Audit reports should be written in the language of the business
Most internal audit departments have evolved from reporting on controls to reporting on how well risks are managed. But when they discuss issues, they usually still talk in terms of the controls failing, perhaps rating them as “high risk”, “medium”, or “low”.
But what does that mean?
Does “high risk” mean something important to the members of the board and executive readers of the report?
They will understand that internal audit thinks it is important, but how do they relate it to their activities, responsibilities, and goals?
Let’s turn to a metaphor.
If a city inspector knocked at your front door and told you he had been inspecting the road near your house and needed to inform you that the surface was ‘high risk’, what would it mean to you?
I think you would reflect on how this might impact you. You will think about how you use the road, how others use it, and your responsibilities for maintaining it.
You might ask the inspector questions, such as “how is it ‘high risk’? Is it unsafe for me or for others? Are you going to close the road so I can’t leave my home? What needs to be done, by when, and how does that impact me?”
In other words, you are trying to find out how the finding represents a risk to your objectives, and which ones are affected. Then you will form your own opinion of the severity of the risk.
So, when it comes to an internal audit report, shouldn’t internal audit discuss issues in terms of the level of risk to specific management objectives?
If internal audit says “this is ‘high risk’”, they are not communicating in a way that is helpful to readers of the report.
If instead the report says the issue represents a “high risk to accounts payable”, they still leave the reader ill-informed.
But, what if they say that a potential impact of the control failure is that there is a “high risk that vendors will not be paid in time, leading potentially to delays in receipt of materials required in manufacturing, damage to the company’s credit rating, and delays of shipments to customers”?
Now internal audit is talking in the language of the business, communicating effectively, and enabling management and the board to act.
I welcome your comments.