How detailed should internal audit reports be? What information should be included? Is it even necessary to issue a written report? Leaders on Kaufman Rossin’s Chief Audit Executive (CAE) Advisory Council gathered recently to discuss these questions and other reporting matters at a recent forum.
The council, which is composed of leading internal audit executives representing some of largest industries and companies in South Florida, meets three to four times per year to tackle emerging issues and other challenges within the internal audit profession.
The topic of audit reporting is a good place to start given the challenges it presents to CAEs.
Limited guidance on report standards
International Standards for the Professional Practice of Internal Auditing do not require a written audit report, but rather state that the CAE must “communicate results to the appropriate parties.” The audit reporting process can also be very time consuming and sometimes will result in disagreements with management over wording that can distract from the essence of the findings.
Despite these challenges, many internal audit groups still issue written reports for almost every project performed. Furthermore, the profession recognizes that stakeholder needs can vary widely for each project and across all industries or geographic regions. As a result, audit reports at different organizations can be drastically different in the amount of detail provided, the variety of elements included, as well as the reporting format.
Prior to the discussions amongst the CAE Advisory Council, a survey of the members revealed interesting findings about how a few South Florida companies handle the audit reporting process. There was a general consensus that reports contain an executive summary highlighting the key aspects of the engagement. There was also agreement that management responses to findings were included in the final report.
However, other survey questions had more mixed results. For example, one-third of respondents said their reports are “usually” balanced to include positive practices as well as control weaknesses. Other responses ranged from “always” to “never” balanced. Additionally, 55% of respondents said they “strongly agree” or “somewhat agree” that their reports only contain findings that warrant attention of management and/or the board (i.e., low-risk findings and best practices recommendations are omitted). The other 45% said they “somewhat disagree” with that statement.
Basic principles and best practices
CAEs are faced with the challenge of communicating the right amount of information to their board and/or audit committee. There is no “correct” template that is used for internal audit reports. However, there are some basic principles (in addition to the international standards mentioned above) that can be used to guide internal audit professionals in communicating the results of their audits:
- Reports should convey a message that will efficiently and effectively address the reader’s questions. The reader (i.e., board or audit committee member) needs to know: a) Is everything OK? b) What should I be concerned about? and c) What needs to be done about it? In a recent blog post by author and thought leader Norman Marks, he indicated the problem with typical audit reports is that they convey what auditors want to say rather than what the reader needs to know. Reports need to be concise. Board members have a great deal of information to process and critical decisions to make and internal audit reports are only a small portion of that. Reports need to make the best use of the reader’s time, otherwise they will not be read.
- Reports should clearly communicate the findings in a language that can be easily understood by the reader. Unnecessary elaboration and technical jargon, which may not be frequently used by those outside of the internal audit profession, should be avoided.
- Reports should be suitable to the amount of risk related to the area under review. Audits that are meant to address critical risks of the business or that resulted in significant findings may necessitate additional details of procedures performed or a comprehensive explanation of results. This information can provide further comfort to the board/audit committee that various aspects of risks were adequately considered.
- A written report may not always be the best way to communicate audit findings. CAEs should evaluate what is the most efficient and effective way to communicate audit results and what the regulatory and/or statutory requirements are when deciding whether to issue a written report. Written reports should provide value to stakeholders.
Our survey and ensuing discussion among council members highlighted the differences of audit report writing across some South Florida organizations. This brought to light the concept that reports can have a different appearance don’t have to follow the same template that has been used in the organization for years. Internal audit reports (if issued at all) are continually evolving. Is it time for a change to your reports?
Contact me or another member of Kaufman Rossin’s risk advisory services team to learn more about best practices for internal audit at your organization.