After reporting on the agreed-upon action between the internal auditor and client within the specified timeline, the recommendation of the auditor should be reported as closed. Risks identified during the audit process should have been mitigated and residual risks now should be at a manageable level.
2. Highlights Management's Satisfactory Performance
The internal auditor is encouraged to report satisfactory performance observed during the audit review. At the follow-up stage, tests performed by the auditor on the effectiveness of the corrective action that was implemented should highlight management's treatment of the risks that were identified. This action reassures senior management about risks mitigation as well as provides an appreciation of the repair work of the audited department.
3. Underscores Audit's Value
The corrective action (recommendations) proposed by the internal auditor, agreed on by the client, and eventually implemented underscores the auditor's value in the process. This is the stage where the quality assurance aspect of the audit process emerges, certifying the effectiveness of all the work done in the four preceding stages of planning, performing, communicating, and monitoring.
Many internal audit functions — especially small and mid-sized departments — find it difficult to perform follow-up reviews. Staffing constraints and sudden management requests take a toll on an already-full schedule. The main focus is getting the approved annual audit plan completed before year-end.
The internal audit function is a major player in effective corporate governance, and we must make it mandatory to allow management to rely on our activity. Follow-up reviews bring full circle the effectiveness of the work that internal audit started.