Audit findings follow-up procedures are not only essential but also required by law; they help organisations stay compliant and avoid penalties.
This guide explains the post-audit follow-up process, with steps and an example.
Understanding Audit Finding Follow Ups
When an audit is completed, the auditor shares the audit findings, i.e., the results or observations identified during the audit.
These findings highlight areas where an organization is not following required laws, policies, or internal procedures.
Following up on audit findings is just as important as identifying them. If findings are ignored, the same issues will continue, which may lead to penalties, legal problems, or reputational damage.
Regulatory Framework for Audit Follow Up in India
Audit follow-ups are not only a good practice for organisations; they are also required by law.
Here’s a look at what regulations and laws drive them:
Regulation | Relevance |
Companies Act, 2013 | Requires audit trail, audit committees, and internal audits |
ICAI Standards (SA 265 etc.) | Guide communication and follow-up on control weaknesses |
SEBI LODR Regulations | Mandates audit committee oversight on audit findings |
CARO 2020 | Statutory auditor must report management’s compliance actions |
RBI Circulars | Require banks and NBFCs to report compliance on audit observations annually |
CAG Framework | Enforces structured legislative follow-up on audit findings in public entities |
Public Sector Audit Follow-Up (CAG of India)
Audit follow-up in this sector is driven by the Comptroller and Auditor General (CAG), who audits Union/State governments and PSUs.
After audit reports are tabled in Parliament or State Legislatures, legislative committees like the Public Accounts Committee (PAC) and Committee on Public Undertakings (COPU) review findings.
- Action Taken Reports (ATRs): Audited entities must submit ATRs detailing fund recovery, disciplinary steps, and policy reforms.
- Monitoring & Compliance: CAG tracks ATRs; PAC/COPU assess adequacy and demand further action if necessary, reinforcing transparency.
Private Sector Audit Follow-Up
In the corporate sector, audit follow-up is regulated through the Companies Act, 2013, ICAI Standards, SEBI Regulations, and oversight bodies like NFRA and MCA.
- Section 177: Audit Committees must review audit reports and ensure timely corrective action.
- Section 138: Internal audits are mandatory for specified companies, with oversight by the Audit Committee.
Regulatory bodies like the Ministry of Corporate Affairs (MCA), SEBI, and NFRA strengthen enforcement.
- SEBI (LODR) Regulations, 2015: Listed companies must disclose responses to audit qualifications and review whistleblower complaints.
- NFRA: Oversees audit quality and can penalize auditors, indirectly pushing companies to act on audit issues.
Standards and Digital Compliance
The Institute of Chartered Accountants of India (ICAI) sets out Standards on Auditing (SAs), such as:
- SA 265, 330: Require auditors to communicate internal control deficiencies and follow up on risk mitigation.
Recent rules mandate digital accountability:
- From FY 2023-24, all companies are required to maintain a tamper-proof audit trail under the Companies (Accounts) Rules, 2014, verified by auditors.
Sector-Specific Audit Follow-Up Mechanisms
Reserve Bank of India (RBI):
- Banks and NBFCs must submit compliance reports post-audit.
- Board-level reviews are mandated.
- Delay in action can trigger regulatory sanctions.
IRDAI (Insurance), PFRDA (Pension Funds), and Others:
- Industry-specific regulators issue their own mandates for audit follow-up.
- Includes regular internal audits, compliance reports, and implementation reviews.
Step-by-Step Audit Findings Follow Up Procedures in India
Once the audit is completed, the real work begins: resolving findings and preventing recurrence. Here is how to approach it:
1. Issuance and Acknowledgment of Audit Findings
The audit finding follow up procedure starts with the submission of the report.
- The Internal Auditor, Statutory Auditor, CAG, RBI, SEBI, or another regulator issues the audit report.
- The report lists observations, control weaknesses, and recommendations.
- Management acknowledges the findings and shares the report with the Audit Committee or Board.
- They then establish official recognition of the findings and ensure they are taken seriously.
2. Root Cause Analysis (RCA)
The process owner and department head are required to provide a formal response for each finding. This prevents recurrence by fixing the root cause, not just the symptom.
This response must include:
- Acknowledgment: Agreement or disagreement with the finding.
- Root Cause Analysis: The underlying reason for the issue (not just the symptom).
- Corrective Action Plan (CAP): Specific, measurable actions to fix the issue.
- Responsible Person: The individual accountable for implementation.
- Target Date: A realistic deadline for completion.
Example: Misclassification of expenses might be due to system flaws, manual errors, or lack of training.
3. Development of a Corrective Action Plan (CAP)
Management, specifically the audited department/process owner, is responsible for addressing the findings and preparing a formal written response and a Corrective Action Plan (CAP).
The plan must be S.M.A.R.T. (Specific, Measurable, Achievable, Relevant, Time-bound). It must specify:
- Corrective Action: The steps to be taken to fix the immediate issue.
- Preventive Action: The steps to be taken to prevent recurrence.
- Responsible Person/Department: The individual or team accountable for implementation.
- Target Completion Date: A realistic deadline for full implementation.
4. Management & Audit Committee Review and Approval
The formulated CAP is reviewed and approved by senior management or a dedicated oversight body.
They validate that the CAP is:
- Practical
- Risk-sensitive
- Budgeted
- Aligned with statutory and regulatory obligations
5. Implementation of Corrective Actions
In this phase, the responsible person within management executes the agreed-upon actions (e.g., updating a policy, implementing a control, recovering an amount, training staff).
Examples of Actions:
- Policy and SOP updates
- Staff training and awareness
- Technology upgrades (e.g., implementing audit trail software)
- Strengthening internal controls
6. Documentation and Evidence Collection
Documentary evidence or system logs are collected to verify completion of each action. This creates a verifiable audit trail for future scrutiny.
Types of Evidence:
- Updated policies
- System reports/logs
- Communication records
- Proof of staff training
The evidence is submitted to Internal Audit, Statutory Auditors, the Audit Committee, and/or regulators (e.g., RBI, SEBI, CAG).
7. Follow-Up Audit or Validation
Internal audit (or the external auditor for statutory cases) conducts a follow-up review to verify the reported completion of corrective actions. They:
- Verify implementation through testing and review of controls
- Conduct interviews, walkthroughs, or data testing
8. Status Reporting to Audit Committee/Board
The internal audit team prepares a Follow-Up Report or a Status Tracker that is presented to the Audit Committee and senior management.
This tracker uses a RAG (Red-Amber-Green) status:
- Red: Action not taken/ineffective
- Amber: Action in progress/delayed
- Green: Action completed and verified
9. Formal Closure of Findings
If the auditor is satisfied that the root cause has been addressed, the risk is mitigated, and the new control is operating effectively, the finding is formally closed in the observation tracker.
The status of all open and closed findings is regularly reported to the Audit Committee and the Board of Directors, providing assurance on the company’s control environment.
Difference Between Public Vs Private Sector Post Audit Follow Ups
Feature | Public Sector (C&AG) | Private Sector |
Primary Driver | Parliament/State Legislature (PAC/COPU) | Board of Directors / Audit Committee |
Follow-Up Document | Action Taken Note (ATN) | Corrective Action Plan (CAP) / Status Tracker |
Validation Body | C&AG’s office & PAC | Internal Audit & Statutory Auditor |
Final Authority | Parliament/State Legislature | Shareholders (via reporting) & Regulators (NFRA, SEBI) |
Focus | Public accountability, propriety, compliance | Risk mitigation, operational efficiency, financial accuracy |
Audit Finding Follow-Up Example: LM Manufacturing Pvt. Ltd. (FY 2024–25)
Let’s assume a mid-sized auto parts manufacturer LM Manufacturing Pvt. Ltd. based in Pune underwent its statutory audit for FY 2024–25 as per the Companies Act, 2013.
The auditors highlighted certain issues in the audit report that required follow-up action.
Statutory Audit Finding
Auditor reported:
- Inventory reconciliation was not performed regularly
- Stock discrepancies worth ₹45 lakhs were noted between the ERP system and physical stock
- Indicated weak internal controls in inventory management, violating good accounting practices under ICAI standards.
Post Audit Follow Up Steps
Step By Step Follow Up Procedure After an Audit
- Step 1: Acknowledgement
- Step 2: Root Cause Analysis
- Step 3: Corrective Action Plan (CAP)
- Step 4: Management Review & Approval
- Step 5: Implementation
- Step 6: Documentation & Reporting
- Step 7: Follow-Up Audit
In November 2025, internal audit team verifies:
Finding marked as “Resolved.”
LM Manufacturing Pvt. Ltd. successfully closed the audit issue within 6 months.
It strengthened internal controls and reduced stock discrepancies. This helped the company improve compliance with the Companies Act, 2013 and ICAI audit standards.
Audit Findings Follow Ups With PKC Vs Others
Aspect | PKC India | Other Firms |
Follow-Up Timeline | ✅ Defined milestones post-implementation | Generic 3–6 month follow-up |
Verification | ✅ Evidence-based validation | 🚫 Self-certification or limited checks |
Monitoring | ✅ Continuous support | 🚫 Limited or periodic |
Action Plans | ✅ Client-specific corrective actions | 🚫 Standard recommendations |
Reporting | ✅ Detailed status updates | 🚫 Quarterly or annual reports |
Risk Focus | ✅ Proactive risk mitigation | 🚫 Reactive compliance approach |
Stakeholder Involvement | ✅ Active board and management engagement | 🚫 Minimal engagement |
Documentation | ✅ Full audit trail of actions | 🚫 Basic documentation |
Compliance Assurance | ✅ 100% compliance goal | 🚫 Best-effort basis |
Industry Expertise | ✅ Sector-specific insights | 🚫 Generalized expertise |
Regulatory Updates | ✅ Timely and proactive | 🚫 Occasional updates |
Cost Structure | ✅ All-inclusive follow-up | 🚫 Follow-up billed separately |
Success Metrics | ✅ Defined KPIs and outcomes | 🚫 Basic compliance measures |
FAQs on Audit Findings Follow Up Procedures
They are steps taken after an audit to correct issues and improve compliance. These procedures are guided by the Companies Act, ICAI standards, and regulators like RBI and SEBI.
The company’s management, Audit Committee, and Board of Directors are primarily responsible. Auditors review whether corrective actions have been implemented.
Follow ups depend on the severity of the issue. Serious issues need immediate attention, while minor ones may be checked in the next audit cycle. In India, regulators often prescribe timelines for compliance.
Ignoring audit findings can lead to regulatory penalties, reputational damage, and legal consequences. For listed companies and banks, SEBI and RBI can take strict action.
Yes, the CAG audits government bodies, and departments must submit Action Taken Notes (ATNs). The Public Accounts Committee reviews these for accountability.