Why Do We Write Audit Reports? Are They Necessary?

GUEST BLOG POST
I apologize in advance to all my friends who make a living (at least in part) by helping people write what they believe are “effective” internal audit reports. But every so often, we should challenge everything we do. So today, I am focusing on internal audit reports.

The question I pose is: Are internal reports always necessary? After all, does the general counsel write a report after every review they perform of a contract? Does the CIO write a report after each project is completed? In fact, are there any other functions within an organization that feel the need to write as many and as detailed reports as we do?

There are several possible answers on why internal audit feels the need to issue so many audit reports. Let’s discuss some of the more obvious ones.

1. We have always written audit reports. It’s what we do.

This should never be our answer. We don’t accept an answer like this from management during an audit, do we? There has to be a reason based on the value to our customers in management and on the board.

2. We are required to write audit reports by the Institute of Internal Audit’s Standards.

This is also a very weak argument. We should never do something just so we can say we comply or conform with the IIA’s Standards. There has to be at least as much value to our customers as it costs us in scarce resources. Remember that every hour spent on creating an audit report is an hour not auditing or providing advice on a risk that matters. It’s not as if we are going to get sued or fired (with very rare exceptions) for not writing an audit report.

In fact, let’s have a careful look at the new Global Internal Audit Standards:

Standard 11.3: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate.

Standard 15.1: For each engagement, internal auditors must develop a final communication that includes the engagement’s objectives, scope, recommendations and/or action plans if applicable, and conclusions.

Note that it requires a “communication” rather than a “report.” Now I believe Standard 15.1 goes much too far when it dictates what must be included in the communication. It’s a rule, when the Standards should be principle-based. In 20 years as a chief audit executive, I would not permit my team to have a section on the engagement “objectives”, and the “scope” would either be described in the title of the final communication or in the first sentence. (Yes, we provided reports, but they were short e-mails with attachments. What our customers needed to know was shared in a half-page email and they could read the attachments for more if they needed.)

3. Management and the board expect a report.

Maybe they do because that is what they are used to. But is it what they need? Do they understand that there are options? Are they reading them out of duty or because they need the information to do their jobs?

In fact, I would bet that the majority of senior managers (and even many if not most board members) don’t read the entire internal audit report. Here are some anecdotes to back up this assertion:

  1. At Home Savings, the President had his assistant read them and highlight what he needed to know. She would tell him and maybe, only maybe, he would read the report.
  2. At Tosco, the President used the audit reports to prop his door open. (This was before I joined and talked to him about what he needed.) He relied on his direct reports to tell him if there was anything he needed to know.
  3. At Solectron, the COO did essentially the same. He didn’t have a door (just cubicles), but he didn’t read the audit reports. (He left soon after I joined, and the new President did read my much shorter and more concise communications.)

If the reports contain information they need, do they also contain information they don’t need? What can we eliminate to stop wasting their (and our) time?

4. The regulators require an audit report.

Do they? Again, aren’t they looking for evidence that a source of risk has been audited and the results communicated with management? Is the traditional audit report the only form of evidence we have? I hope not! Maybe we should talk to them and agree on expectations.

5. The reports drive action. It’s how we get management to address issues and make changes.

An audit report is a very poor way of persuading management to make a change. If you haven’t persuaded them when you met and talked about the issues and the risks they represent, why should you think an audit report will be more persuasive?

Remember, we are expected to discuss potential issues as they arise during the course of the audit. We agree on the facts, their implications, and what should be done by whom and when. Remember also that all of this should be discussed and confirmed during the closing meeting.

So, who needs persuading?

6. The report documents the corrective actions that will be taken.

Is it needed just for that? Isn’t there a better way, such as writing a memo to confirm what was agreed at the closing meeting?

7. The audit report demonstrates our value. It shows we did a thorough job of high quality.

If you need to write an audit report to justify your existence…well, you know the rest.

So, why should we write audit reports?

Is there a good reason based on the value to the organization and our customers in management and on the board to write and issue an internal audit report? The answer is, it depends. We need to provide them with the information they need, when they need it, in a concise form that is actionable and easy to consume. We don’t need to provide them with more, making them figure out what matters and what doesn’t. Let’s not hide our gold nuggets in a haystack of trivia.

Do you know what they need? Have you discussed and agreed on it with each customer?

As a generality, they need to know:

  1. Are there any serious issues that threaten our success and that need to be addressed promptly?
  2. Is there anything I need to do myself?
  3. Is there anything I should make sure my team is doing? Is there anything I should monitor?

Maybe you need to write a report. Maybe you don’t. Maybe you only need to write a memo that confirms what was discussed at the closing meeting. Maybe you can rely on regular quarterly meetings with senior managers and the board where you share and discuss the information they need. Maybe you have more open discussions with senior management after each audit–maybe not after every audit, but after a few or when there are serious issues.

But you need to know what information they need and when. You need to have a valid business reason for any and all communications.

Don’t waste their time or yours. When they know that you are only bothering them and asking for their precious time when it’s important, you will have greater credibility and trust. But help them do their job with the assurance, advice, and insight they need from you when they need it.

Let me know what you think. Please provide your thoughts on the topic in the comments section below.


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

Note: This article was republished with permission from Norman Marks on Governance, Risk Management, and Audit.
