A Satisfactory Audit Report is Unsatisfactory
If you met with your manager and he gave you a “satisfactory” rating on your performance appraisal, how would you feel?
If your child came home with a “satisfactory” rating on his report card, would you be satisfied?
If your mechanic gave your car a safety inspection, or a home inspector went through the home you were considering buying, and they said “it is satisfactory”, would you be happy?
What does a “satisfactory” rating in an audit report mean?
Your guess is as good as mine.
Clearly, the auditors don’t have anything dire to communicate.
But can you rest assured that the risks they reviewed are being managed at acceptable levels? Are the people, processes, systems, and organizational structure in the area covered by the audit performing to your expectations?
A “satisfactory” rating doesn’t tell you.
A “satisfactory” rating is unsatisfactory.
It fails to tell the stakeholder want they need to hear: whether the risks in the area under audit are being managed the way they should.
Are there opportunities for significant efficiency improvements? You can’t tell from that simple and meaningless rating.
Internal auditors need to stop hiding behind rating systems and use the full capabilities of the English (or other language) to inform their stakeholders.
Audit reports are communication vehicles, ways to answer the questions stakeholders need answering, such as “are the risks being managed at acceptable levels”, “do the controls provide reasonable assurance that management is taking the risks they should be taking, and “is there anything I need to worry about?”
But too many audit reports are empty communication vessels.
If the CEO stopped the CAE and asked “how are the controls over derivatives trading, based on the audit you just completed”, should the CAE say “they are satisfactory?”
No, he would provide an answer with full sentences that leave the CEO satisfied.
Audit reports should do the same.