Risks Speak Louder Than Issues

Internal audit communication should focus on the key threats our clients face.

Mutual understanding between internal audit and its clients can be difficult to achieve. When audit clients hear jargon such as "issues" and "gaps," or read it in an audit report, they often stop listening. They're left with the impression that internal audit doesn't understand the risks their area faces and that its reporting is irrelevant. At the same time, auditors may experience frustration over clients' failure to understand audit issues. Why can't issue communication be easier and more effective? In many cases, it's because auditors don't "speak the same language" as their clients and fail to communicate adequately about risk.

The IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, states that risk management and control duties must be coordinated carefully organizationwide "to assure that risk and control processes operate as intended." In reality, that coordination does not always happen. For the first-line business units conducting day-to-day operations, if there are no risks within the immediate processes they manage, there are no issues. At the same time, many internal auditors perform their work in isolation, targeting check boxes without comprehensive understanding of risks, even though second-line risk management and compliance functions are looking at risk appetite and the risk landscape enterprisewide. Effective risk communication can be challenging when internal auditors are out of sync with other assurance providers and adhere to an outdated, myopic approach.

In today's rapidly changing environment, the traditional method of identifying issues simply based on test results for design and operational effectiveness constitutes an insufficient means of risk analysis, reporting, and acceptance. Although test results provide a solid basis for showing how the client failed, they don't provide much insight into why clients should care other than a low score. And if our deliverables lose relevance to the audience, we lose buy-in.

Within the audit report, risk-based information tends to be underdeveloped and fails to provide adequate support for issues. Risk statements often appear merely as a single line in each issue table, and risk analysis may not be presented holistically anywhere in the report. Moreover, risk assessment usually occurs during the planning and scoping phase of an audit. Even if the assessment has been performed well and reveals areas of weakness, key risk indicators are gradually lost over the course of the audit and toward the conclusion of the engagement, leading to unclear answers about true risk. Risk conversations should instead take place throughout the entire audit.

Before presenting issues to clients, internal auditors should ask, "Did I perform sufficient risk analysis to cover significant areas?" rather than "Have I identified enough findings?" Overall, the goal of issue communication should not be putting down names on the sign-off sheet, but rather mutual agreement on risks and a willingness to address them.

Jingwen (Grace) Wu

About the Author



Jingwen (Grace) Wu, CIA, is compliance officer, Risk & Governance, at Silicon Valley Bank in Santa Clara, Calif.

