When I first became a chief audit executive (CAE), I did what pretty much everybody did: instituted a periodic process to follow up on the status of management action plans.
After all, the IIA Standards say (2017 version):
2500 – Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Since my team issued a lot of audit reports (more than 100 per annum), this became a significant activity to the point that I put it on the audit plan and issued audit reports with the results.
This was fine until I presented the status of management actions at an audit committee meeting. This is roughly what happened as I answered questions from the directors:
Q: Does this represent what you believe is the current status of action plans?
A: It represents what management is telling me the current status is.
Q: Does that mean it might be incorrect? Have you audited the status they report?
A: It is possible, but I have no reason to believe their reported status is incorrect. We have not audited the status of every action…