Remove the shackles of the audit report format!

September 6, 2021

A short while ago, I was talking to an internal audit manager whom I had been helping with her audit of enterprise risk management at her company.

Not surprisingly, her team found a great many issues. Communicating her opinion, that the risk management team and related activities were not seen as helping management make informed and intelligent decisions, was not going to be easy.

Part of the problem was that there were some significant failings at a detailed level, such as not updating risk limits and other guidance on a regular basis as the business changed. It would be too easy to get distracted by the trees, rather than the state of the forest.

In addition, her manager (the CAE) was strongly of the opinion that the organization needed a risk appetite statement – which the manager realized was not the issue (and we agreed that it was not a great concept).

The CAE had dictated that every audit report had to follow a strictly enforced format.

So even though the best way to communicate an assessment of risk management is using a maturity model, that would not be permitted.

All I could do was sympathize and offer to meet with her CAE. I hope she can find her way through this.

My suggestion was to put a lot of effort into communicating the results of the audit through face-to-face meetings, even if they have to be through Zoom or similar. Constructive give-and-take discussions about what she found and why it matters would be of far more value and far more persuasive than any text document.

As CAE myself, I gave my team a great deal of flexibility when it came to the audit report. There were some rules, of course, but they were principles rather than detailed regulations.

I had an exemplar format, but I wanted the team to do what would work best rather than what would adhere rigorously to a standard.

For example, the opinion of the auditor had to be upfront, the first thing the customer read – unless it was really necessary to explain the context first.

Another principle was that the auditor needed to use plain English, a rich language that can be used creatively to communicate the auditor’s opinion. Requiring standard language, such as a rating system, is limiting.

If the auditor wanted to say that controls, etc. were not effective or adequate, that had to be explained in a way that the customer would readily understand.

In fact, I encouraged them to write the way they would speak.

Suggestions for improvement had to be practical and what the auditor would do themselves if they were in charge.

The audit report had to be concise and readily consumed by the busy executive.

It had to communicate what they needed to know, and no more.

We are not limited to a rigorously enforced standard for communicating in person. Why should we be limited when we are writing?

There is value to standardization, but it can also be a drag on effectiveness and the ability to deliver maximum value.

I welcome your thoughts.

  1. September 6, 2021 at 5:34 PM

    This is so poorly portrayed it should not be in public display Norman.

    • Norman Marks
      September 6, 2021 at 5:40 PM

      Michael, can you explain?

  2. September 6, 2021 at 5:38 PM

    Norman – Thank you. I really have nothing to add. I think you hit it really well. A standard format helps the reader, as long as it’s flexible enough to convey the appropriate message. A standard basic format can help the reader know, for instance, that if they read the first-page summary (and it’s written well) then they’re not going to completely miss any high-level issues. And I’m really a big fan of “general observations” that the auditor may want to include. This might be information that will help the reader develop a more informed and nuanced understanding. And there’s certainly nothing wrong with a short meeting – in person as you suggest – to assure that the finer points actually came through.
