Internal auditors strive to identify audit issues and report them to the Governing bodies/Audit Committees, however, many times such issues are placed on the back burner by the Governing authorities as time elapses and new priorities emerge. This situation arises primarily when there is lack of sustainable monitoring or tracking of the implementation progress of prior audit issues. What really matters in this situation is that identified significant risks and root causes remain unmitigated and thereby presenting surprises in future. Specially when prior audit issues are sensitive like fraud risks or potential red flags that could cause significant damage to the reputation of the company. Technology is generally a black box for the senior most management and if prior audit issues around technology – authority/access controls are not addressed they could result in material weaknesses impacting the financial reporting of the company.
SIA 390 issued by ICAI
Internal audit practitioners are now guided by the new Standard on Internal Audit (SIA) 390, “Monitoring and Reporting of Prior Audit Issues” framed by the Institute of Chartered Accountants of India. This standard deals with the responsibility of the Internal Auditor in monitoring and reporting of prior audit issues, usually in the form of an “Action Taken Report (ATR) of previous audits”.
The scope of this standard applies to all prior internal audits where audit issues remain open, pending the implementation of audit recommendations within pre-agreed timelines. The term “Monitoring and Reporting” used in this Standard refers to the periodic tracking of issues raised during prior audits and evaluation of the corrective actions undertaken by the auditee to resolve them and to report any open and pending matters to the management and those charged with governance (e.g. Audit Committee).
This standard is yet not notified by the Council of ICAI and therefore is recommendatory at this stage. The standard has recommended automating the process of follow up and monitoring the progress of implementation of prior audit issues so that all concerned parties are alerted continuously. The standard spells out that the primary responsibility of implementing the prior audit issues is with the management of the company, however, the Chief Audit Executive is responsible for developing a formal tracking program
Monitoring and Reporting of Prior Audit Issues is a matter impacting Corporate Governance and part of direct responsibilities of Board of Directors
1. Continuing internal control deficiencies: – Once audit issues have been identified and reported they need proper closure with satisfactory audit evidences. If satisfactory and timely closure is not achieved, may result in continuing internal control deficiencies leading to major surprises such as Frauds and Errors.
2. Process maturity and capacity building: – Internal auditing is about building process maturity and aligning the culture of the organisation to an acceptable level of conduct. If previous audit issues are not tracked for timely closure by those charged with governance,it directly reflects on the Board’s responsibilities.
3. Budgeting for Corrective actions: – Where monitoring and tracking of open risks is not carried out it may be difficult for the organisation to develop a resourcing budget to effect the corrective actions as most of the recommendations made by internal auditors for example; would lead to changes in configurations of systems, investment in learning and development initiatives, formulation of procedures and so forth.
Chief Audit Executive is duty bound to monitor and report prior audit issues that are open and unresolved especially sensitive and high-risk items. The Chief Audit Executive can present the rate of implementation as an efficiency measure to the Audit Committee/ Board.
The Chief Executive Officer and Chief Financial Officer who certify the adequacy of internal financial controls are duty bound to track and monitor the implementation of prior audit recommendations.
Monitoring and satisfactory closure of prior audit issues implies that the management understands the impact of open risks items and by taking timely corrective actions assures stakeholders that they are fully committed in effectively managing such risks. Further, in timely closing of open prior audit issues the management sends a clear message that they are acting within the risk appetite of the company.