This section outlines the policy and procedures for follow-up of recommendations in audit reports issued by Internal Audit.
Policy and Procedure
A Recommendation Implementation Status Summary (RISS) document will be created by the auditor and sent to the audited department 90 days after the final audit report date for any audit recommendations not yet implemented. The RISS lists outstanding audit recommendations and is to be addressed to the individual(s) whose responses are reflected in the final audit report. In the RISS, addressees are asked to provide the status of the open recommendations, provide targeted implementation dates, or descriptions of alternative actions implemented or planned. The completed RISS documents are saved in the audit work paper folder on the audit shared drive.
The RISS Procedure
- A Recommendation Implementation Status Summary (RISS) document will be created by the auditor and sent to the audited department based on implementation dates stated in the final audit report, or if no dates exist, 90 days after the final audit report date for any audit recommendations not yet implemented. The RISS lists outstanding audit recommendations and is to be addressed to the individual(s) whose responses are reflected in the final audit report. In the RISS, addressees are asked to provide the status of the open recommendations, provide targeted implementation dates, or descriptions of alternative actions implemented or planned. The completed RISS documents are saved in the audit work paper folder on the audit shared drive.
The RISS procedure is as follows:
For each audit report issued, auditors will:
- Record final audit report dates in the audit log,
- Record summarized audit issues and management action plans in the Audit Issue Tracker on Internal Audit’s shared drive;
- A designated auditor (or if not available, another Auditor assigned) will prepare the RISS document. An auditor on the engagement will send out the email to the addressees on the audit report. The addressees are instructed to add the current status of their action plans on the RISS document and return it to the Internal Audit Department within 30 days.
After the completed RISS document is received by Internal Audit, the Auditor updates the Audit Issue Tracker spreadsheet with the current status of recommendations and indicates whether the recommendations are still open, in-process, or closed. The Auditor discusses with the Manager/Director if planned or implemented actions or the respective timeline have changed significantly from what was included in the audit report.
- For any unimplemented recommendations, the auditor will continue following up by resending a RISS form containing the unimplemented recommendations based on new implementation date information.
- Due dates, aging, and completion dates of RISSs are tracked in the Audit Issue Tracker spreadsheet on the shared drive, and periodically by the Managers and Director. In addition, a summary of outstanding recommendations, focused on long outstanding items is prepared at least annually for the manager’s and Director’s review and approval.
- Significance of reported issues, timeliness of corrective actions and other factors are considered in determining whether follow-up audit procedures will be performed to validate the implementation of recommendations or acceptable alternative actions. Any such procedures planned will be scheduled in the audit plan by the Director (current or subsequent period).
- Significant recommendations that have not as yet been implemented after one year are reported to the Audit Committee of the Board of Trustees at least annually, generally in the December and/or May meetings. (Significant items arising in current year audits are also reported in the “results” section of the May Audit Committee meeting).