A short while ago, I was talking to an internal audit manager whom I had been helping with her audit of enterprise risk management at her company.
Not surprisingly, her team found a great many issues. Communicating her opinion, that the risk management team and related activities were not seen as helping management make informed and intelligent decisions, was not going to be easy.
Part of the problem was that there were some significant failings at a detailed level, such as not updating risk limits and other guidance on a regular basis as the business and the business environment changed. It would be too easy to get distracted by the trees, rather than the state of the forest.
In addition, her manager (the chief audit executive) was strongly of the opinion that the organization needed a risk-appetite statement—which the manager realized was not the issue (and we agreed that it was not a great concept and wouldn’t solve the risk management problems at the organization).
Another difficulty was that the CAE had dictated that every audit report had to follow a strictly enforced format. So, even though the best way to communicate an assessment of risk management would be to use a maturity model, that would not be permitted. All I could do was sympathize with the internal audit manager and offer to meet with her CAE. I’d hoped she would find her way through this.
My suggestion was to put a lot of effort into communicating the results of the audit through face-to-face meetings, even if they had to be through Zoom or similar digital communications platform. Constructive give-and-take discussions about what she found and why it matters would be of far more value and far more persuasive than any text document or pre-formatted traditional audit report.
Follow Principles Not Rules
As a former CAE myself, I gave my team a great deal of flexibility when it came to the audit report. There were some rules, of course, but they were principles rather than detailed regulations. I had an exemplar format, but I wanted the team to do what would work best rather than to adhere rigorously to a set standard.
For example, the opinion of the auditor had to be up front, the first thing the customer read – unless it was really necessary to explain the context first.
Another principle was that the auditor needed to use plain English, a rich language that can be used creatively to communicate the auditor’s opinion. Requiring standard language, such as a rating system, is limiting. If the auditor wanted to say that controls, etc. were not effective or adequate, that had to be explained in a way that the customer could readily understand. In fact, I encouraged them to write the same way they would speak.
In addition, I instilled the idea that suggestions for improvement had to be practical and what the auditor would do themselves if they were in charge. The audit report had to be concise and readily consumable by the busy executive. It had to communicate what they needed to know, and no more.
We are not limited to a rigorously enforced standard for communicating in person. Why should we be limited when we are writing? There is value to standardization, but it can also be a drag on effectiveness and the ability to deliver maximum value.
Understanding the Why of Audit Reports
In particular, we need to understand why we are writing an audit report in the first place. I have a fairly lengthy chapter on this in my seminal book, Auditing that Matters – which I strongly recommend for every internal auditor (even though I wrote it). Here are just a few of the main points:
- It is critical not only to audit what matters, but to communicate what matters…. It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).
- Our goal is not to find fault. It is to help management improve their processes, where necessary, through our advice and insight.
- We need to remember that the task is not to write an audit report. It is to communicate… We need to communicate in a way that is easy for the individual with whom we desire to communicate to receive, absorb, and act on the information they need from us.
- The oldest communication tool is talking… When a simple “everything is OK” is insufficient, I believe the audit report is only the start of the communication… A face-to-face discussion where the auditor can explain what he or she found, the implications, as well as share his or her advice and insight is invaluable…. A meeting provides the executive with the opportunity to ask questions and make sure he or she fully understands the situation before making decisions and taking actions… The auditor needs to be disciplined in these meetings, making sure that he or she is listening actively to the executive.
- The auditor doesn’t have to wait for the closing meeting, let alone the audit report, to share information with appropriate management…. I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.
- If management responds with alacrity to correct issues, then this should be recognized in the final audit report.
- There is no harm, and every good, in commending management for their commitment to controls. Apart from complying with Standard 2410.A2 (“Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications”), it helps build a solid relationship with management. In addition, the fact that operating management has shown this commitment should be reassuring to executive management and the board.
- If there is no value in informing more senior management that there was an issue, then I typically won’t mention it – except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
- Management needs to know and understand what we found before they can be expected to agree on the facts and their interpretation – does this represent a risk of significance, what action is required, by whom, and when… There is no excuse, in my opinion, for failing to confirm the facts at the Closing Meeting and then having a dispute when the draft audit report is shared with management…. Equally, the audit team needs to listen to the management team and their assessment of the risk represented by any deficiency. Disagreements after the report has been drafted are a waste of everybody’s time and do little for the audit department’s reputation.
- We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
- I believe it is very important for internal auditors, especially the CAE, to understand that the word ‘finding’ can have negative connotations. It can sound like ‘gotcha’ to management, especially if there are financial or other repercussions for a manager should an audit identify control deficiencies.
- Change is our final product… A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.
- We must make every reasonable effort to communicate in a fashion that is not judgmental, is fair and balanced, will not be perceived as ‘gotcha’ auditing, and will influence appropriate and necessary change.
In other words, limiting the communication of audit results to a strict audit report template, as in the example above, can hinder our ability to convey the important messages we need to deliver in the best way we can. (By the way, that CAE never took me up on my offer to talk.)
The most important rule for audit report writing is that the internal auditor communicates in a way that both informs management of what they need to know and promotes positive change. 
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.