in-depth assessment will be necessary. This might involve:

  • Re-performing the original tests: This allows us to directly assess if the control is now operating effectively and the risk is indeed mitigated. For example, if our initial audit found segregation of duties issues in accounts payable, we might re-perform a sample of invoice processing to confirm the new controls are in place and functioning as intended.

  • Testing the design and operating effectiveness of newly implemented controls: When management introduces new controls, we need to evaluate if these controls are designed appropriately to address the risk and if they are being applied consistently in practice. This could involve walkthroughs, observations, and testing of the control activities.

  • Analysing relevant data: Data can provide objective evidence of the effectiveness of management's actions. If a recommendation aimed to improve the efficiency of a process, we would analyse key performance indicators (KPIs) before and after implementation to assess the impact.

  • Conducting interviews with relevant personnel: Speaking directly with those impacted by the changes provides valuable qualitative insights into the practical application and effectiveness of the implemented actions. It can highlight any unintended consequences or areas where further refinement might be needed.

Our experience highlights that a thorough follow-up assessment goes beyond simply confirming that an action has been taken. We must determine if it has had the intended effect on mitigating the original risk.


3. Updating the Status in a Tracking System:

Maintaining a robust tracking system is crucial for effective monitoring and reporting. As the standard outlines, this system should capture key dates, responsible parties, and evidence of completion for all management actions. This provides a clear overview of progress and helps us to:

  • Monitor progress effectively: Easily identify actions that are on track, delayed, or completed.

  • Identify overdue actions: Prompt timely follow-up on outstanding items.

  • Provide a basis for communication: Facilitate clear and concise reporting to the board and senior management on the status of risk mitigation efforts.

Our practical experience underscores the importance of a well-maintained tracking system in ensuring accountability and transparency in the action plan implementation process.


Addressing Delays and Inaction:

The IIA standard also provides clear guidance on situations where management has not progressed according to agreed timelines. In such cases, we are obligated to:

  • Obtain and document an explanation from management: Understanding the reasons for the delay is crucial.

  • Discuss the issue with the Head of Audit (HOA): The HOA plays a pivotal role in evaluating the implications of the delay.

The HOA is responsible for determining whether senior management, by delay or inaction, has accepted a risk that exceeds the risk tolerance. This is a critical judgment call that may necessitate further escalation and discussion with the board.


Beyond Completion: Assessing Effectiveness

It's paramount to remember that our verification efforts extend beyond simply confirming that an action has been completed. We must rigorously assess its effectiveness in mitigating the original risk gap. This requires critical thinking and the application of appropriate audit procedures, as outlined above.


In Conclusion:

Verifying management actions is not a mere administrative task; it is an integral part of the internal audit lifecycle. By diligently applying the principles outlined in the IIA standards, including inquiring about progress, performing risk-based follow-up assessments, and maintaining a robust tracking system, we can provide valuable assurance to the board and senior management. Our goal is to ensure that identified risks are effectively addressed, safeguarding the organisation's objectives and contributing to its overall success.

© 2025 by ASD Consulting
