On the Frontlines: Are Your Corrective Action Plans SMART?
Gabriel Fabiyi, CIA, CISA, CDPSE, CA | Aug 06, 2024
Audit observations and recommendations are not very effective without corrective action plans that address the identified control vulnerabilities. Putting these plans into action promptly is crucial to effective enterprise risk management. Corrective action plans that are delayed, partially implemented, or not followed at all could lead to injury, financial loss, compromise of sensitive data, litigation, brand erosion, and reputational damage to the organization.
Has this ever happened to you? You spend eight weeks completing a risk-based audit engagement that includes the testing of 10 key controls and several stakeholder interviews. However, you realize to your frustration that audit clients are not completing corrective action plans. How do you move forward from here?
It could be an issue of how SMART (Specific, Measurable, Achievable, Risk-based and Time-bound) your plans are. Many people use a version of the SMART model (in other uses, the ‘R’ is for ‘relevant’) for their performance goals, but not everyone is familiar with using it to create audit management action plans. Using the SMART model to develop corrective action plans will prevent implementation deadlock.
Management Action Plans SMART Model
S-Specific: This addresses “what” is to be done. The corrective action plan must be identifiable, relatable, unambiguous, and sufficient to address the control gap or risk. For instance, “The chief information officer will create and communicate an acceptable use policy for mobile devices to all employees to prevent unacceptable uses of corporate phones and electronic devices.”
M-Measurable: This covers the “how” features of the action plan, which should be reliable, properly documented, and easily verifiable by the auditor and other stakeholders. There must be a way to measure the proposed control. Work not documented is work not done — and work that cannot be correctly measured.
A-Achievable: This is the second “how.” Action plans must be actionable and not vague. Consideration must be given to available resources, budget, and internal capacity to attain the control action. Resources are evaluated, action plans are assigned to a responsible stakeholder, and expectations are set as part of job functions.
R-Risk-based: This could be described as the “So what?” Action plans must be proportionate to the identified risk, and the cost of implementing the control must not greatly exceed the cost of the risk. Applying an agile business approach and considering the materiality of the observation and existing controls is crucial. It is also important that the plans are prioritized based on addressing the higher risk items first.
T-Time-bound: This is the “when.” For instance, “The director of human resources will create and communicate information on the non-disclosure policy and obtain employee attestations by Q3, 2024.” The timeline for the plan must be reasonable and capable of addressing the risk.
Beware of Setbacks
Here are some variables that can cause setbacks in action plans:
Insufficient management buy-in. A corrective action plan may be greatly impaired if there is no or low strategic stakeholder buy-in. Internal auditors should inform, consult with, and seek the approval of key stakeholders.
Inadequate validation meetings. It is essential to conduct periodic validation meetings to discuss gaps, control weaknesses, and potential risks with relevant stakeholders at each audit phase. This helps clear any ambiguities and avoids future pushback or disagreement. It also helps to identify roadblocks or constraints that could jeopardize timely completion of action plans.
Lack of agile solution mindset. Working to mitigate risks, even before the end of the audit, could prevent further risk impacts and reduce the severity of losses, rather than waiting until the reporting or follow-up phase.
Suboptimal audit observations. A corrective action plan developed for an observation may be ineffective if the audit finding is insufficient, irrelevant, unreliable, or biased and adds no value to the business.
Inadequate communication and follow-up. An audit report should be sent to stakeholders with the authority to influence the implementation of action plans. Continuously tracking progress, sending periodic reminders, and submitting outstanding and past-due reports to relevant stakeholders (C-suite, audit committee) will help eliminate setbacks.
Internal audit professionals should adopt a forward-thinking approach, ensuring that management action plans are SMART. This approach involves thorough planning, meticulous execution, comprehensive reporting, and diligent post-audit follow-up. Embracing an agile mindset throughout the audit engagement lifecycle and following a SMART model for management action plans is crucial to preserving the value of internal audit within an organization.