Home > Audit, Governance, GRC, Risk > A Satisfactory Audit Report is Unsatisfactory

A Satisfactory Audit Report is Unsatisfactory

If you met with your manager and he gave you a “satisfactory” rating on your performance appraisal, how would you feel?

If your child came home with a “satisfactory” rating on his report card, would you be satisfied?

If your mechanic gave your car a safety inspection, or a home inspector went through the home you were considering buying, and they said “it is satisfactory”, would you be happy?

What does a “satisfactory” rating in an audit report mean?

Your guess is as good as mine.

Clearly, the auditors don’t have anything dire to communicate.

But can you rest assured that the risks they reviewed are being managed at acceptable levels? Are the people, processes, systems, and organizational structure in the area covered by the audit performing to your expectations?

A “satisfactory” rating doesn’t tell you.

A “satisfactory” rating is unsatisfactory.

It fails to tell the stakeholder want they need to hear: whether the risks in the area under audit are being managed the way they should.

Are there opportunities for significant efficiency improvements? You can’t tell from that simple and meaningless rating.

Internal auditors need to stop hiding behind rating systems and use the full capabilities of the English (or other language) to inform their stakeholders.

Audit reports are communication vehicles, ways to answer the questions stakeholders need answering, such as “are the risks being managed at acceptable levels”, “do the controls provide reasonable assurance that management is taking the risks they should be taking, and “is there anything I need to worry about?”

But too many audit reports are empty communication vessels.

If the CEO stopped the CAE and asked “how are the controls over derivatives trading, based on the audit you just completed”, should the CAE say “they are satisfactory?”

No, he would provide an answer with full sentences that leave the CEO satisfied.

Audit reports should do the same.

Do yours?

  1. Matthew Smith
    May 16, 2014 at 10:25 AM

    Excellent point! Reminds me of the CAE playing golf with the CEO, the CEO hits a hole-in-one and the CAE congratulates him by saying “That was satisfactory”.

  2. Sundar
    May 16, 2014 at 9:56 PM

    A “satsifactory” article. !!!

  3. Costas Tsolakkis
    May 17, 2014 at 8:58 PM

    Very relevant for audits of bank branches and conclusions where in the past we are using meaningless ratings.

  4. May 18, 2014 at 6:23 PM

    If I received an audit report with a one word rating on it I would look for another auditor! Obviously the rating, whatever it is, needs to be read in the context of the findings and recommendations made in the body of the report, and that, hopefully is where the gold nuggets are.
    Aside from that, I have a point of view that a more meaningful type of rating mechanism is a maturity rating, which places the outcome on a continuum ranging from a “basket case” level through to someting akin to “dynamic”, which indicates a comprehensive, realtime, collaborative state of compliance. These ratings lend themselves to a fuller description of the actual maturity of culture, systems, documentation, records, and compliance activities.

  5. Norman Marks
    May 18, 2014 at 10:28 PM

    I like maturity models in general, but the report has to inform the stakeholder whether the risks are being managed within acceptable ranges and whether there is a potential effect on the achievement of enterprise objectives.

    It should answer the questions:
    – Is there anything that merits my attention?
    – Is there anything I should worry about?

  6. Ansar
    May 19, 2014 at 1:02 AM

    I Like and agree

  7. May 19, 2014 at 5:56 AM

    Norman, you keep trying to make auditors into risk managers. That is like making the police become city planners. I do not see it. I am reminded of auditors in the 80’s when they tried to take responsibility for IT systems. They could not describe what they wanted; all they could do was report that what they found was not acceptable based upon some grounds known only to them. This direction will hurt any movement toward broadening the use of risk management disciplines.

  8. Norman Marks
    May 19, 2014 at 9:05 AM

    Tom, I do not want to make internal auditors into risk managers. That is management’s responsibility. I want internal auditors to matter, by auditing how well the risks that matter are managed, and providing information that matters to their stakeholders.

    Do you disagree with that objective?

  9. Andy Gill
    May 20, 2014 at 9:44 AM

    So are you saying that IIA PG2 needs update or better application by IA Departments?

    Are you seeing any change from your May 24, 2011 post – An Internal Audit Opinion That Means Something?

    Regards, Andy

  10. Norman Marks
    May 20, 2014 at 11:25 AM

    Andy, I don’t know which PG2 is. If it is the one on audit opinions, the Standard has to change first to require opinions.

    I am seeing more people writing overall opinions, which is encouraging.

  11. Scott J Webb
    May 24, 2014 at 10:59 PM

    Hi Norman,

    Where I work I have introduced into our reporting an overall rating of internal control effectiveness on a five point scale from fully effective to not effective. This is basically an attempt to showcase the degree to which the underlying risks are being appropriately managed. The report has in an appendix the detailed definition of what each scale reading means. Of course, there is a narrative description in the Exec Summary that supports the rating. All findings are individually risk rated as well.

  12. Norman Marks
    May 24, 2014 at 11:44 PM

    Scott, if your audit committee can understand how well risks are managed then you may be ok. The risks are not “underlying” in my opinion. Managing the risks is the purpose of internal control, and I prefer to make it crystal clear which are managed well and which are not. Otherwise, I am asking my stakeholders to guess or just focus on control s.

  13. Scott J Webb
    May 25, 2014 at 5:05 PM

    I work in the New South Wales (Australia) public sector, which mandates combined Audit and Risk Committees, so they should understand the risk pretty well. The risk discussion is constant and ongoing, as it should be.

  14. James Lytle
    May 27, 2014 at 9:53 AM

    It seems to me that you’re arguing that all audits (and I do mean all audits, both internal and external) should offer substantive information to managers; and based on my understanding of the professional standards with which I am to conduct myself as a CPA, that is what I am required to accomplish for my clients, whether I am acting as an internal auditor or an external auditor.

    That said, I was just on a consulting engagement which prompted my review of the external audit reports of the entity over the past ten years. In none of those reports was the reality of chaotic and arcane business processes, requirements of heroic efforts to complete financial reporting, and the inability of the entity’s systems to produce timely, actionable business information mentioned in any external audit report. Essentially, shareholders were denied the information they needed to make financial decisions regarding their investments, by the entity’s external auditors. What I found through research and inquiry did not jive with the “alls well” that was implied by the audit reports I read.

    One can only conclude that auditor independence is suspect in that situation, and it seems to me that internal auditors are often similarly challenged with respect to independence. Let’s face it folks, no one likes to hear bad news; and we auditors are constantly forced to report bad news to people, like CEO’s, who really don’t want to hear it. Until we find a way to ensure that bearing bad news will not result in retaliation within a corporate setting (i.e. until we can actually tell a CEO that his entity’s business processes and or systems are not well designed, and we are rewarded for bearing that bad news rather than being fired), CAE’s are going to publish audit reports that state that offer “satisfactory” opinions. Those will be published unless a CAE is absolutely forced to publish findings and recommendations because the audit evidence screams, “we have a problem Houston.” That’s just the way businesses seem to want things. In the best of all possible worlds, CEO’s would want to run the companies for which they are responsible as efficiently and effectively as is possible, and they would welcome hearing about tweaks and corrections that could be made from CAE’s. We do not live in the best of all possible worlds. It is unfair to expect CAE’s to operate as if we do.

  15. August 30, 2014 at 3:52 PM

    From experience in a large firm, I know their reluctance to say anything positive (risk management committees, etc.). I recently steered a client through an assessment done by a large firm. The entity’s program included several features that were best in class – hands down. The entity wanted something positive in the report – to show management, maintain team, maintain budget, gain confidence – all the usual reasons. Despite three pointed requests (and even drafting language laden with qualifiers and weasel words), the consultancy steadfastly refused to do so. The conclusion was along the lines of “satisfactory, but then it’s a fast-changing field and we can’t be too sure, and the conclusion may not be that for long.” It was infuriating. The lack of any real opinion has created risks to the entity’s program and budget. The consultant’s obsession with risk management has led to increased risk on the part of their client.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: