What are internal auditors doing wrong with audit reports?
HUBBLE Internal audit reporting often is not part of a broader stakeholder communication plan. Before internal auditors determine their approach for audit reports, they should understand the various internal audit stakeholder expectations and establish a plan for formal and informal communication. As report preferences will vary by organization, and even individual, having a comprehensive reporting plan will ensure internal audit is communicating the right information, in the right format, at the right time. Specifically, internal auditors commonly create very long reports with a lot of context their particular readers may not find valuable. This makes finding the important information difficult, or it is potentially missed altogether. Internal auditors can use other forms of reporting, including verbal communication and memos, for smaller groups of recipients.
PUNDMANN Internal auditors sometimes issue audit reports that look more like workpapers, with lots of words and data, providing few — if any — relevant insights and action items. If internal auditors really want to be seen as adding value to their stakeholders, they need to start reporting more strategically, with information relevant to the reader, leading with insights and action items instead of data.
What is often missing from the audit report?
PUNDMANN Audit reports are often missing the "why does this matter?" aspect. Auditors diligently try to write their findings using the condition, cause, criteria, and effect format. But many times they don't convey the risks or opportunities, which tell readers why they should care. Formatting also is key. Can readers easily scan the report to quickly get the information they need? Does the report include an executive summary, key insights, and graphics? Audit reports should provide perspectives on what the project did not cover to avoid offering a false sense of security. For example, a cyber audit could mean many different things to different stakeholders. Did you conduct an attack and penetration audit? Did you look at resiliency? Clarifying which areas were in and out of scope can prevent the false comfort that comes with assuming auditors assessed something.
HUBBLE Insight! Internal auditors can demonstrate the most value when they translate their internal audit results — observations as well as leading practices — into meaningful information from a business perspective. Internal auditors should ask themselves "So what?" when drafting the first paragraph of the audit report. They should think from a business leader perspective and communicate in a way that enables the business to understand the connection of the audit report to the business operation and to achieving its strategic objectives. Internal auditors also need to apply professional judgment and be comfortable giving insight on overall control environments without testing the entire control set within a particular function or process. By clearly articulating the scope of the audit, risk priorities, and their assessment of management's control awareness, internal auditors can apply their business acumen and provide insight from audit results that go beyond the number of control weaknesses identified.
What should auditors leave out of the report?
HUBBLE Information that has no correlation to the risks deemed as high priority in the risk assessment. Often, we see internal auditors performing end-to-end audits over an entire department or process, testing controls that pertain to risks that are not seen as a priority for the organization. I've seen where low issues are not included in an audit report, though I would caution if an audit plan is truly risk driven, these issues should still be worthy of written documentation. I suggest auditors evaluate, during the audit planning phase, what control activities are correlated to priority risks and the overall audit objective. Continuing to consider the "so what" factor, the auditor will sharpen the audit scope. This way the auditor not only avoids documenting information that is not pertinent to the audit objective, but also does not spend time testing these areas. The level of detail for testing and reporting is something leading practice internal audit functions discuss with their stakeholders, explicitly with the audit committee or governing body. As reporting is a function of the assurance provided, it is essential that the auditors include or omit information as aligned with the internal audit mandate and risk assessment and audit plan approach.
PUNDMANN Auditors don't need to share the entire journey of how they arrived at a finding. Appendixes can be used to provide supporting data and facts for the reader who wants more information. Exclude extraneous words and data that don't add value to the report. How many audit findings start out with "During our review we noted that …?" Filler words take away from the far more important insights elsewhere in the report. Crispness is key.
What types of visuals can enhance an audit report?
PUNDMANN Lengthy reports that don't call attention up front to the most important items miss an opportunity to effectively communicate with the reader. Stakeholders want a quick view of priority areas first to help them get context and perspective, so they can discern where they need to dig in more deeply. Those quick views could come in the form of graphics, charts, infographics, ratings, or dashboards. We've particularly seen dashboards work well by offering visualizations or heat maps of internal audit assessment areas.
HUBBLE Charts are always a favorite, as they are quick and easy to gauge results from a comparison of data. I suggest internal auditors start using interactive dashboards to further reinforce the notion that reporting is one piece of ongoing communication. Through interactive dashboards, report recipients can navigate the information and ask questions, allowing them to consume the information in a customized, organic way.
Are there any adjustments for audit reports that will be read on smartphones?
HUBBLE Regardless of how a report is viewed, internal auditors should consider how the reader will consume the information. Of course, reports will be read on smartphones and formatting needs to be considered. Internal audit should align its communication plan with the organization's overall digital transformation — a strategic initiative in many organizations — specifically, as organizations shift to using apps in place of smartphone-enabled, web-friendly browser views. Internal audit should lead by example and consider how it can communicate through a more holistic digital channel, such as using apps to communicate and interact across the function and with its stakeholders.
PUNDMANN We need to assume that all audit reports will be read on a smart device. Beyond putting those reports in a device-friendly format, internal audit should try to get its key messages across up front in an executive summary or in the body of an email without forcing the reader to open endless attachments.