Blog: The Fallacy of Follow-up Audits
In his blog, IIA President and CEO Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. Here’s an excerpt from his latest post:
During my early years in the profession as a young internal auditor, I was always proud of my reports, particularly the findings and recommendations. So, issuing a new audit report was cause for celebration. But nothing was more demoralizing than when I would invariably undertake the required follow-up audit only to discover that my carefully crafted recommendations or management action plans were never implemented. After all, management had agreed to the proposed corrective actions (or had proposed their own corrective actions) to rectify problems identified in my audits. So, why did they fail so often to follow through?
There were always plenty of excuses from management when the follow-up audits disclosed that “problems had not been corrected”:
- “We underestimated the complexity of the action we agreed to take.”
- “We didn’t realize how long it would take to implement the promised actions.”
- “Circumstances changed, and the actions agreed are no longer valid.”
- “It turned out we didn’t have the resources to correct the problems.”
- “The dog ate our homework, etc.”
I eventually grew to dread follow-up audits, because the results were so often disappointing. When I became a chief audit executive (CAE), I seriously questioned the value of follow-up audits altogether. I found them to be rarely an efficient use of internal audit resources. After all, which generated the greatest impact for the organization: forging into new, high-risk areas, or revisiting areas where we dedicated resources only a few months before? Even when we found everything had been corrected, I felt that my limited resources could have been better deployed.