Internal audit reports do the function a great disservice

November 12, 2016

How do our stakeholders on the board and in top management assess the value of internal audit?

What do we give them? What do they have on which to base their assessment?

While they probably rely to a great extent on their direct interaction with the chief audit executive (CAE) and perhaps some of his team, the primary internal audit product is the audit report.

Let me state the problem as I see it.

The typical audit report is boring.

The typical audit report does not provide the reader on the board or in top management with the information they need to run the organization.

The typical audit report is documentation of the work performed and results obtained. It conveys what we want to say rather than what the leaders of the organization need to know.

The Institute of Internal Auditors (IIA) provides us with mandatory guidance in the Standards. They build on that with recommended guidance in the form of Practice Guides and Advisories.

A new Practice Guide (PG) was published very recently on the topic of Audit Reports: Communicating Assurance Engagement Results.

This post could well get me fired by the IIA. (In addition to posts on this site, I also write posts for the IIA’s own blog site. We take great care to make it clear that when I write I do not represent the IIA or its positions. My posts are my own thoughts. But posts like this one I would not place on the IIA site for obvious reasons.)

So let me say it: this new Practice Guide is not helpful.

The summary blurb (on the page where you download the PG) gets it right when it says:

As the demand for internal audit value shifts from a retrospective view to a forward-looking perspective, internal auditors are expected to adapt with innovative methods to assess and communicate internal audit results.

The trouble is that the model described in the PG has been out of date for at least a decade.

The PG describes a style of audit reports that does not provide our stakeholders with the information they need, when they need it, in a form that is actionable.

Over the last decade or two, a couple of people who write books and provide training on audit report writing have stood out (my apologies to the others I am not referencing).

One is Penni Fromm. On her web page, she says:

“Recipients of internal audit reports are busy people. If internal audit and compliance reports don’t tell the risk story quickly, accurately, and efficiently, those reports will not succeed. They will not convey the critical message about risks that are well-managed and other risks that threaten the organization and demand action.”

Another is Angela Maniak. In her Quick Tips, she says:

  • Make your writing concise, correct, consistent, and inviting.

  • Get your message read, understood, and acted on quickly.

  • Establish your professionalism and credibility through your written words.

I could take the PG apart. But that is not constructive.

Instead, let me excerpt from my new book, Auditing that matters. I may not be objective, but I think the guidance in the book on audit reports alone (which is far more extensive than in the PG) justifies the purchase. You will judge for yourself.

  • It is critical not only to audit what matters, but to communicate what matters.

It is not about communicating what matters to the auditor.

It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).

Operating management needs to know when anything beyond the trivial is not working the way they intend.

I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.

  • If there is no value in informing more senior management that there was an issue, then I typically won’t mention it – except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
  • Executive management doesn’t need all the details; they should be able to rely on their direct reports in operating management to take care of them.

I like to ask the question: “What do they need to know?” They need to know anything that (a) they need to act on; (b) they need to monitor; or (c) represents a significant and unacceptable risk to their or the organization’s objectives.

Anything beyond that is not just immaterial to them, but can actually degrade the quality of the report.

  • We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
  • I [want] the executives to be able to read just the first few paragraphs and obtain the most critical information and satisfy their needs.
  • I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.

I like, whenever possible, for the reader of the audit report to see that immediately.

It’s the most important piece of information we communicate, so it should be front and center.

  • If there are facts or issues that don’t require an executive’s attention, why do we need to tell him or her about them?

The executive is entitled to place reliance on operating management to address less significant issues – issues that we communicated in the Closing Meeting.

So, every item that the audit team wants to include in the report that goes beyond what I can see an executive needing to know will come into question from me.

  • Change is our final product.

A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.

These and other points are discussed in detail with examples.

To be fair to the IIA, guidance cannot be too far ahead of practice. As a member of the IIA committee that wrote PGs in the past, I can attest to the challenge of writing useful guidance that will be accepted by the majority but still lead the practice of internal auditing forward.

Unfortunately, I don’t think this PG is consistent with best practice today, let alone what is necessary going forward.

Effectively communicating our assurance, advice, and insights is critical to the success of the profession.

If we fail to do this, we fail to demonstrate the full value of the function.

That’s my opinion. What’s yours?

  1. Kaya Kwinana
    November 12, 2016 at 10:48 PM

    Norman, you are correct in noting that “The Institute of Internal Auditors (IIA) provides us with mandatory guidance in the Standards. They build on that with recommended guidance in the form of Practice Advisories.”

    In this article, the recommended guidance you don’t agree with is a Practice Guide, not Practice Advisory, which like others, carries the following disclaimer, “The IIA accepts no responsibility for anyone placing sole reliance on this guidance.”

    To be fair, you should have referred to that disclaimer, and to the mandatory guidance which says, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” 2420

    If the mandatory guidance is the unqualified view of the IIA, why should this article get you fired by the IIA since what you say is fundamentally what the mandatory guidance says?

    You do undermine the mandatory guidance by using the other sources rather than it to beat the reporting you lament with, as if they carry more weight than the mandatory guidance.

    Best practice is criterion, condition, finding. The mandatory guidance is the criterion, The boring reports are the condition. The finding is that the reports are not conforming. Unless internal auditors were engaged in “ambush auditing”, the engagement client knows the cause and what to do to address it.

    But findings are by the way, are they not, regarding what the internal audit report is about – the conclusion, the assessment – the overall view having considered all the findings (both positive and negative)!

    The mandatory guidance says you should provide “an independent assessment on governance, risk management, and control processes.” – definition of assurance services.

    Your take? – “I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.”

    Assurance that the risks in scope are managed at desired levels!

    That view is not an improvement on the mandatory guidance, it is worse and goes straight to the issue of what the internal audit report should be discussing.

    If the governance, risk management, and control processes are adequate and effective, there is reasonable assurance that organisational objectives will be achieved.

    Can the same be said of “assurance that the risks in scope are managed at desired levels”?

    If any of the governance, risk management, and control processes are not adequate or effective, which ones are those and what accountability and oversight arrangements, for example, are there to ensure that they are? Why did it have to take internal auditing, in a week or two, to find this out? Is that not what executive management would like to know?

    Norman, the focus of the article is on the 2410 and 2420 requirements regarding internal audit reports. I am glad you have now accepted the need for a written internal audit report. But why call it an “audit report” instead of “internal audit report”?

    Consulting engagements also need to be reported on! There was an engagement objective to provide advisory services on any or all of the governance, risk management and control processes. Was there any assessment to see whether or not the advice was understood?

    Reporting on objectives goes to the heart of best practice internal control or risk management practices! One does not have to be asked, “How did it go?”.

    The fact is, unchallenged, these terminology lapses (to be kind) establish a particular narrative, difficult to challenge later.

    Very interesting and instructive – your account of the IIA process of developing recommended guidance!

    • Norman Marks
      November 13, 2016 at 8:43 AM

      Kaya, thanks for pointing out this is a PG and not a PA. I have corrected the post.

  2. David Leong
    November 13, 2016 at 1:08 AM

    I did not like the specimens in the Practice Guidance. They appeared cumbersome. On the other hand, I don’t quite agree on the practicality of communicating only what management and the board need to know. This can be manipulated by a dishonest CEO. Because he already knows the issue, he was not happy about the report, but it turned out that the board was not kept in the loop. My approach is that the report always has a story to it: what management needs to do and how well they do it against the benchmarks set.

  3. Tom Wong
    November 13, 2016 at 1:16 AM

    I agree with your opinion, especially where you say, “The typical audit does not provide the reader on the board or in top management with the information they need to run the organization. The typical audit report is documentation of the work performed and results obtained. It conveys what we want to say rather than what the leaders of the organization need to know.”

    I would like to add that what management needs to know are not only gaps in internal controls dealing with safeguarding assets, accuracy of records, compliance, but especially with the 4th element of internal control- operational efficiency and effectiveness. The report should inform management of gaps in the use of best practices in many areas of operation, such as strategic planning, policy and procedures, root cause analysis of problems, communications, best strategic practices within their specific industry. With carefully thought out audit planning and programming, these operational efficiency and effectiveness risks- both potential and actual- can be identified and reported to management. The correction of these risks should be of a larger concern than your “typical audit report findings.”

  4. November 13, 2016 at 2:46 AM

    Norman. When it comes to reports, I like to think of two scenarios:

    You enter the room and proudly announce to your partner that you have just screwed in 36 screws, hammered in 40 nails and attached two handles. He/she is not impressed.

    You enter the room and tell your partner that he/she can finally clear the pile of clothes from the spare bed and hang them up because you have finally assembled the IKEA wardrobe. He/she is delighted.

    The work is the same, the reporting of the outcome is different. The first scenario is similar to how many audit departments report their findings, ‘Controls were found to be satisfactory’. The second scenario relates the work directly to the organization’s objectives.

    Although the work is the same, with just a different way of reporting it, there may be a need to make it more relevant to the governing body. You won’t get much praise for building a wardrobe if you haven’t fixed the leak in the roof.

    I’ve tried to follow the principles of a good internal report format in the example I use (Book 4, http://www.internalaudit.biz). The report:

    – Has an overall opinion
    – Relates this opinion to the organization’s objective addressed by the audit
    – Is concise
    – States any work to be completed by management

    I’ve used accounts payable as an example, since it’s a system to which most auditors can relate. However, the principles can be applied to more strategic audits.

    • Norman Marks
      November 13, 2016 at 7:18 AM

      Brilliant, David

  5. November 13, 2016 at 6:22 PM

    An audit report needs to highlight to the auditee and his management where risks are not adequately covered by controls or where controls are badly designed or not operated as intended. That often requires details. A short executive summary with the overall opinion expressed in one defined term and the high risks that were encountered should be less than a page and readily understandable to executives and the board. This will allow both stakeholders to focus on what they need to know, do or supervise. Can’t be much simpler than that (and indeed it works).

  6. J Jassal
    November 15, 2016 at 10:38 PM

    Thanks! I thought I was the only person finding Audit Reports dull and boring! Good to know I have company. I recently presented my report to the Audit Committee of a large company. Waiting for me to conclude was one of the big four. I had just five slides for presentation, decoding my observation through simple English, focused on risk, system gaps and way forward. We had suggested changes and had also done an ATR (action taken report) on the same. The big four guys had 34 slides and spoke of processes, execution, sample technique, general observation and recommendations. They had beautiful slides, graphs, colors, but the observations were lost in the maze and left the Audit committee members confused. There was no conclusion. Was the system better now? Does it have a serious impact? Can it be improved? Who is the process owner? What are the target dates? Nothing was figured out. But yes it was a great presentation!

  7. Amir Ibrahim, CPA, CIA , CGMA
    November 23, 2016 at 12:45 AM

    It depends on the structure of the report. Including some details is useful, but having an executive section is a must.
