Internal audit reports do the function a great disservice
By Norman Marks
January 11, 2017
How do our stakeholders on the board and in top management assess the value of internal audit? What do we give them? What do they have on which to base their assessment? While they probably rely to a great deal on their direct interaction with the chief audit executive (CAE) and perhaps some of his or her team, the primary internal audit product is the audit report.
Let me state the problem as I see it. The typical audit report is boring. The typical audit report does not provide the reader on the board or in top management with the information they need to run the organization. The typical audit report is documentation of the work performed and results obtained. It conveys what we want to say rather than what the leaders of the organization need to know.
The Institute of Internal Auditors (IIA) provides us with mandatory guidance in the Standards. They build on that with recommended guidance in the form of Practice Guides and Advisories. A new Practice Guide (PG) was published very recently on the topic of Audit Reports: Communicating Assurance Engagement Results.
The summary blurb (on the page where you download the PA) gets it right when it says: “As the demand for internal audit value shifts from a retrospective view to a forward-looking perspective, internal auditors are expected to adapt with innovative methods to assess and communicate internal audit results.”
The trouble is that the model described in the PG has been out-of-date for at least a decade. The PG describes a style of audit reports that does not provide our stakeholders with the information they need, when they need it, in a form that is actionable.
Over the last decade or two, a couple of people who write books and provide training on audit report writing have stood out (my apologies to the others I am not referencing).
One is Penni Fromm. On her web page, she says: “Recipients of internal audit reports are busy people. If internal audit and compliance reports don’t tell the risk story quickly, accurately, and efficiently, those reports will not succeed. They will not convey the critical message about risks that are well-managed and other risks that threaten the organization and demand action.”
Another is Angela Maniak. In her Quick Tips, she says:
- Make your writing concise, correct, consistent, and inviting.
- Get your message read, understood, and acted on quickly.
- Establish your professionalism and credibility through your written words.
I could take the PG apart. But that is not constructive. Instead, let me excerpt from my new book, Auditing that Matters. I may not be objective, but I think the guidance in the book on audit reports alone (which is far more extensive than in the PG) justifies the purchase. You will judge for yourself.
- It is critical not only to audit what matters, but to communicate what matters.
It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors). Operating management need to know when anything beyond the trivial is not working the way they intend.
I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.
- If there is no value in informing more senior management that there was an issue, then I typically won’t mention it—except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
- Executive management doesn’t need all the details; they should be able to rely on their direct reports in operating management to take care of them.
I like to ask the question: “What do they need to know?” They need to know anything that (a) They need to act on; (b) They need to monitor; or, (c) Represents a significant and unacceptable risk to their or the organization’s objectives. Anything beyond that is not just immaterial to them, but can actually degrade the quality of the report.
- We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
- I [want] the executives to be able to read just the first few paragraphs and obtain the most critical information and satisfy their needs.
- I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.
I like, whenever possible, for the reader of the audit report to see that immediately. It’s the most important piece of information we communicate, so it should be front and center.
- If there are facts or issues that don’t require an executive’s attention, why do we need to tell him or her about them?
The executive is entitled to place reliance on operating management to address less significant issues – issues that we communicated in the Closing Meeting. So, every item that the audit team wants to include in the report that goes beyond what I can see an executive needing to know will come into question from me.
- Change is our final product.
A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.
To be fair to the IIA, guidance cannot be too far ahead of practice. As a member of the IIA committee that wrote PGs in the past, I can attest to the challenge of writing useful guidance that will be accepted by the majority but still lead the practice of internal auditing forward. Unfortunately, I don’t think this PG is consistent with best practice today, let alone what is necessary going forward.
Effectively communicating our assurance, advice, and insights is critical to the success of the profession. If we fail to do this, we fail to demonstrate the full value of the function.
That’s my opinion. What’s yours?
Norman Marks is a former chief audit executive and risk manager at several Fortune 500 companies and the author of the books, World Class Risk Management and Auditing that Matters. This article was republished with permission from the blog, Norman Marks on Government, Risk Management, and Audit, Risk Management, and Audit.