After each audit has concluded, ARAS conducts quarterly follow-up procedures on open audit items/management action plans. The high-level process is detailed below.
We conduct follow-up procedures in accordance with the following general timeline:
| Quarter / Board Mtg | Obtain Client Status |
|---|---|
| 1Q / November BOT | 9/1 |
| 2Q / February BOT | 12/1 |
| 3Q / April BOT | 3/1 |
Once we obtain the initial status update, we evaluate if enough work has been completed in order for us to conduct validation testing. Once all validation testing has been completed, the audit item will be closed and reported as “implemented” through the respective VC, and ultimately, the Audit Committee.
We apply the following general expectations regarding the timeliness of remediation, using our risk-based approach:
Critical Finding – risk mitigated within three months. If this is not feasible, interim action plans must be developed.
High-Risk Finding – risk mitigated within six months. If this is not feasible, interim action plans should be developed.
Moderate-Risk Finding – risk mitigated within nine months. If this risk is not addressed within one year, we will ask management to attest regarding risk acceptance and report accordingly to the board.
Low-Risk Finding – risk mitigated within one year. If this risk is not addressed within one year, we will ask management to attest regarding risk acceptance and report accordingly to the board.
If it is determined by leadership that the cost outweighs the benefit of remediation, the Vice Chancellor is able to propose risk acceptance, rather than devote resources to remediation. The process for this is as follows:
Generally, it is expected that management will implement all risk-mitigating actions noted in audit communications within 12 months. After 12 months, ARAS will consider the risk as being “Accepted by Management”. Note that ARC leadership may provide extensions to management for more complex action plans or in consideration of extenuating circumstances.
To document management’s acceptance of a risk, approval must be obtained from the department’s respective Vice Chancellor for low and moderate risks. The Enterprise Risk Committee must approve acceptance of high and critical risks. Approvals should be obtained by the necessary parties and provided to ARC. The department should utilize ARAS’s form Documentation of Risk Accepted by Management to document the approval of the risk.