
Let’s talk about audit reporting

Richard Chambers, the former CEO and President of the IIA, has moved on to a new stage in his professional career. That includes a new consulting firm, Richard F. Chambers and Associates, which is where he now shares his blog posts.

His latest is Internal Auditors: It’s What You Say – AND How You Say It!

As you might expect, Richard’s comments are valuable and merit our attention.

I think there is more to be said.

In particular, we need to understand why we are writing an audit report in the first place.

I have a fairly lengthy chapter on this in my seminal book, Auditing that Matters – which I strongly recommend for every internal auditor (even though I wrote it).

Here are just a few of the main points:

  • It is critical not only to audit what matters, but to communicate what matters…. It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).
  • Our goal is not to find fault[1]. It is to help management improve their processes, where necessary, through our advice and insight.
  • We need to remember that the task is not to write an audit report. It is to communicate… We need to communicate in a way that is easy for the individual with whom we desire to communicate to receive, absorb, and act on the information they need from us.
  • The oldest communication tool is talking… When a simple “everything is OK” is insufficient, I believe the audit report is only the start of the communication… A face-to-face discussion where the auditor can explain what he or she found, the implications, as well as share his or her advice and insight is invaluable…. A meeting provides the executive with the opportunity to ask questions and make sure he or she fully understands the situation before making decisions and taking actions….The auditor needs to be disciplined in these meetings, making sure that he or she is listening actively to the executive.
  • The auditor doesn’t have to wait for the closing meeting, let alone the audit report, to share information with appropriate management…. I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.
  • If management responds with alacrity to correct issues, then this should be recognized in the final audit report[2].
  • There is no harm, and every good, in commending management for their commitment to controls. Apart from complying with Standard 2410.A2 (“Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications”), it helps build a solid relationship with management. In addition, the fact that operating management has shown this commitment should be reassuring to executive management and the board.
  • If there is no value in informing more senior management that there was an issue, then I typically won’t mention it – except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
  • Management needs to know and understand what we found before they can be expected to agree on the facts and their interpretation – does this represent a risk of significance, what action is required, by whom, and when… There is no excuse, in my opinion, for failing to confirm the facts at the Closing Meeting and then having a dispute when the draft audit report is shared with management…. Equally, the audit team needs to listen to the management team and their assessment of the risk represented by any deficiency. Disagreements after the report has been drafted are a waste of everybody’s time and do little for the audit department’s reputation.
  • We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
  • I believe it is very important for internal auditors, especially the CAE, to understand that the word ‘finding’ can have negative connotations. It can sound like ‘gotcha’ to management, especially if there are financial or other repercussions for a manager should an audit identify control deficiencies.
  • Change is our final product… A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.
  • We must make every reasonable effort to communicate in a fashion that is not judgmental, is fair and balanced, will not be perceived as ‘gotcha’ auditing, and will influence appropriate and necessary change.
  • The only rule I have is that the auditor communicates in a way that both informs management of what they need to know and promotes positive change.

I want to highlight the next lengthy excerpt, which makes points that are at the core of any disagreement I may have with Richard’s post.

The traditional approach is for internal audit to write the finding and a recommendation. Then they ask management to write a response. So, for each finding there is an explanation of the issue by internal audit, a recommendation by internal audit, and a management response. That response may include commentary on the issue and its severity by management as well as a description of the corrective action, if any, they will take.

In most cases, the recommendation and the management response are aligned. But, sometimes there is a difference of opinion.

A report where there is a difference of opinion between internal audit and management is a ‘lose-lose-lose’ situation.

Internal audit loses because they appear:

  1. at odds with management;
  2. unable to agree with management on the assessment and the appropriate and necessary corrective actions that should be taken; and
  3. to have either failed to understand the business and its operating constraints or to explain to management why the issue is significant and requires correction.

Management loses because the audit committee will question their:

  • commitment to controls and the management of risk;
  • ability to ‘educate’ internal audit in the business and its operating realities;
  • cooperation with the audit team; and,
  • ability to resolve disagreements before they come to the audit committee.

The audit committee loses because:

  1. they are not sure whom to believe;
  2. they do not receive the assurance they need to fulfil their oversight responsibilities and have to be the judge between audit and management;
  3. their confidence in internal audit effectiveness wilts when the CAE seems unable to work with management; and,
  4. their confidence in senior management wanes when they are unable to work effectively with internal audit.

These days, the great majority of internal audit functions work hard to avoid disagreements with management. While they retain their control and ownership of the audit assessment or opinion, they make every effort to listen to management to understand their perspective. Where disagreement remains, they work equally hard to explain their point of view.

People may disagree. That is real life.

But, when it comes to serious issues, all sides should be able to come together.

If the issues are not serious, perhaps they can be handled without the need to display disagreements in front of top management or the audit committee. In fact, they may not rise to the level where they need either party’s attention and can be omitted from the audit report.

I don’t like the appearance of the format that includes a finding, recommendation, and response.

As a rule, the recommendation and response should be the same – so there is little value in repeating the same information in different words.

I prefer to communicate the issue and then the agreed action items.

If we agree on the actions to be taken, then why disguise them as recommendations and responses?

Let’s call them what they are: ‘agreed action items’.

This sends a clear message that internal audit and management are working together to define and then solve any problem.

The audit committee wants to see this almost as much as they want to understand whether there are any serious issues.

They need to have confidence in both internal audit and the management team.

They want to see a commitment from management to controls and the management of risk, and that internal audit and management are working effectively together to resolve problems and effect positive change.

The agreed action items will show:

  • What will be done
  • By whom
  • When

I have highlighted this because Richard focuses on ‘findings and recommendations’, while I far prefer ‘agreed action items’ and even leaving out issues that don’t really matter.


There’s a ton of points in what I have quoted – with much more in the book.

But there is one more point to be made.

While valuable-to-the-business change is one measure of our contribution to the success of the organization, we should not underestimate the value of assurance.

There is value to the board and top management when internal audit assures them that management’s systems and processes should be effective in addressing a significant source of risk.

There is value, even when there is no change. Our leaders can now go forward, relying on their systems and processes, to direct and manage the organization.


I welcome your thoughts.

[1] The value and quality of internal audit work should never be judged on the basis of how many issues they find.

[2] Consistent with Standard 2410.A2.

  1. July 26, 2021 at 12:25 PM

    Norman, I totally agree with you, except I prefer the word ‘opinion’ to ‘assurance’. Assurance is a nice cosy word which implies everything is fine but internal audit may find issues which are far from cosy and may have to give an opinion that the organisation’s objectives will not be achieved because risks are not being brought to within limits considered acceptable by the board.

    • Norman Marks
      July 26, 2021 at 12:42 PM

      David, I certainly endorse the requirement for an opinion – and discuss it at length in the book.

      I like the idea of assurance because as a CAE I was told by the members of my audit committee that our work “helped them sleep through the night”.

      The opinion provides assurance – which may have caveats about additional actions.

      • July 27, 2021 at 1:28 AM

        I had problems once when I reported on a subsidiary company, ‘Everything is fine, except….’ when I should have reported, ‘The systems are shot through with serious deficiencies and I don’t trust the management to put them right.’ There are times when the Audit Committee may have to experience the occasional sleepless night.
