For internal auditors out there, do you perform post-audit reviews as part of your QAIP? If so, do you require action plans from your team members to resolve any gaps or improvement opportunities?
Thanks Stephen!
Yes, we do perform post-audit reviews to the IIA standards as well as our internal policies and procedures. We have two categories of gap identification: findings and comments. Findings are more severe and would require the team to go back into the file and address large gaps in scope, documentation, etc. These findings always have an action plan that is tracked in our GRC tool. For comments, these are mostly items that we want to point out for future reference but do not require action plans or for the team to make changes to the archived audit file.
Thanks Emily! Currently, we don't require the team to fix the large gaps. We just summarize the gaps in our lessons learned database. But I believe for large gaps they should fix them.
Short answer is yes. Post-audit reviews are performed by an independent team on a sample of audits. Actions to resolve any gaps are agreed and tracked to resolution. The approach to action plans about improvement opportunities is probably less mature.