Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?

Management is responsible for the system of internal control as well as for managing risk.
Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.

So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?

Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change are bearing fruit, but it is an indication that management takes internal control and the management of risk seriously.

The primary reason that internal audit monitors the completion of action items is that “We have always done it this way.” But that’s not an acceptable answer.

The better answer is that internal audit has the record of all the action items, so it’s easier for them to monitor completion and report progress.

I can recall one audit committee insisting that management needed to take over the responsibility for monitoring action items and reporting on their progress. But, however much I wanted to just pass the ball and say “it’s all yours,” in practice I still needed to support management by providing schedules that included all the action items.

When we had an enterprise risk management program, I wanted to shift the tracking of action items to the risk management team. After all, each of the internal audit issues elevated the level of one or more risks and those risks would not return to acceptable levels until the actions had been completed. Unfortunately, that seemed to be something the risk management team couldn’t handle with their systems and processes.

Technology has come to our rescue.

Technology Now Helps in the Management of Action Items

These days, the completion of action items can be assigned an owner in management. Notices can be sent automatically when the due date for completion is approaching, the owner can report completion or set a new completion date (with exception reporting sent to more senior management, risk management, and internal audit notifying them of the delay), and reporting of action item status is also automated.

Furthermore, this can all be done within the risk management system and managed by the risk management team.

When a risk owner wants to see why a risk remains outside acceptable levels, he or she can drill down and see the outstanding action item.

Technology can’t solve all the problems facing internal audit and risk professionals. But ensuring timely completion of action items is a lot easier these days!