Mutual understanding between internal audit and its clients can be difficult to achieve. When audit clients hear jargon such as "issues" and "gaps," or read it in an audit report, they often stop listening. They're left with the impression that internal audit doesn't understand the risks their area faces and that its reporting is irrelevant. At the same time, auditors may experience frustration over clients' failure to understand audit issues. Why can't issue communication be easier and more effective? In many cases, it's because auditors don't "speak the same language" as their clients and fail to communicate adequately about risk.
The IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, states that risk management and control duties must be coordinated carefully organizationwide "to assure that risk and control processes operate as intended." In reality, that coordination does not always happen. For the first-line business units conducting day-to-day operations, if there are no risks within the immediate processes they manage, there are no issues. At the same time, many internal auditors perform their work in isolation, targeting check boxes without comprehensive understanding of risks, even though second-line risk management and compliance functions are looking at risk appetite and the risk landscape enterprisewide. Effective risk communication can be challenging when internal auditors are out of sync with other assurance providers and adhere to an outdated, myopic approach.
In today's rapidly changing environment, the traditional method of identifying issues based solely on test results for design and operating effectiveness is an insufficient means of risk analysis, reporting, and acceptance. Although test results provide a solid basis for showing how the client failed, they offer little insight into why the client should care beyond a low score. And if our deliverables lose relevance to the audience, we lose buy-in.
Within the audit report, risk-based information tends to be underdeveloped and fails to provide adequate support for issues. Risk statements often appear as a single line in each issue table, and risk analysis may not be presented holistically anywhere in the report. Moreover, risk assessment usually occurs only during the planning and scoping phase of an audit. Even if the assessment has been performed well and reveals areas of weakness, key risk indicators are gradually lost as the audit progresses toward its conclusion, leaving unclear answers about the true risk. Risk conversations should instead take place throughout the entire audit.
Before presenting issues to clients, internal auditors should ask, "Did I perform sufficient risk analysis to cover significant areas?" rather than "Have I identified enough findings?" Overall, the goal of issue communication should not be putting down names on the sign-off sheet, but rather mutual agreement on risks and a willingness to address them.