Is audit finding follow up required?
Well, it depends on which standards you are following, who you are auditing, and what your audit objective is. This is one place where audit standards DO NOT align (unlike Jupiter and Mars in the Age of Aquarius), so make sure you know what is required for your audit.
Here are three scenarios regarding audit finding follow up for you to consider:
1. Performance auditors following GAGAS
2. Single Auditors following the Uniform Guidance
3. Internal auditors following the IIA standards
Audit finding follow up for GAGAS Performance Auditors
Performance auditors following Yellow Book standards use the results of previous engagements to shape their risk assessment. Only if the findings are relevant to their audit objective should performance auditors consider prior year findings in their audit planning.
Here is what the GAO says about the results of previous engagements in Chapter 8 of the Yellow Book:
8.30 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.
So, if the report is entirely unrelated to your subject matter or audit objective, you don’t have to read it, find out whether the client has taken action, or integrate it into your audit planning. For instance, if you are performing an audit of the school lunch program, you don’t have to worry about the study completed last month by the internal auditor regarding the safety of the gym!
Audit finding follow up for Single Auditors
No, I’m not talking about your marital status (although you really should put a ring on it!) – I mean auditors who are conducting the Single Audit – which is an audit conducted on grantees on behalf of federal grantors. The federal grantors designed the parameters of the audit and they definitely want you to follow up on prior year findings. As a matter of fact, the grantee (auditee) is required to create a special summary schedule of prior year findings for the grantor and the auditor is responsible for assessing the truthfulness of this summary.
Here is some of what the Uniform Administrative Rules, Cost Principles and Audit Requirements for Federal Awards says:
Uniform Guidance 200.514 (e) Audit follow-up. The auditor must follow-up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511(b), and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor must perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.
So in this case, even if the audit finding is not relevant to the auditor’s current objectives (let’s say the auditor chooses to audit a different grant than last year), the auditor is still required to follow-up because the grantor wants to make sure that all findings are resolved.
Audit finding follow up under IIA standards
Under IIA standards, internal auditors are required to keep track of findings and assess whether management’s actions to resolve the findings are reasonable. Because management is ultimately responsible for their programs, management can decide if they want to accept the risk brought to their attention by the findings or they can decide to act to reduce risk. If the internal auditor feels that management’s choice regarding how to handle the finding is unreasonable, they need to report their concerns to the board.
Here is what the IIA standards say:
IPPF 2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
IPPF 2600 – Communicating the Acceptance of Risks: When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
Why is follow up necessary?
Remember that time you were presenting an audit finding recommendation at the exit conference and the auditee, gazing at you with tears of gratitude streaming down their face, said, “Just stop, you had me at hello”? Yeah, me neither.
And even if you did have them at “hello,” there are a multitude of bureaucratic, institutional, even personal barriers to action, which may impede the implementation of audit finding recommendations, even those that scream, “No Brainer!”
That is why under IIA standards and Single Audit requirements we auditors keep encouraging (nudging, harassing?) the auditee to implement the action plan they agreed to implement.
Summary: from stringent to flexible
As you can tell, this is one place where the audit standards DO NOT align. So make sure you know which standards you are following and what you are required to do.
Let me summarize the requirements regarding audit finding follow up from the most stringent to the most flexible for our three scenarios:
- If you are working for a federal grantor conducting the Single Audit, you must follow up.
- If you are an internal auditor, you create a system to follow up but can’t force management to comply with recommendations.
- And if you are a performance auditor using Yellow Book standards, you take management’s actions regarding audit findings from prior years into account when planning your engagement only if the findings are relevant to your current audit objective.
If you are in that unique situation where you have to follow two sets of standards at the same time, I recommend that you follow the more stringent standard!