Part II Sec D1, 9) Monitoring/Follow-Up of Disposition of Engagement Results
b) Types of Follow-Up Procedures
  - The process owner is responsible for following up (weakest form of audit evidence)
  - The auditor conducts a targeted follow-up review (targets only high-priority action items related to significant risks)
  - The auditor conducts a follow-up audit (the strongest evidence)
c) Determining Appropriate Follow-Up
  The type of follow-up procedure to use, and its specific scope, may be affected by:
  - Significance of the reported observation/recommendation
  - Degree of effort and cost needed to correct the reported condition
  - Impact that may result should the corrective action fail
  - Time period involved
d) Securing Action (focused on the issue of audit follow-up)
  - Is the recommendation still valid?
  - Were the recommendation's objectives met by an alternative approach?
  - Is there anything else that can be done to change management's mind about implementing the recommendation?
  - Should implementation of the recommendation be delayed?
  - Is the recommendation key to resolving issues of control in this area?
  - Can the recommendation be revised to make it more achievable, and therefore more palatable to management?
e) Conducting Follow-Up
  Gather data to confirm the status of the recommendations made to management.
  Internal audit's goal is to confirm that:
  - corrective action is in progress
  - the action is focused on the root cause
  - benefits are accruing to the area and to the organization
  - benefits and savings are measured
f) Documenting Progress
  - Progress made -> document it
  - Progress not being made -> document the reasons, then:
    -> talk through the issues with management
    -> develop alternative approaches
    -> conduct additional follow-up monitoring
g) Reporting Adequate Management Corrective Action
  Once the CAE has determined that management's corrective action is adequate or inadequate, the CAE submits periodic activity reports (which include the results of the monitoring activities conducted to follow up). These reports state:
  - the need to continue monitoring
  - the ability to cease monitoring
  - that an issue is declared resolved (monitoring engagement items are removed)
  -> Document the monitoring plan's results specifically; the criteria may be qualitative or quantitative.
a) Responsibility of the CAE to Monitor Engagement Outcomes
  The audit report produces recommendations -> the CAE establishes procedures to ensure that management responds to those recommendations.
  Information tracked and captured:
  - observations and their risk to the organization
  - nature of the agreed corrective actions
  - timing of the corrective actions
  - management/process owner responsible
  - current status of corrective actions, and internal audit's confirmation of that status
6) CAE Responsibility for Assessing Residual Risk
  Steps for internal audit:
  - Address residual risk: is it acceptable within the organization's risk appetite (system of internal control)?
  - Evaluate and determine whether additional cost-effective controls should be implemented.
  - Discuss the matter with senior management.
  - If the matter is not resolved, the CAE communicates it to the board.
  Management must consider other options:
  - transferring part of the uncontrolled risk to a willing, independent third party through insurance or outsourcing
  - sharing the uncontrolled risk
  - accepting a higher level of risk and adjusting the risk appetite
  - determining whether or not to continue the activity
7) Communicating Risk Acceptance
  An internal audit observation of a significant risk to the organization -> requires a prompt and effective management response.
  If management does not respond (or is unwilling to) -> escalate the matter to senior management / the board.
8) Assessing Engagement Outcomes
a) Planning
  Planning is key to success in monitoring the outcomes of engagements.
  The monitoring plan is based on:
  - Who monitors? Internal audit / a cooperating party
  - What will be monitored? The recommendation -> it must be measurable and observable
  - How will the monitoring be accomplished? Ongoing monitoring / a follow-up engagement
  - When will monitoring be conducted? Time frame (urgent matter: immediately; complex solution: by stage)
Issue-Tracking Systems
  - scheduling software (records follow-up periods for each engagement)
  - automated system (automatic schedule reminders)
  -> To ensure that follow-up is conducted on the agreed-upon schedule
Monitoring Procedures
  - Specific monitoring procedure -> predetermine a threshold against which to evaluate (COSO - monitoring)
  - Common approach -> sampling
Residual risk: the level of risk that remains after management executes its risk responses.
Follow-up: a process by which internal audit assesses the adequacy, effectiveness, and timeliness of actions taken by management.