Home > Risk > If audit reports were banned

If audit reports were banned

What would you do as CAE if you were forbidden from writing a formal audit report?

Let’s think about this challenge, as it may help us pinpoint the value of these documents.

X

Consider our customers in management first. What do they need to know and how can we best communicate (as the IIA Standards dictate) the results of our engagements?

The first opportunity comes during the audit when potential issues are identified. The auditor should discuss them promptly with operating and other management as appropriate. This enables the auditor to:

  • Share the results of testing of controls
  • Discuss what they mean, such as whether any controls are not functioning consistently as designed
  • Obtain agreement on those facts, or hear why management believes the auditor to be mistaken and perform any additional work that may be appropriate
  • Discuss with management whether there is a risk to the business and the achievement of objectives, including which objectives may be impacted
  • Agree on the severity of the risk and whether corrective actions are required
  • Discuss the options for addressing the issue(s) and which corrective actions, if any, are justified
  • Get to where management owns the issue and commits to taking the actions
  • Agree that management will, by the closing meeting, confirm what will be done, by whom, and when

It is easy to downplay the importance of these conversations. But there is an immense opportunity to work with management by promoting prompt corrective actions and adding value. We have to be careful not to dictate to them, but to approach these discussions with a spirit of collaborative partnership. Listen twice as much as you talk.

X

The closing meeting is an opportunity to confirm the prior communications and management’s corrective actions.

This where more senior management is likely to be involved and they should hear from line management just as much as they do from the audit team.

By the end of the meeting, facts, assessments, and corrective actions should all be agreed.

In some cases, senior management may want time to consider the situation and let the auditors know later what actions will be taken. The auditor should not wait for the audit report to be issued, even in draft form, before meeting again with that senior management to finalize everything.

A memo that summarizes the results and agreed actions from the closing meeting should be prepared (I did this as CAE).

X

At this point, only senior and executive management remain of those we normally reach with an audit report. Usually, we can rely on operating management to communicate with their managers, but the auditors cannot rely on this alone.

If the audit is essentially ‘clean’, with no serious issues, nothing has been lost. The CAE can wait until the next time he or his team meet with those executives to ask if they have any questions about the audit.

If there are more serious issues that merit the attention (i.e., action) of senior or executive management, the audit team should meet with them. In some cases, a phone call may be sufficient. Otherwise, an in-person or virtual meeting is needed.

There are several advantages to a meeting rather than relying on a formal audit report. In a meeting, the executive has an opportunity to discuss not only the issues raised by the report, but to obtain the professional insights and advice of the auditor. The auditor similarly has an opportunity to understand the business consequences of any identified issues, as well as build on their relationship with management.

X

So far, I am not sure the absence of an audit report has hurt us.

What about the audit committee members?

For a start, many CAEs do not send the audit committee copies of every audit report. I did, but I can see that being a problem if the audit team is large and issues hundreds of reports every year. My team issued up to 120 in a year, but we structured the report format so that each could be consumed rapidly. I have discussed the format elsewhere, here and in my books.

The audit committee needs to know:

  • Is there a problem that merits board attention because of the level of risk to achieving our objectives?
  • Is management addressing it satisfactorily?
  • Is there something we need to do ourselves?

If an audit surfaces issues that merit board attention, my preference is to talk to the chair of the committee. We discuss the situation and agree on how best to inform the rest of the committee.

The chairman may request a written briefing document that can be shared and then discussed. That briefing document should be prepared in collaboration with management and focus only on the serious issues that merit board attention.

In other words, the brief is likely to look different from the traditional audit report.

But those situations are, hopefully, rare.

The audit committee can be informed as part of the CAE’s regular update at the next quarterly meeting of the committee.

Rather than including the traditional audit report in the board package, the CAE will have a concise summary of the audits performed that will be used as a basis for discussing them.

X

We have managed to navigate the communication requirement (with one potential exception, which I will come to in a moment) without a formal and traditional audit report.

Have we lost anything? Have we in fact gained because of the additional emphasis on personal interactions and open, collaborative discussions with management?

X

The one exception is where regulators are involved who insist on formal audit reports. In this case, I would meet with them and discuss what they need to know and how best to provide it to them. I expect I can find something different and less time-consuming than the traditional audit report. It may be a simple list of audits performed, issues identified, their significance, and the corrective actions taken.

X

Eliminating audit reports is probably at least one step too far for most. However, I suggest that thinking about the value they provide and whether there is a better way to deliver it will stimulate changes in your practice.

What do you think of all of this?

  1. Bruce McCuaig
    March 3, 2022 at 8:36 AM

    If audit reports are abandoned, as they should be, then we will have recognized that the role of audit is not to provide the elusive thing we call “assurance”. Once that burden is removed we can focus on how to help the business achieve objectives and add value. That’s a huge paradigm shift and it can’t happen too soon.

  2. Joseph Kassapis
    March 3, 2022 at 10:07 AM

    I started negatively prejudiced but was carried by this excellent – simple and clear – argument/analysis. Made me see how much less useful than i thought the traditional report is and how much less traumatic than i felt its phasing out would be. I now clearly lean towards the transition …

  3. Richard Fowler
    March 3, 2022 at 10:16 AM

    What a fantastic thought experiment! We currently address all the items you mention during the course of an audit, so we are meeting the auditing standard for communicating results. Yet we still issue a formal audit report to document the issues and opportunities. I think the positive results from our testing, indicating where things are working well, are part of the “assurance” aspect and not elusive at all – but these might not be communicated so well without the formal report.

  4. Bill Spoehr
    March 3, 2022 at 10:19 AM

    If your IA team defines “reports” as multiple page documents with cover pages, several exhibits, and a table of contents, and if you’re still issuing something that looks like that (in a non-regulatory environment), then by all means “get with the program” and eliminate them from your company.

    We do not share all audit reports with the Audit Committee by mutual agreement. However, as required, they are regularly notified of all reports issued, including a summary of the audit report conclusion. Significant reports are discussed with the AC Chair and the full committee, as needed. Communication is the focus, not “reports”, and communication can and should take many different forms. Flexibility is the key.

  5. March 4, 2022 at 1:25 AM

    Norman, you have started with the meeting to discuss potential issues. I would start with the opening meeting, since good management are often aware of issues, but have not been given the resources to correct them. I have often heard the phrase, ‘We’ve been trying to improve this system for years, but senior management won’t listen. Perhaps if you put it in your ‘report’ they will take notice’.
    The opening meeting is an opportunity to understand what issues have already been identified and to form a partnership with management. This should reduce the need to report some items.

    • Norman Marks
      March 4, 2022 at 6:41 AM

      Very true, David

  1. March 3, 2022 at 9:03 AM
  2. June 7, 2022 at 7:34 AM
  3. June 7, 2022 at 7:46 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: