To maximize its value to the organization, an internal audit should not only identify issues — it also needs to elicit support and action on recommendations. Internal auditors can ensure this occurs, as well as improve their relationship with management, through appropriate communication of audit results.
In fact, the communication of internal audit observations presents many opportunities and should be one of the most thoughtful tasks an internal auditor performs. That isn't to say that audit planning, scoping, and testing are not important, but to achieve the greatest value from the work performed in those phases, the outcome needs to be communicated to the appropriate audience in a way that allows them to understand the results, appreciate the significance of the issue, and take action. Communicating internal audit results is significant enough that the International Standards for the Professional Practice of Internal Auditing (Standards) has an entire series dedicated to it (see Standard 2400: Communicating Results).
The benefits of communicating results go beyond getting to wrap up an audit and informing management of the need to move forward with issue resolution. When handled appropriately, communication of audit results to management can help enhance rapport, even if the relationship was stressed during the audit. Additionally, communicating results can enhance internal audit's reputation with the audit customer and beyond by showing that the auditor understands the business and legitimate risks and is looking to provide meaningful recommendations.
There are several considerations to keep in mind when determining how best to communicate audit observations.
Make Sure the Observations are Correct
While this seems obvious, issues are not always validated before they are communicated to management. Having an audit observation challenged and not being able to support its validity can harm internal audit's ability to convince management to take action on legitimate issues and can significantly harm internal audit's reputation. When new information is presented that changes the audit results, the auditor should be able to identify why internal audit did not have the information before the point of communicating the results. The auditor should give management credit for providing the new information, note why the information was not known, and adjust as necessary.
Plan the Timing of Issue Dissemination
Management needs to know about observations as soon as possible, but not so early that the auditor cannot support the issues identified. This is a balancing act and needs to consider each manager's potential actions when receiving the information. Some managers will immediately react, regardless of the significance of the issue or their preparedness to resolve the issue, which may or may not make sense, depending on the issue's nature. Considering what they know about managers and their temperaments before presenting issues can help auditors present appropriately and at the right time. The one constant: Surprising management with all issues at the end of an audit is damaging to the auditor–management relationship and to gaining management's support for audit's efforts.
Write in Clear Prose
It is important not to soften an observation to the point that a reader does not realize the importance of, or value in, remediation. On the other hand, a report written in a strictly negative tone also may limit management's engagement in the observations and desire to work with internal audit to resolve noted items. There is more than one way to say something, and typically there is a way to say something so it is accepted and another way to make people defensive. While some may see this as being political, a lack of appropriate wording may result in the recipient not seeing the value in internal audit's work. If the goal is to create action to mitigate risk and resolve concerns, the specific words internal audit uses are important.
Exercise Diplomacy
Internal audit can improve its relationship with management even when communicating observations by exercising diplomacy. For example, taking the opportunity to acknowledge the audit customer's team achievements or its efforts to mitigate significant risks shows management that internal audit is not only focused on the identification of issues.
Understand the Business and Associated Risks
Internal audit's customers understand their business. They know what their department does, and they have considered the risks related to their function. Therefore, if internal audit cannot show that it also has a handle on each of these items, it may be hard for auditors to communicate observations in a way management is willing to listen to or can understand. One of the quickest ways to lose management's respect is to make it clear that internal audit does not understand what it has been auditing. The answer is to take the time to learn the business, processes, and risks associated with the audited area.
Focus on Legitimate and Reasonable Risks
Not every risk is a high risk. Not everything needs to be considered at the greatest possible failure. For example, many auditors identify when there is a lack of policies and procedures. While it is reasonable to notify management that it does not have the appropriate documents to support its processes, it does not mean the department will ultimately collapse without them. The department has probably operated that way for years and could likely operate for a considerable time without it actually creating a problem. That said, the issue should still be identified, but the internal auditor should do it in a way that indicates he or she understands the level of risk it is truly causing and the benefit of continuity that policies and procedures can provide a department.
Internal auditors can actually enhance their reputation with management while working toward remediation of issues. There will be tense situations and disagreements; however, if those situations never arise, internal audit is not doing its job. On the other hand, the internal auditor role is not automatically in conflict with the client — everyone is working toward the same goals of ensuring mitigated or appropriate risk levels, adequately controlled processes, and a successful organization.