People have been struggling with the challenge of writing effective internal audit reports since the dawn of time.
A number of books have been written on the topic and every year experts lead classes.
But I think many, if not most, have missed the point: we should communicate what our stakeholders need to know, not what we want to say.
I think I can explain my views best with excerpts from my book, World-Class Internal Audit: Tales From My Journey.
It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says "Internal auditors must communicate the results of engagements."
The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.
Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.
The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.
Standard 2420, Quality of Communications, says "Communications must be accurate, objective, clear, concise, constructive, complete, and timely." The Interpretation that follows has some powerful language, including these sentences:
"Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information. Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed. Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions."
The book has some practical advice that is based in part on an experience I had at Home Savings of America where I was a direct report to the CAE:
Mario Antoci, the President of the company, received a copy of our internal audit reports. He tasked his executive secretary with reading every report and highlighting the sections he needed to read. If there was nothing meriting his attention in the report, it was filed. If there were items of significance, she brought that to his attention straight away.
My initial thought was that I would highlight the audit reports for the board and top executives. But then I asked myself why the audit report had sections that they didn't need to read.
I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.
I heard them say that they wanted to know the answers to two questions:
- Is there anything they need to worry about?
- Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?
In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn't want to waste their time (my expression; they didn't actually use those words) on matters that didn't merit their attention.
I developed a cover sheet that I used for all my audit reports. The box below provides an example:
January 15, 1995
Audit of Derivatives Trading
- Are there any risk issues of significance to the Audit Committee or executive management? YES/NO
- Are there any outstanding major internal control findings meriting Audit Committee or executive management attention? YES/NO
Executive and Operating Management
If either of the answers to the two questions on the cover page was "Yes," I would include a sentence (at most two) explaining the issue. Then they could read the rest of the report (or at least the Executive Summary) for more.
If the answers were both "No," unless they had a particular interest in the topic addressed by the audit, they might not read further — and they didn't need to.
Would this work for you?
I welcome your comments.
Are your audit reports communicating what the reader needs to know or what the writer wants to say?