GUEST BLOG POST
I apologize in advance to all my friends who make a living (at least in part) by helping people write what they believe are “effective” internal audit reports. But every so often, we should challenge everything we do. So today, I am focusing on internal audit reports.
The question I pose is: Are internal reports always necessary? After all, does the general counsel write a report after every review they perform of a contract? Does the CIO write a report after each project is completed? In fact, are there any other functions within an organization that feel the need to write as many and as detailed reports as we do?
There are several possible answers on why internal audit feels the need to issue so many audit reports. Let’s discuss some of the more obvious ones.
1. We have always written audit reports. It’s what we do.
This should never be our answer. We don’t accept an answer like this from management during an audit, do we? There has to be a reason based on the value to our customers in management and on the board.
2. We are required to write audit reports by the Institute of Internal Audit’s Standards.
This is also a very weak argument. We should never do something just so we can say we comply or conform with the IIA’s Standards. There has to be at least as much value to our customers as it costs us in scarce resources. Remember that every hour spent on creating an audit report is an hour not auditing or providing advice on a risk that matters. It’s not as if we are going to get sued or fired (with very rare exceptions) for not writing an audit report.
In fact, let’s have a careful look at the new Global Internal Audit Standards:
Standard 11.3: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate.
Standard 15.1: For each engagement, internal auditors must develop a final communication that includes the engagement’s objectives, scope, recommendations and/or action plans if applicable, and conclusions.
Note that it requires a “communication” rather than a “report.” Now I believe Standard 15.1 goes much too far when it dictates what must be included in the communication. It’s a rule, when the Standards should be principle-based. In 20 years as a chief audit executive, I would not permit my team to have a section on the engagement “objectives”, and the “scope” would either be described in the title of the final communication or in the first sentence. (Yes, we provided reports, but they were short e-mails with attachments. What our customers needed to know was shared in a half-page email and they could read the attachments for more if they needed.)
3. Management and the board expect a report.
Maybe they do because that is what they are used to. But is it what they need? Do they understand that there are options? Are they reading them out of duty or because they need the information to do their jobs?
In fact, I would bet that the majority of senior managers (and even many if not most board members) don’t read the entire internal audit report. Here are some anecdotes to back up this assertion:
- At Home Savings, the President had his assistant read them and highlight what he needed to know. She would tell him and maybe, only maybe, he would read the report.
- At Tosco, the President used the audit reports to prop his door open. (This was before I joined and talked to him about what he needed.) He relied on his direct reports to tell him if there was anything he needed to know.
- At Solectron, the COO did essentially the same. He didn’t have a door (just cubicles), but he didn’t read the audit reports. (He left soon after I joined, and the new President did read my much shorter and concise communications.)
If the reports contain information they need, do they also contain information they don’t need? What can we eliminate to stop wasting their (and our) time?
4. The regulators require an audit report.
Do they? Again, aren’t they looking for evidence that a source of risk has been audited and the results communicated with management? Is the traditional audit report the only form of evidence we have? I hope not! Maybe we should talk to them and agree on expectations.
5. The reports drive action. It’s how we get management to address issues and make changes.
An audit report is a very poor way of persuading management to make a change. If you haven’t persuaded them when you met and talked about the issues and the risks they represent, why should you think an audit report will be more persuasive?
Remember, we are expected to discuss potential issues as they arise during the course of the audit. We agree on the facts, their implications, and what should be done by whom and when. Remember also that all of this should be discussed and confirmed during the closing meeting.
So, who needs persuading?
6. The report documents the corrective actions that will be taken.
Is it needed just for that? Isn’t there a better way, such as writing a memo to confirm what was agreed at the closing meeting?
7. The audit report demonstrates our value. It shows we did a thorough job of high quality.
If you need to write an audit report to justify your existence…well, you know the rest.
So, why should we write audit reports?
Is there a good reason based on the value to the organization and our customers in management and on the board to write and issue an internal audit report? The answer is, it depends. We need to provide them with the information they need, when they need it, in a concise form that is actionable and easy to consume. We don’t need to provide them with more, making them figure out what matters and what doesn’t. Let’s not hide our gold nuggets in a haystack of trivia.
Do you know what they need? Have you discussed and agreed on it with each customer?
As a generality, they need to know:
- Are there any serious issues that threaten our success and that need to be addressed promptly?
- Is there anything I need to do myself?
- Is there anything I should make sure my team is doing? Is there anything I should monitor?
Maybe you need to write a report. Maybe you don’t. Maybe you only need to write a memo that confirms what was discussed at the closing meeting. Maybe you can rely on regular quarterly meetings with senior managers and the board where you share and discuss the information they need. Maybe you have more open discussions with senior management after each audit–maybe not after every audit, but after a few or when there are serious issues.
But you need to know what information they need and when. You need to have a valid business reason for any and all communications.
Don’t waste their time or yours. When they know that you are only bothering them and asking for their precious time when it’s important, you will have greater credibility and trust. But help them do their job with the assurance, advice, and insight they need from you when they need it.
Let me know what you think. Please provide your thoughts on the topic in the comments section below.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
You are right. As a retired CIA, CISA, CFE and CAE in Fortune 500 firms, there were many times when I just gave my CFO a verbal report, mostly concerning people actions and fraud.
Examples include. I also did it out of loyalty to my division so the holding company did not need to know about issues that were resolved.
– I invited a Division President to dinner and told him about how a daughter of an esteemed administrator was working as a plant accountant and screwed up the pricing, causing prices to be 3% below cost, causing negative profit variables. They gave permission to a new plant manager to fire her.
– At Nissan Motor Corp, in the 1990’s, I informed the CFO who supervised the international racecar program that the unit CFO, hired from a Savings & Loan, didn’t understand cost accounting and let managers run up balances on obsolete racecar parts to $25-million. That was coincidentally the materiality cutoff for the CPA firm and funny, they suggested internal audit look at inventory balances. The result was a $25-million write off, and closing down the international race car division (run by marketing).
– In Iraq, I found that the US Air Force, responsible for procurement for the Iraq Reconstruction Program, had mismanaged Procurement and lost about $200-million in reconstruction orders, which we found were sitting in warehouses due to out of date addresses and phone numbers of the ordering unit. So we printed out the warehouse inventory list and gave it to all the separate program managers (hospitals, water, transportation) to read and get what they lost over several years. We couldn’t wait for a written report because that would go through the State Dept and they would sit on it.
My personal opinion is IIA standards are way too restrictive and not relevant. We aren’t CPAs who must develop workpapers and reports to protect against lawsuits.
This is the new insight about internal audit report writing. It’s helpful when this is accepted with the standard of my country Ethiopia Audit report presentation. Thank you Norman Marks.
A consistent communication method would ensure all issues have been raised to management, if necessary. I agree that the auditor’s report is extremely important and, therefore, should not just be a short email. I have worked in organizations that practically wrote a novel at the end of each audit. The time taken to write something like that would be better spent assessing controls. I have also worked in organizations with proforma reports that ensured management was aware of scope, objectives, findings, and recommendations, among other things. What was different in these reports is that they included management’s response before being published. This acknowledged management’s accountability. I am in favor of this method although there is room for improvements. I would rather see the reports be less wordy and more bullet point. Concise information gives you the best chance that management will read the report.
Regardless of format, reporting must be consistent and occur after each assignment as a permanent document of audit’s actions. However, the most important element of reporting is follow-through. Management must know that recommendations are made seriously and there is an expectation that the auditee will implement what they agreed to.
As long as the report is sectionalized – with Executive Summary and main details, for different stakeholders to take their pick. In this way, each target reader can pick out what they need to take relevant actions. Certainly, details may be needed for guidance and record purposes, for those taking actions, to ensure non-repudiation.