IN A PERFECT WORLD, AUDIT CLIENTS would implement internal auditors' recommendations after every engagement, leaving no doubt as to the status of prescribed actions. But in the real world, of course, competing priorities, budget limitations, and other factors often prevent clients from putting recommendations in place. Significant risks may remain unaddressed, exposing that particular area - or even the whole organization - to potential harm.

According to The IIA's Performance Standard 2500: Monitoring Progress, the chief audit executive (CAE) needs to establish and maintain a system that monitors the status of audit results. An advisory associated with this standard, Practice Advisory 2500.A1-1, further states, The [CAE] should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action."

To comply with professional standards, then, audit departments need to perform follow-up work. But how formal should the process be? What documentation should be created, and to whom should the results be communicated? How often should follow-up occur? Although these are all questions the CAE must answer, auditors at every level of the department also need to understand the process in the event they are enlisted to participate in follow-up engagements.

PERFORMING THE ENGAGEMENT

An auditor's follow-up procedures should be tailored to the circumstances and culture of the organization (see "Organizational Culture" on page 24). In a more formal culture, the auditor would begin by sending both the department manager and upper manager an announcement before the follow-up engagement. The announcement typically would explain what action plans are still open since the last follow-up, the status of those action plans (i.e., not yet due, past due), and the impact of issues associated with the action plans (i.e., high, moderate, low). The department manager's announcement could be issued in letter form, listing the manager's open issues and action plans as well as any associated impact, whereas the upper management announcement could be presented...