A company president once told me shortly after I joined the organization that he didn't understand why he was receiving copies of internal audit reports. He didn't understand how they were relevant to his work. He had better uses of his time than reading our reports.
He is not alone. Drew Stein, a board member and former CEO in New Zealand, has written, "Almost all of internal audit findings are mundane operational compliance issues."
When organizational leaders don't see value
to them in what internal auditors share — even questioning whether they should waste their time reading audit reports — something is wrong and change is needed. These leaders will only see value if internal auditors' communications are about issues that matter to them and to the organization's success, and provide clear, concise, and actionable information. In other words, auditors must provide them with the information they need to be effective leaders.
In an era of dynamic change, organizations and the managers who run them are also changing how they monitor and run the business. In particular, they must be ready to make decisions quickly because risk and opportunity don't wait for them. A decision delayed is often a decision that is made by a competitor.
In many ways, the internal audit profession has challenged many of its traditional, tried-and-true methods and principles to meet these changing stakeholder demands. One thing that hasn't changed is that many internal auditors are still communicating their findings through a traditional audit report, and that may not be sufficient. They may not realize that the International Standards for the Professional Practice of Internal Auditing does not require a formal, written audit report. Standard 2400: Communications requires that "Internal auditors must communicate the results of engagements." The
communication, and internal auditors should consider how they can
The traditional audit report and its standard format tell stakeholders what
auditors want to say, rather than telling stakeholders what
they need to know. A more effective audit communication tells leaders what they need to know, when they need to know it, in a form that is not only readily understandable but actionable by them. In other words, internal auditors should provide stakeholders with the information they need to be effective. At the end of an audit engagement, the auditor should consider what information — assurance, insight, and advice — will help stakeholders lead the organization to success. What are their challenges, and how can internal audit help deal with them?
What Stakeholders Need to Know
Your young child comes to you crying in the night and tells you she has a tummy ache. Her head seems warm but she doesn't have a high temperature, so you bring her into bed with you and she comfortably cuddles up. But soon she starts crying and curls up into a fetal position. "Mommy, daddy, it really hurts!" she cries. This time when you touch her head, it is hot, and you decide to take her to the emergency room.
Fortunately, she is seen quickly by a doctor, who says he needs to run a few tests. You wait. Then you wait some more. Eventually, a nurse appears. You run to her and ask, "How is she? Will she be OK?"
The nurse hands you a binder and says, "Here's the doctor's report."
You raise your voice. "Is she OK?"
The nurse smiles and informs you that there is an executive summary on page 3 where you will find the information you need.
The leaders of the organization, internal audit's stakeholders, are not that different. They want to know whether everything — the people, processes, and systems relied on to manage risks — is going to be all right (assurance). They also need to know what they need to do (advice and insight).
They don't need to know:
- Why internal audit did the audit. They need to know the results and why they matter, not the audit planning process. The results will include assurance on specific risks and objectives.
- How internal audit performed the work.
- Background information that they should already know and is not relevant to the assurance, advice, and insight internal audit is sharing.
- Details that are being handled appropriately at lower levels of the organization.
Cover Note Example
The note below — originally a hard copy, later in an email — was attached to an audit report sent to executive management and the audit committee at Tosco Corp.
January 15, 1995
Audit of Derivatives Trading
Are there any risk issues of significance to the audit committee or executive management? YES/NO
Are there any outstanding major internal control findings meriting audit committee or executive management attention? YES/NO
The "Cover Note Example" (see right) accompanied an audit report to stakeholders at Tosco Corp. when I was the company's chief audit executive (CAE). The note showed them at a glance whether there was anything they needed to worry about. It gave them the assurance they needed to rely with confidence on the controls around derivatives trading risks.
If we identified significant internal control weaknesses, we did more than rely on a rating system. The cover note would have one sentence that described them at a high level. The executive summary would explain how enterprise objectives might be affected.
Going back to the story about the sick child, if you opened the report to the executive summary and it said your child's condition was "needs improvement," would that be acceptable? Would it provide the assurance you need or the information you need to care for her?
What Do You Mean?
After I left Tosco, I joined Solectron Corp., a global electronics manufacturing company. My first task as CAE was to review and approve the audit report for our audit of the Shenzhen, China facility. My predecessor had developed an audit report format that led with the results presented in a table. There was a row for each area of risk that had been included in scope, with an assessment of the related controls — using a red, yellow, green color-coding system — and the number of significant findings.
In the draft audit report I reviewed, the assessment for every area of risk was "red," and the paragraph directly below the table started with, "The system of internal controls at the Shenzhen facility is not adequate. Significant improvements are required."
I called Audrey, the audit director for Asia Pacific and Japan and a direct report to me. "Audrey, what does this mean?" I asked. Her reply was, after a moment's hesitation, "Norman, the internal controls are not adequate." I repeated my question and she repeated her answer.
"Audrey, imagine that as you are getting on the elevator on the fourth floor of the corporate office in Singapore, you see Chester, the president and CEO for Asia Pacific and Japan. He asks you, 'What do I need to know about your audit of Shenzhen?' I want you to call me tomorrow and tell me what you would say, recognizing that you only have until the elevator reaches the ground floor."
Audrey called me the next day. "I would tell Chester that 'the controls in Shenzhen will not be able to support the 30 percent expansion in manufacturing capacity planned for later this year,'" she said. Instead of blandly saying that controls were inadequate, or even that the listed areas of risk were outside acceptable levels, Audrey was giving executive management actionable information that would help it run the business successfully. This advice and insight was based on an understanding of the organization's strategies, plans, and objectives. It told the executive, in clear and readily understandable language, that the plan to move production from other locations to Shenzhen would probably fail. That assessment was then followed with advice on the changes necessary to address the situation. We changed the audit report to lead with the effect on the business and its strategy. We used the language of the business to share our assurance, advice, and insight, rather than the language of internal audit (risk and controls).
The senior management team and the board are focused on executing on and achieving their strategies and objectives. Internal audit may know how internal control and risk management deficiencies may affect those goals, but unless auditors say more than "the system of internal control is not adequate," there is no assurance that management will appreciate what the audit results should mean to them.
Internal auditors need to communicate the results of their audits in a way that:
- Makes it clear which enterprise objectives might be affected and how.
- Explains which risks to objectives are outside desired levels.
- Helps them identify and then take the necessary and appropriate actions.
For example, our report following an audit of the process for reviewing and approving capital expenditure requests at Tosco led with an opinion statement: "The Authorization for Expenditure process does not meet the needs of the organization. Decisions are not timely and, as a result, business opportunities are lost — rendering null the original business justification."
The first words used the language of the business to highlight the fact that business objectives likely were not being achieved. The opinion continued by saying that capital decisions might be delayed to the extent that revenue opportunities were lost. The audit report went on to explain what was happening, gave an example of a missed opportunity and the cost to the business, and how management had agreed to address the issue. This report prompted change.
Have a Discussion
Many internal audit departments track and report to their audit committee the number and aging of outstanding audit recommendations. One of the reasons management often fails to take all the necessary actions promptly is that internal audit and operating management do not have a common understanding of the potential effect on enterprise objectives.
Some auditors talk about internal audit having to "sell" its audit findings. They complain when management is reluctant to make the change they recommend. But perhaps management is right! Maybe the risk is one they should be taking on business grounds, or there is a better way to address the issue.
Rather than writing a recommendation and asking for a management response, internal audit departments should sit down with operating management and discuss:
- Do we agree on the facts?
- Do we agree that there is a risk to one or more enterprise objectives?
- Do we agree on the significance of the risk?
- What is the root cause of the problem?
- Should the risk be accepted or action taken to minimize it?
- What are the options and which is best?
- Will the actions bring the risk to an acceptable level?
- What is a reasonable time frame within which to complete the corrective actions, and who will own each task?
A constructive, open discussion with management — where everybody is listening and working toward the shared objective of enabling enterprise success — is far more likely to result in the change necessary for success. Internal auditors should realize that their final product is not really the audit report and its recommendations — it's the change that they enable. Informing executive management and the board that internal audit and management have agreed on defined actions is far better than sharing internal audit's recommendation and management's response.
Beyond the Report
Core Principles for the Professional Practice of Internal Auditing talks about sharing not only assurance and advice, but insight. Every good internal auditor has opinions that go beyond what is typically included in the formal audit report. These may be of great value to management — if management gets to hear them. For example, the audit team may have thoughts on:
- The competence of the management team and staff.
- Teamwork and morale in the area audited.
- The level of resources available to the team (people, budget, systems, computers, etc.).
- The ability of the team to deliver optimal performance.
At the same time, management may have questions on these or similar topics and may welcome the opportunity to ask for the audit team's thoughts. Often, these insights are at least as valuable as the assurance and recommendations for change included in the audit report. But there has to be an opportunity for management to hear and discuss the insights of the audit team.
When there is more to say than "everything is fine," a face-to-face conversation with management can be the best communication method, especially in private when difficult topics can be discussed candidly. The most effective communications result in a shared understanding, and this is best achieved when both sides not only talk and listen, but ask questions to make sure they understand the other fully. This is the path to effective change and delivering the full value of internal audit to management.
A meeting or a phone call also may be essential if issues are serious and need to be addressed promptly. If the risk is significant, it doesn't make any business sense to delay corrective action for weeks while the audit report is being drafted.
Forms of Communication
Internal auditors need to communicate in a way that is easy for the individual with whom they desire to communicate to receive, absorb, and act on the information they need. Every CAE should take full advantage of modern communication methods as well as embrace the oldest way to communicate — talking and listening.
CAEs should understand how each of their key partners in management and on the board likes to receive information, especially the information they want to get from internal audit. These days, executives receive most of their information in dashboards and similar forms, as well as in meetings and emails. CAEs should consider asking that the CEO's and chief financial officer's (CFO's) daily dashboards or metrics include a section that highlights audit-related issues meriting that executive's attention. Sometimes, that is enough.
If the executive needs to know that the audit engagement confirmed that controls over a specified risk are working effectively, then that can be communicated with a descriptor and a green light. If controls are not adequate and the CEO's or CFO's attention is necessary, a red light replaces the green one with a link to the details, which may be the audit report in full or abbreviated form.
Listen and Ask Questions
As a CAE, I told my internal audit teams that I don't ever want them to "go and talk" to somebody. I want them to "go and listen." If they are talking more than 40 percent of the time, they are talking too much. Internal audit's communications should provide its audience, its stakeholders, with the opportunity to listen actively — to ask questions and to discuss the situation and its implications.
Communications should start early and be frequent. If internal audit finds something that appears problematic during the audit engagement, it should be talking about it, and listening, to management straight away.
The closing meeting at the end of fieldwork is an excellent opportunity for sharing, not only by the internal audit team but by management. The meeting should conclude with a shared understanding of the facts and issues, the risks they represent to enterprise objectives, and the actions that everyone agrees should be taken. If internal audit has done that well, the audit report simply becomes an after-the-fact summary. Even if there is no formal audit report, everybody should be assured that all issues will be addressed appropriately.
The audit report has value in enabling a discussion with senior management and the board — although serious issues should be communicated promptly in person or by phone. In some industry sectors, the report is necessary to meet the requirements of the regulators. But rather than considering the audit report to be the primary communication vehicle in every case, internal audit should adapt to its stakeholders' needs for assurance, advice, and insight. When internal audit provides the executive team and the board with the information they need, when they need it, to run the organization successfully, it is optimizing its value.