In Auditing That Matters, I point out that it's not enough to audit what matters if you are unable to communicate what matters — and by that I am talking about what matters to the most important stakeholders: the audit committee and executive management.
Recently, The IIA published a Practice Guide, Audit Reports: Communicating Assurance Engagement Results.
I cannot over-emphasize the importance of effective communications.
In my presentations on world-class internal auditing, I say that an effective audit report is:
- A communication that is read and acted on right away. Why? Because it is important to the reader, easy to read, and makes business sense to the reader.
- A communication that matters because what it has to say matters to the reader.
- One that says what the stakeholder needs to know and no more.
We should aim for stakeholders actively wanting to read audit reports rather than reading them because it's their duty.
The IIA has a challenge when it comes to writing guidance on matters like this. I recall, as a member of the committee responsible for developing Practice Guides and Practice Advisories, energetic discussions about whether our guidance should reflect current practices or what leaders of the profession were doing: a more aspirational tone intended to lead the profession forward.
Should they reflect best practice, or
Unfortunately, my assessment is that this Practice Guide reflects age-old customs that will not move professional practices forward.
As I said, this is a critical topic, and I spend longer on it in Auditing That Matters than the Practice Guide does. My aim in that book is to help departments upgrade to leading practices.
Here are some key excerpts. (Please read the book for details, with examples.)
- Most internal auditors do not realize that the Standards do not require that every audit conclude with a formal, written audit report. The Standards only require that the results of the engagement be communicated. They do not specify that the communication has to be in a formal, written report.
- It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders — in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).
- Operating management need to know when anything beyond the trivial is not working the way they intend. I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.
If there is no value in informing more senior management that there was an issue, then I typically won't mention it — except, perhaps, to say that "additional issues were identified during the audit that were immediately corrected by management." If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
- Executive management doesn't need all the details; they should be able to rely on their direct reports in operating management to take care of them.
- I like to ask the question: "What do they [executive management] need to know?" They need to know anything that:
- They need to act on;
- They need to monitor; or,
- Represents a significant and unacceptable risk to their or the organization's objectives.
Anything beyond that is not just immaterial to them, but can actually degrade the quality of the report.
- We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
- I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.
- I like, whenever possible, for the reader of the audit report to see that
- It's the most important piece of information we communicate, so it should be front and center. The only exception is where it is necessary to provide some context before the reader will understand our assessment — what it covers, why it should be important to them, and so on.
- After the opinion, we answer the questions, "Are there any issues of significance?" and "Do they require my attention?"
I am not easily persuaded that anything else needs to be in the audit report.
- The oldest communication tool is
- When a simple "everything is OK" is insufficient, I believe the audit report is only the start of the communication.
- A face-to-face discussion where the auditor can explain what he or she found, the implications, as well as share his or her advice and insight is invaluable. A meeting provides the executive with the opportunity to ask questions and make sure he or she fully understands the situation before making decisions and taking actions.
Please review the Practice Guide and ask yourself whether the audit reports that would be published based on this guidance would be effective.
Do such reports communicate what stakeholders need to know (and no more), do they communicate what the auditor wants to say (a big difference), or (even worse) are they documentation of the results and an effort to prove audit capabilities?
There are some "magic" words and phrases in a couple of The IIA's Core Principles for Effective Internal Auditing:
The first should focus the auditor's attention on what their assessment should mean to the organization.
While it is important to dive deep into root causes, because only by addressing the root cause can the issue causing the symptom be fixed, it is at least as important to step back and think about the bigger picture: what this should all mean to the executives and the board.
Be future-focused. For example, should there be a change in strategies, plans, or objectives?
Is there a management or staffing problem that could have broader implications?
Should scarce resources be shifted?
In fact, the auditor should be thinking of what they would do, if anything, if they were a member of the board or executive committee. Is simply correcting the control deficiencies sufficient?
What additional insight can he or she share with decision-makers? What needs to be communicated in private rather than in the audit report?
I'm not going to pick the Practice Guide apart. However, this sentence simply annoys me: "A well-written audit report presents an opportunity to market the internal audit activity by showcasing internal auditors' in-depth knowledge of the organization's business processes and internal audit's willingness to partner with management and provide recommendations for improvement."
The audit report is not about proving how good we are and how thorough our work is. If that is your aim, you are in trouble!
It's about communicating what our stakeholders need to know.
This post is getting very long, but I want to close by asking you to look at the examples of an audit report in the Practice Guide's Appendix D. Answer these questions for me:
- How long does it take you to find the auditor's assessment? Is it front and center?
- Does the assessment explain whether and how it should matter to the executive or board reader of the report?
- Does it include information that the executive or board member does not need to know?
- Where there are issues, is it clear what risks to enterprise objectives (if any) are affected and why that is critical?
- If the assessment is rated Red, how does the executive or board member compare the importance of the issue to an audit of Cyber where the assessment was also rated Red?
- If you were the CEO, would you want to spend your time reading reports like these?
These are my personal views — and I appreciate The IIA's openness to contrary views.
I welcome your thoughts and observations.