
Audit reports should be written in the language of the business

Most internal audit departments have evolved from reporting on controls to reporting on how well risks are managed. But when they discuss issues, they usually still talk in terms of the controls failing, perhaps rating them as “high risk”, “medium”, or “low”.

But what does that mean?

Does “high risk” mean something important to the members of the board and executive readers of the report?

They will understand that internal audit thinks it is important, but how do they relate it to their activities, responsibilities, and goals?

Let's turn to a metaphor.

If a city inspector knocked at your front door and told you he had been inspecting the road near your house and needed to inform you that the surface was ‘high risk’, what would it mean to you?

I think you would reflect on how this might impact you. You will think about how you use the road, how others use it, and your responsibilities for maintaining it.

You might ask the inspector questions, such as “how is it ‘high risk’? Is it unsafe for me or for others? Are you going to close the road so I can’t leave my home? What needs to be done, by when, and how does that impact me?”

In other words, you are trying to find out how the finding represents a risk to your objectives, and which ones are affected. Then you will form your own opinion of the severity of the risk.

So, when it comes to an internal audit report, shouldn’t internal audit discuss issues in terms of the level of risk to specific management objectives?

If internal audit says “this is ‘high risk’”, they are not communicating in a way that is helpful to readers of the report.

If instead the report says the issue represents a “high risk to accounts payable”, they still leave the reader ill-informed.

But, what if they say that a potential impact of the control failure is that there is a “high risk that vendors will not be paid in time, leading potentially to delays in receipt of materials required in manufacturing, damage to the company’s credit rating, and delays of shipments to customers”?

Now internal audit is talking in the language of the business, communicating effectively, and enabling management and the board to act.

I welcome your comments.

  1. Mike Corcoran
    March 14, 2013 at 2:38 AM

    Norman, Impact statements in audit observations have been around for at least 20-30 years. Nothing new here.

  2. Norman Marks
    March 14, 2013 at 2:40 AM

    Mike, I agree they have been around in about 1% of audit reports. What will be new is when the general practice is to use the language of the business instead of just a “risk rating”.

    • Mike Corcoran
      March 15, 2013 at 5:31 AM

      Norman, where did you get the 1%? Are you suggesting that 99% of the Audit Committee Chairs are dumb axxexx that have not requested audit findings in a business context?

  3. Bob Cates
    March 14, 2013 at 4:16 AM

    Again, going back to the five criteria of a deficiency finding/issue/observation – Condition, Criteria, Cause, Effect, Recommendation. As Mike said, it’s been there a long time, but as Norman says, more and more audit activities have gotten away from explaining the “effect” in the report. But, I believe in many cases, this can be directly related to what management and the audit committee want to see in the reports. If management and the AC would actually ask the questions Norman brings up, or discusses the audit reports in those terms, then “effect” could find its way back into the reports.

  4. Stephanie U.
    March 14, 2013 at 6:46 AM

    I experienced this first hand when I started auditing at a smaller company that had not previously had an Internal Auditor. I assumed they would automatically understand the meaning of the reports as it related to their goals. Entering the first monthly meeting with the President and Senior Management was a revelation to me. Senior managers want the information in a way they can use. They need to take your report and manage with it. Having a clear understanding of the business model and structure was key for me. Since I had basically created the Auditing Department to fill a need that I saw, it was then easy for me to relate the report in a language they could use. I give them the potential problems, suggest some management solutions and then they manage.

  5. Rick Walke
    March 14, 2013 at 7:10 PM

    I agree with Bob above. This is not a new concept for me or my audit departments. I require my auditors to identify the effect by asking themselves “So what?” I have them ask the question until they arrive at a statement that describes the risk in business terms that are understandable to our report users and provides some form of quantification that they understand.

  6. Norman Marks
    March 14, 2013 at 9:38 PM

    That’s excellent, Rick. Do you ask them to spell out what it means from their perspective, or to explain how it might affect corporate plans?

  7. Muhammad Khalil
    March 14, 2013 at 11:49 PM

Business acumen is important for everyone in the business, and one aspect of having acumen is to communicate with clarity. Good communication skills for internal auditors are not a soft skill but a hard skill. Listening to what people in the organization are talking about and telling them how they can manage risks requires communication in a language that is common. Internal auditors are not supposed to be aliens; they are supposed to be earthlings, living on common ground.

  8. Rob Otero
    March 15, 2013 at 2:01 AM

Rick, I completely agree. I have been fortunate to work with management who challenged me on the “so what?”, and I myself have always championed the “5 Whys”. My teams are probably now fed up of seeing it scribbled on reports and asked in meetings; however, this has ensured a consistent level of output and engagement by the business in the outputs of Internal Audit.

  9. March 17, 2013 at 7:09 PM

    Beyond the business impact of findings, the report should include insight on any common themes and trends that they may have picked up based on their knowledge and work in other areas … management wants Internal Audit to be “additive”, to connect the dots, and add incremental value…!

  10. Lerato Chaba
    March 19, 2013 at 12:38 AM

The concept is not new to me either, but I think sometimes auditors get “comfortable” with little information. The 4 Cs (Criteria, Condition, Cause and Consequence) as well as recommendations have to stem from what speaks to the objectives of the organisation as well as the department.

What has helped me over the years is making a distinct difference between a risk and a control weakness. The fact that the road surface is a high risk really means nothing if “High Risk” is not defined. Define the control weakness and the risk; the risk is the answer to “So what?”, as Rick said. Could it cause damage and/or death, increase traffic, or is it a patch everyone has noticed and can easily be avoided? What are the potential impacts to all road users, not just me?

It is all well and good to identify the finding, but if we do not mention what the criteria are (perfect situation, what works for the industry, new trends) and make relevant value-add recommendations, what value have you added really?

I liked the scenario Norman used: “a city inspector knocked at your front door and told you he had been inspecting the road near your house and needed to inform you that the surface was ‘high risk’”. As auditors, our working papers and reports need to stand alone; when management reads the document it should be clear what we are talking about, without requesting us to come in and explain what any part of it means and what the way forward should be.

    Thank you all for your comments and opinions.

  11. Graham Throup
    March 19, 2013 at 4:08 AM

I think any internal auditor who is worth his salt would always use in his reports words and sentences which the readers of his report (be it managers or board members) could fully understand. To do the contrary would be very unusual.
As far as risk is concerned, one might expect most organisations to have already defined what high, medium and low mean, and this would be contained in their risk policy, register, etc. But if these do not exist, you are quite right to say that just to state ‘high risk’ without then going on to give more details of the impact and consequences (and usually suggestions for elimination or mitigation) would be a failing on the part of an internal auditor.

    • Lerato Chaba
      March 19, 2013 at 4:30 AM

      Completely agree.

  12. Norman Marks
    March 19, 2013 at 7:45 AM

    Thanks to all for the comments.

    My point is that we should try to put ourselves in the shoes of the top executives and the board. They have a number of objectives for the organization, and in a risk-based audit program we should be considering the risks to those objectives.

    Do you agree so far?

    Since they are thinking and managing in terms of those objectives, we should be communicating to them how their objectives are affected by the issues we found in the audit.

    It’s more than simply saying there is a risk of loss of funds, for example. It’s about telling them whether the risk to the objectives they have set for the organization is higher than they thought and the achievement of those objectives might be at risk.

    Are you with me, or do you disagree?

    • Stephanie U.
      March 19, 2013 at 8:04 AM

I agree; the objective is to be successful even at sometimes incurring risk, just knowing how much can be controlled and if it’s worth it. Even new policy and procedure changes can affect the entire dynamic; bringing a knowledgeable audit team in to evaluate potential losses or risk in the face of change can keep a lot of fires from even starting. Very helpful post and comments here.

  13. March 21, 2013 at 11:51 AM

    Good Comments Norman. I agree. In fact our audit reports list the specific business objectives “at risk”. A novel concept I know.

  14. March 25, 2013 at 8:53 PM

    Good thread. I’m doing a project looking at audit opinions, ratings of issues, grading of reports etc, and interested in latest thinking on what’s new, what’s best and what’s contemporary. I’m seeing good arguments for aligning with the risk rating scale for ERM, and also good arguments for not. Would welcome thoughts.

    • Norman Marks
      March 25, 2013 at 9:00 PM

      Todd, how would you “align with the risk rating scale for ERM?” Wouldn’t you simply say whether any control issue indicates the risk is different from that ascribed by ERM?

      Is it not more important to comment on the validity of management’s assessment than to make our own, in competition?

      • March 25, 2013 at 9:35 PM

        Hi Norman. Thanks for the quick response.

        Great answer in theory, but in practice throws up a few questions.

        1. Assumes management have already assessed the particular criteria or objective. (So rules out immature risk functions, and many which don’t assess at the same level of detail as an auditor).

        2. Not sure exactly how you’d report this in a succinct way to the audit committee (management thought it was medium/low, we thought it was medium/high), the differential is x% of medium… and this is not material enough to report as it’s not high?

        I’ve got a few ideas on the latter, but I always end up circling back to objective-centric assurance rather than risk-based ratings. Before defaulting to type, I’m keen to understand what the brains trust has to say…

  15. Norman Marks
    March 26, 2013 at 7:46 AM

    Todd, my preference is to assess management’s ability to manage risks at desired levels – rather than try to assess the risk level by myself.

    So, if management has established criteria, we can assess how they used them to assess risk and also whether our testing of related controls identified weaknesses they didn’t consider.

    If they have not established criteria, that is probably the first point to make: how do they know they are taking the right risks?

    I think we should work with management and see if we can agree on the level of risk and whether it is acceptable.

    I remain a believer in assessing the processes whenever I can, rather than substantively auditing results of those processes.

    • Mike Corcoran
      March 26, 2013 at 9:42 AM

      Norman, no more accounts payable audits?

  16. Norman Marks
    March 26, 2013 at 10:00 AM

    Good question, Mike. If AP represents a risk to the business that matters and rates as one of the top risks where IA can add value through assurance or consulting engagements, then yes. Otherwise,……….

  17. Norman Marks
    March 26, 2013 at 10:03 AM

    Building on that, how significant is AP risk at most organizations? Moderate. How significant are areas not typically audited, such as manufacturing quality, the processes for designing new products, the ability to hire talented individuals, organizational design, strategy development, the integrity (including completeness and timeliness) of information provided to the board? Major.

    • Mike Corcoran
      March 26, 2013 at 10:10 AM

Internal audit does not have the skill sets to get involved in these higher risk, value creating bets. The Audit Committee is not involved either, and they approve the audit plan! Most internal auditors are from Big 4 firms with SOX and financial reporting experience. Is this a huge disconnect?

      • Norman Marks
        March 26, 2013 at 10:45 AM

        So you should audit based on capabilities? No way, Mike. IA should build out the capability to audit the processes around the risks that matter, including using co-source partners.

This is a point PwC made in their 2013 report: that too many IA departments audit what they can rather than what they should.

        • Mike Corcoran
          March 26, 2013 at 11:02 AM

          Norman, quite the opposite. Audit Committees haven’t a clue they are getting an inferior product. As you know, I have been in the ERM, risk and internal audit co-sourcing business (C&L) since 1997. PWC 2013 is nothing new.

          • Norman Marks
            March 26, 2013 at 11:29 AM

            So, just because it is not new means we should stop talking about it? The fact that it is not new should mean we should talk louder and hope people start acting. Right?

            • Mike Corcoran
              March 26, 2013 at 11:49 AM

No, by all means keep on talking about it for another 20 years. If I can help you figure out another means or medium to effect change, let me know. Appreciate your trying.

  18. March 29, 2013 at 12:46 PM

My tag line – as I’ve worked in operations, environmental, sustainability, and safety – has been “Learn the language of business, because they will not learn yours.” The discussion is a good reminder.
Another benefit of making sure the “so what?” is included in an audit finding is that it provides transparency. This helps the auditee! Unfortunately, many auditors focus on getting the “gotcha”, keeping up with work papers, wordsmithing the findings, or crunching on a report to meet a deadline. The auditees are an afterthought. The auditees may be so stuck in “the way we’ve always done things”, or not realize the context – or they may not have the resources to do the job right. Maybe they tried to make improvements and gave up. If the auditees understand WHY our findings are significant, this can help reinforce the importance of doing things right, and change their mindset on making changes – a necessary first step. This discussion is a good tip for auditors, but the bigger benefit is to the auditees and our organizations.

  19. Sharon llewellyn
    April 3, 2013 at 1:42 PM

Thank you for the comment; I will keep it in mind. As a former auditor, I often interpreted findings for customers who were confused by the wording in the reports. Auditors are not always expected to be able to know what the report means.
