Following Up on Internal Audit Reports at GO

Following Up on Internal Audit Reports (non-financial corporates)
by Ingrid Azzopardi/Eugenio Privitelli

INTERNAL AUDIT TOOLS
Executive summaries
Use of presentations
Identify and communicate best practice
Timely reporting
Grading of audit reports
Agree findings and action plan with auditee
Follow up on recommendations
Practice Advisory 2500 - Ingrid Azzopardi/Eugenio Privitelli
INTERNAL AUDIT APPROACH
• Constructive Appraisals: Blanket criticism is not seen to have a role
within IA. The long-term objective is to support management as far as
possible by taking a reasonable view of their efforts and any constraints
that they might face.
• Teamwork Approach: The IA and management function as a team. This
approach brings audit closer to a consultancy role.
The Group’s Internal Audit Charter states that Follow-ups will be conducted
after a period from the date of the audit report which will vary according to the
requirements of each particular audit.
• Follow-up to determine the stage reached in the implementation of the
recommendations.
• Management is responsible for deciding the appropriate action to be taken in
response to reported audit findings.
• Internal Audit is responsible for assessing the management action and the
timely resolution of the matters reported as audit findings.
• Depending on the degree of recommendations implemented, Internal
Auditor will decide whether or not another follow-up is warranted.
Audit Reporting
• Draft report comprising the audit conclusions is discussed with the
Auditee during the exit meeting.
• Auditee is invited to comment on the recommendations made and to
give dates by when same recommendations will be implemented.
• Both the Auditee and the Chief Officer responsible for the audited
area need to sign off the report.
Sample Reporting

Risk No 1
Key Function / Risk Classification: OPERATIONAL / Revenue Control / Front Office Reservations / Operational
Detailed Risk: Front office staff, although allocated individual floats, are still making
use of a shared float of Czk 100,000.
Likelihood of Occurrence: Medium
Risk Impact: Low
Controls: Medium
Report Reference: SECTION 3.1 PAGE 32

Risk No 2
Key Function / Risk Classification: Front Office - Pay Masters / Financial
Detailed Risk: Although the number of Open Pay Masters appears to be under
control, there are a couple of pay masters that need to be analysed
and closed immediately given that they date back a couple of
months (May - August): PM 9033 Kom nearmere; PM 9037
ANSA; PM 9039 MF Society Cyprus; PM 9204 - Kulicevskis
Nikita; PM 9209 - Kontra.
Likelihood of Occurrence: Low
Risk Impact: Low
Controls: Medium
Report Reference: SECTION 3.1.1 - PAGE 36

Risk No 3
Key Function / Risk Classification: Revenue Control / Rebates / Financial
Detailed Risk: The rebates process needs to be revised given that current
rebates/adjustments are not properly backed up with the
appropriate documentation justifying individual transactions, nor are
these being fully cross-checked by FO Management / Night
Auditor and Income Auditor.
Likelihood of Occurrence: Medium
Risk Impact: Low
Controls: Medium
Report Reference: SECTION 3.1.2 - PAGE 37

Risk No 4
Key Function / Risk Classification: Revenue Control / Cashier Spot Checks / Financial
Detailed Risk: Cashier spot checks are not being conducted within the hotel
outlets on a regular and random basis.
Likelihood of Occurrence: High
Risk Impact: High
Controls: Low
Report Reference: SECTION 3.1.4 - PAGE 38

Risk No 5
Key Function / Risk Classification: Night Audit / Rate Check / Operational
Detailed Risk: All guests in-house should have the rate checked against the actual
contracted rate, irrespective of whether it is a group or third party booker or
direct payment.
Likelihood of Occurrence: High
Risk Impact: Medium
Controls: Medium
Report Reference: SECTION 3.1.5 - PAGE 38
Sample Reporting – Response Date
Audit Follow-Ups
• Carried out to determine the stage reached in the implementation of
the recommendations after a period from the date of the audit
report.
• Audit will assess the action taken by management to implement the
recommendations contained in the audit report.
• Once Follow-up is conducted, depending on the degree of
recommendations implemented, a decision is taken by Audit on
whether or not another follow-up is warranted.
Auditee’s Responsibilities
• In keeping with the commitment of the Group to optimize the
benefits of Internal Audit, the following policy will apply:
• Managers in whose areas of responsibility shortcomings are
revealed are fully responsible for ensuring that prompt corrective action
is taken.
• Commitment to such corrective action will be included in the final
audit reports so that the CEO and the Audit Committee can assess the
adequacy of the corrective action taken or planned.
Sample Reporting – Auditee Response
Discussion of Recommendations
• Should any shortcomings or observations come to light during the Audit
Fieldwork, immediate action is taken by the Auditor to draw the attention of the
Auditee and to try to work out a better way of enhancing the controls in the
area, or to come up with recommendations to enhance the efficiency and
effectiveness in the audited area.
• The element of surprise is eliminated
• Auditee is kept aware of the findings as the Audit proceeds
• Discussions are entered into to come up with the best recommendations to
address the particular situations.
• Recommendations brought up by the Auditees themselves stand a better chance
of getting implemented timely as the Auditees will own those recommendations.
At the Exit Meeting
• Report discussed with the Auditee and his superior.
• Recommendations need to be assigned an owner, and the latter needs to give his
comments in relation to that recommendation.
• Auditee will also need to confirm if he agrees or not with that recommendation
and if in the affirmative he needs to give a date by when that recommendation
will be implemented.
• Depending on the committed implementation dates by the Auditee, the follow-up
date is determined, but this is usually after six months.
Recommendations
Ratings of Recommendations: Minor, Medium, Major
• All recommendations are followed up at the time of the follow-up. However,
in the case of major recommendations, these are considered as Key
recommendations and are followed up on a monthly basis and reported upon,
at the same frequency, to the Audit Committee.
Follow-Ups
• At the First Follow-up all recommendations which had been agreed upon at the Exit
Meeting are followed up and checked to determine the stage reached in their
implementation.
• Various types of testing may be performed to verify implementation. This depends on
the recommendation itself.
• Auditee may be required to provide evidence to prove implementation of
recommendation by showing documentation leading to the implementation of the
recommendation.
• At times IT systems may need to be used to determine implementation and at other
times data analytics.
• The important thing is that the Auditor is convinced through the audit evidence available
that the recommendation has been implemented.
• It may however be the case that some of the recommendations are not found
implemented. These may be found to be partially implemented, being addressed or not
implemented at all. In other instances it may be the case that the Auditee has decided
otherwise on a recommendation and may no longer agree with its implementation, in
which case the Auditee will need to provide the necessary arguments which need to be
documented in the Follow-up report to be issued.
Additional Follow-Ups
• Why?
• Who Decides?
• When?
• Is there a need to re-assess recommendations
found implemented in previous follow-ups?
• How many Follow-ups are required?
• What if a key recommendation remains pending?
Following Up on Internal Audit Reports (Banks)
by Anna Camilleri/Jackie Aquilina
Standard 2500 considerations: Bank A and Bank B

The types of observations monitored
Bank A: Observations rated as High or Medium risk are reported formally as
findings to management. Management is informed of low risk findings outside
of the audit report. Agreed actions to address High and Medium risk
observations are monitored.
Bank B: Findings are assigned a Low, Medium or High Risk in the report drawn
up to Management and to the members of the Audit and Risk Committee, to
ensure that all recommendations are implemented.

How and with what frequency the status of outstanding corrective actions is determined
Bank A: Each agreed action with management is set a target date for
implementation. Internal Audit monitors the status of outstanding corrective
action on an ongoing basis.
Bank B: The entity is given 6 weeks for implementation of recommendations
put forward. If any issue is still outstanding, a dispensation is sought from
the CEO with a target date when this is expected to be finalised.

The level of automation and detail
Bank A: The internal audit process is fully automated through the use of the
MetricStream tool. Automation also covers the audit findings reporting
process and the monitoring of implementation of agreed action points.
Bank B: The process is not automated but closely monitored by the Internal
Audit department.

When internal audit independently confirms the effectiveness of corrective actions
Bank A: Internal Audit confirms the effectiveness of corrective actions once
implemented. Confirmation of implementation is recorded by management on the
automated tool. Management also attaches evidence supporting implementation
of action on the tool. Internal audit sample tests the effectiveness of the
enhanced controls implemented.
Bank B: The Head of Department/Manager of entity confirms that all findings
have been implemented. Internal Audit then carries out sample checks on
findings raised to ensure that these had in fact been done. In rare cases,
should these not have been effected, these are in turn reported to Senior
Management/Audit and Risk Committee.

Integrated internal audit management
tool that enables:
• The conversion of audit reports into
audit findings and management
action plans for tracking
• Automated tracking of due actions
through the sending of reminders
(emails) to management and internal
audit
• Status of action at periodical
intervals is recorded by management
• Allows for the upload of information
and documentation supporting the
implementation of corrective action
taken
• Action status is tracked – open,
closed by management, closed by
audit etc.
• Facilitates the generation of status
reports for tracking purposes

The frequency, style and level of reporting performed
Bank A: Internal Audit formally reports on status to a risk management
committee. The status of corrective actions is also reported quarterly to the
Audit Committee, with particular emphasis on any overdue actions. Reporting
typically includes an analysis of actions that are within their target
implementation dates and those which are overdue, as well as status of
corrective action.
Bank B: Every two months Internal Audit reports to the Audit and Risk
Committee on progress regarding audits which have not yet been closed,
together with outstanding dispensations. Any overdue actions are examined and,
if a reasonable explanation is given for the delay, a further extension for
implementation is obtained from the CEO.

Information tracked and captured for outstanding observations
Bank A:
• Observation communicated to management and its risk rating
• Agreed corrective actions and target date
• Owner of each action point
• Status of corrective action – on plan, overdue, closed by management, at
audit for validation, closed by audit
Bank B: These are regularly monitored and tracked by the Internal Audit with
respective dates for implementation. Updates are relayed to the Audit and Risk
Committee every 2 months.

Following Up on Internal Audit Reports (Internal Audit & Investigations Department (IAID))
by Kenneth A. Farrugia
Chapter 461 – Laws of Malta
Internal Audit & Financial Investigations Act
Article 14(1): The Director shall, as soon as may be, after
concluding a financial investigation or an internal audit,
transmit a report thereof to the Permanent Secretary
under whose supervision the auditee falls. The Director
may also transmit a copy of such report to the auditee.
Article 14(2): Within one month of receipt of such report,
the Permanent Secretary shall give such instructions to
the auditee as may be necessary to remedy any
shortcomings, and shall inform the Director accordingly.
Article 15: The Director shall conduct such follow-up
reviews as may be necessary after an internal audit
and financial investigation.
Follow up reviews are included in the Yearly Internal Audit Plans.
The plans are approved by the Internal Audit & Investigations
Board.
Follow up reviews are carried out in order to determine the
extent to which recommendations put forward in audit reports
were implemented by Management.
The Follow up review report will highlight actions not
implemented and any other observations noticed during the
follow up review.
As from Year 2016, the Internal Audit & Investigations Department (IAID)
commenced to conduct a follow up review on all recommendations emanating
from the NAO Annual Report – Public Accounts. The Internal Audit &
Investigations Board approved that such follow up review is conducted on an
annual basis.
https://opm.gov.mt/en/PublicService/Documents/Action%20on%20the%20NAOs%20Annual%20Report%202014.pdf