Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​On the Frontlines: Not All Findings Are Bad

Comments Views

​Early in my internal audit career, my manager asked me to begin an audit closing meeting in front a large group with the good remarks we noted during the audit. I was quite embarrassed, as I was not prepared for that. I probably managed the situation, but not very well. "Be fair with your auditee," my manager said later. "If they are not all bad, what stops you from telling them that?"

That was a life lesson for me.

The internal audit report is the only document that presents the outcome of a practitioner's entire audit work to the reader. The audit plan, outcomes of risk assessment, preliminary study, data analysis, control testing, and interviews do not communicate anything, themselves, unless they result in an audit finding. It is the internal audit report that compiles the audit findings, highlighting deficiencies and nonconformities of an audit client's function that require management's attention and action.

Does all audit testing produce a negative result? Obviously not. In most cases, the opposite is true.

Internal auditors frequently find that most of the audit client's activities are running smoothly, and therefore do not lead to any audit finding. These facts, which indicate the existence of good controls in the client's processes, are audit findings in the positive sense and should be included in internal audit reports.

Unfortunately, internal auditors never report these favorable findings. Instead, the findings are buried in the audit files for future reference, often indefinitely.

However, internal auditors should balance the audit report by mentioning these positive outcomes of their review. Although a traditional audit report leaves little or no room for positive remarks, auditors should consider accommodating them briefly. For example, before going into the detailed audit findings, auditors could mention the important controls they tested that were working well. Trying to balance the positive with the negative can be tricky, though, because focusing too much on the positive may cause the audit report's focus to shift.

The positive remarks may be discussed in the audit closing meeting and even in meetings with the audit committee. Before starting discussion of the audit observations, the lead auditor or the chief audit executive may take a few minutes to acknowledge the good controls and best practices that auditors came across during testing. This is particularly important if there have been improvements from the previous audit.

I strongly advocate including positive remarks in an internal audit report not only to offset the negative impression of the readers, but also to give them a fair impression about the audit client's function by noting that "It is not all bad." Moreover, positive comments help build a good relationship between the auditor and client. They can give the client a positive impression of internal auditors and the audit process, as well as help them accept the auditor as a business partner who works fairly to assess their function and make encouraging comments, where appropriate.

However, positive remarks in an audit report, closing meeting, or audit committee meeting should be succinct and kept to the bare minimum. They do not require the same level of elaboration and discussion as audit findings. However, auditors should bear in mind that achieving a balance is important, considering the readers' primary requirement of knowing the gaps in the process under audit.

As the term "reasonable assurance" is used for audit opinion, the same applies for positive audit remarks. The readers should be made aware that the positive notes are "reasonable" based on the evidence and samples examined by the auditors.


Tahsinur Rahim, CIA, CRMA, is head of Audit and Compliance at Guardian Life Insurance Ltd., in Dhaka, Bangladesh.

Want to be a part of Your Voices? Click here to learn how to contribute a blog post.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  • CPE-Reporting-December-2021-Blog-1
  • Training-Catalog-December-2021-Blog-2
  • IAF-and-Deloitte-Report-December-2021-Blog-3