AUDIT REPORTING
Information Distillation
Today’s audit reports need to boil away the unessential to quickly get to what’s important to stakeholders.
Norman Marks
Illustration by Sean Yates
24 INTERNAL AUDITOR APRIL 2018
TO COMMENT on this article, EMAIL the author at norman.marks@theiia.org

A company president once told me shortly after I joined the organization that he didn’t understand why he was receiving copies of internal audit reports. He didn’t understand how they were relevant to his work. He had better uses of his time than reading our reports.

He is not alone. Drew Stein, a board member and former CEO in New Zealand, has written, “Almost all of internal audit findings are mundane operational compliance issues.”

When organizational leaders don’t see value to them in what internal auditors share — even questioning whether they should waste their time reading audit reports — something is wrong and change is needed. These leaders will only see value if internal auditors’ communications are about issues that matter to them and to the organization’s success, and provide clear, concise, and actionable information. In other words, auditors must provide them with the information they need to be effective leaders.

In an era of dynamic change, organizations and the managers who run them are also changing how they monitor and run the business. In particular, they must be ready to make decisions quickly because risk and opportunity don’t wait for them. A decision delayed is often a decision that is made by a competitor.

In many ways, the internal audit profession has challenged many of its traditional, tried-and-true methods and principles to meet these changing stakeholder demands. One thing that hasn’t changed is that many internal auditors are still communicating their findings through a traditional audit report, and that may not be sufficient. They may not realize that the International Standards for the Professional Practice of Internal Auditing does not require a formal, written audit report. Standard 2400: Communications requires that “Internal auditors must communicate the results of engagements.” The Standards require communication, and internal auditors should consider how they can communicate effectively.

The traditional audit report and its standard format tell stakeholders what auditors want to say, rather than telling stakeholders what they need to know. A more effective audit communication tells leaders what they need to know, when they need to know it, in a form that is not only readily understandable but actionable by them. In other words, internal auditors should provide stakeholders with the information they need to be effective. At the end of an audit engagement, the auditor should consider what information — assurance, insight, and advice — will help stakeholders lead the organization to success. What are their challenges, and how can internal audit help deal with them?

WHAT STAKEHOLDERS NEED TO KNOW

Your young child comes to you crying in the night and tells you she has a tummy ache. Her head seems warm but she doesn’t have a high temperature, so you bring her into bed with you and she comfortably cuddles up. But soon she starts crying and curls up into a fetal position. “Mommy, daddy, it really hurts!” she cries. This time when you touch her head, it is hot, and you decide to take her to the emergency room.

Fortunately, she is seen quickly by a doctor, who says he needs to run a few tests. You wait. Then you wait some more. Eventually, a nurse appears. You run to her and ask, “How is she? Will she be OK?”

The nurse hands you a binder and says, “Here’s the doctor’s report.”

You raise your voice. “Is she OK?”

The nurse smiles and informs you that there is an executive summary on page 3 where you will find the information you need.

The leaders of the organization, internal audit’s stakeholders, are not that different. They want to know whether everything — the people, processes, and systems relied on to manage risks — is going to be all right (assurance). They also need to know what they need to do (advice and insight).

They don’t need to know:
» Why internal audit did the audit. They need to know the results and why they matter, not the audit planning process. The results will include assurance on specific risks and objectives.
» How internal audit performed the work.
» Background information that they should already know and is not relevant to the assurance, advice, and insight internal audit is sharing.
» Details that are being handled appropriately at lower levels of the organization.

The “Cover Note Example” on page 27 accompanied an audit report to stakeholders at Tosco Corp. when I was the company’s chief audit executive (CAE). The note showed them at a glance whether there was anything they needed to worry about. It gave them the assurance they needed to rely with confidence on the controls around derivatives trading risks.

If we identified significant internal control weaknesses, we did more than rely on a rating system. The cover note would have one sentence that described them at a high level. The executive summary would explain how enterprise objectives might be affected.

Going back to the story about the sick child, if you opened the report to the executive summary and it said your child’s condition was “needs improvement,” would that be acceptable? Would it provide the assurance you need or the information you need to care for her?

WHAT DO YOU MEAN?

After I left Tosco, I joined Solectron Corp., a global electronics manufacturing company. My first task as CAE was to review and approve the audit report for our audit of the Shenzhen, China facility. My predecessor had developed an audit report format that led with the results presented in a table. There was a row for each area of risk that had been included in scope, with an assessment of the related controls — using a red, yellow, green color-coding system — and the number of significant findings.

In the draft audit report I reviewed, the assessment for every area of risk was “red,” and the paragraph directly below the table started with, “The system of internal controls at the Shenzhen facility is not adequate. Significant improvements are required.”
Internal audit communications “must be accurate, objective, clear, concise, constructive, complete, and timely,” according to Standard 2420: Quality of Communications.
   COVER NOTE EXAMPLE
   The note below — originally a hard copy, later in an email — was attached to an audit report
   sent to executive management and the audit committee at Tosco Corp.
   January 15, 1995
   Audit of Derivatives Trading
   » Are there any risk issues of significance to the audit committee or executive management? YES/NO
   » Are there any outstanding major internal control findings meriting audit committee or executive management attention? YES/NO
   Distribution:
   Audit Committee
I called Audrey, the audit director for Asia Pacific and Japan and a direct report to me. “Audrey, what does this mean?” I asked. Her reply was, after a moment’s hesitation, “Norman, the internal controls are not adequate.” I repeated my question and she repeated her answer.

“Audrey, imagine that as you are getting on the elevator on the fourth floor of the corporate office in Singapore, you see Chester, the president and CEO for Asia Pacific and Japan. He asks you, ‘What do I need to know about your audit of Shenzhen?’ I want you to call me tomorrow and tell me what you would say, recognizing that you only have until the elevator reaches the ground floor.”

Audrey called me the next day. “I would tell Chester that ‘the controls in Shenzhen will not be able to support the 30 percent expansion in manufacturing capacity planned for later this year,’” she said. Instead of blandly saying that controls were inadequate, or even that the listed areas of risk were outside acceptable levels, Audrey was giving executive management actionable information that would help it run the business successfully. This advice and insight was based on an understanding of the organization’s strategies, plans, and objectives. It told the executive, in clear and readily understandable language, that the plan to move production from other locations to Shenzhen would probably fail. That assessment was then followed with advice on the changes necessary to address the situation. We changed the audit report to lead with the effect on the business and its strategy. We used the language of the business to share our assurance, advice, and insight, rather than the language of internal audit (risk and controls).

The senior management team and the board are focused on executing on and achieving their strategies and objectives. Internal audit may know how internal control and risk management deficiencies may affect those goals, but unless auditors say more than “the system of internal control is not adequate,” there is no assurance that management will appreciate what the audit results should mean to them.

Internal auditors need to communicate the results of their audits in a way that:
» Makes it clear which enterprise objectives might be affected and how.
» Explains which risks to objectives are outside desired levels.
» Helps them identify and then take the necessary and appropriate actions.

For example, our report following an audit of the process for reviewing and approving capital expenditure requests at Tosco led with an opinion statement: “The Authorization for Expenditure process does not meet the needs of the organization. Decisions are not timely and, as a result, business opportunities are lost — rendering null the original business justification.”

The first words used the language of the business to highlight the fact that business objectives likely were not being achieved. The opinion continued by saying that capital decisions might be delayed to the extent that revenue opportunities were lost. The audit report went on to explain what was happening, gave an example of a missed opportunity and the cost to the business, and how management had agreed to address the issue. This report prompted change.

HAVE A DISCUSSION

Many internal audit departments track and report to their audit committee the number and aging of outstanding audit recommendations. One of the reasons management often fails to take all the necessary actions promptly is that internal audit and operating management do not have a common understanding of the potential effect on enterprise objectives.

Some auditors talk about internal audit having to “sell” its audit findings. They complain when management is reluctant to make the change they recommend. But perhaps management is right! Maybe the risk is one they should be taking on business grounds, or there is a better way to address the issue.

Rather than writing a recommendation and asking for a management response, internal audit departments should sit down with operating management and discuss:
» Do we agree on the facts?
» Do we agree that there is a risk to one or more enterprise objectives?
» Do we agree on the significance of the risk?
» What is the root cause of the problem?
» Should the risk be accepted or action taken to minimize it?
» What are the options and which is best?
» Will the actions bring the risk to an acceptable level?
» What is a reasonable time frame within which to complete the corrective actions, and who will own each task?

A constructive, open discussion with management — where everybody is listening and working toward the shared objective of enabling enterprise success — is far more likely to result in the change necessary for success. Internal auditors should realize that their final product is not really the audit report and its recommendations — it’s the change that they enable. Informing executive management and the board that internal audit and management have agreed on defined actions is far better than sharing internal audit’s recommendation and management’s response.

BEYOND THE REPORT

The Core Principles for the Professional Practice of Internal Auditing talks about sharing not only assurance and advice, but insight. Every good internal auditor has opinions that go beyond what is typically included in the formal audit report. These may be of great value to management — if management gets to hear them. For example, the audit team may have thoughts on:
» The competence of the management team and staff.
» Teamwork and morale in the area audited.
» The level of resources available to the team (people, budget, systems, computers, etc.).
» The ability of the team to deliver optimal performance.

At the same time, management may have questions on these or similar topics and may welcome the opportunity to ask for the audit team’s thoughts. Often, these insights are at least as valuable as the assurance and recommendations for change included in the audit report. But there has to be an opportunity for management to hear and discuss the insights of the audit team.

When there is more to say than “everything is fine,” a face-to-face conversation with management can be the best communication method, especially in private when difficult topics can be discussed candidly. The most effective communications result in a shared understanding, and this is best achieved when both sides not only talk and listen, but ask questions to make sure they understand the other fully. This is the path to effective change and delivering the full value of internal audit to management.

A meeting or a phone call also may be essential if issues are serious and need to be addressed promptly. If the risk is significant, it doesn’t make any business sense to delay corrective action for weeks while the audit report is being drafted.

FORMS OF COMMUNICATION

Internal auditors need to communicate in a way that is easy for the individual with whom they desire to communicate to receive, absorb, and act on the information they need. Every CAE should take full advantage of modern communication methods as well as embrace the oldest way to communicate — talking and listening.

CAEs should understand how each of their key partners in management and on the board likes to receive information, especially the information they want to get from internal audit. These days, executives receive most of their information in dashboards and similar forms, as well as in meetings and emails. CAEs should consider asking that the CEO’s and chief financial officer’s (CFO’s) daily dashboards or metrics include a section that highlights audit-related issues meriting that executive’s attention. Sometimes, that is enough.

If the executive needs to know that the audit engagement confirmed that controls over a specified risk are working effectively, then that can be communicated with a descriptor and a green light. If controls are not adequate and the CEO’s or CFO’s attention is necessary, a red light replaces the green one with a link to the details, which may be the audit report in full or abbreviated form.

How auditors communicate results “may vary based on the organizational structure, type of internal audit, and related recommendations,” according to The IIA Practice Guide, Audit Reports.

LISTEN AND ASK QUESTIONS

As a CAE, I told my internal audit teams that I don’t ever want them to “go and talk” to somebody. I want them to “go and listen.” If they are talking more than 40 percent of the time, they are talking too much. Internal audit’s communications should provide its audience, its stakeholders, with the opportunity to listen actively — to ask questions and to discuss the situation and its implications.

Communications should start early and be frequent. If internal audit finds something that appears problematic during the audit engagement, it should be talking about it, and listening, to management straight away.

The closing meeting at the end of fieldwork is an excellent opportunity for sharing, not only by the internal audit team but by management. The meeting should conclude with a shared understanding of the facts and issues, the risks they represent to enterprise objectives, and the actions that everyone agrees should be taken. If internal audit has done that well, the audit report simply becomes an after-the-fact summary. Even if there is no formal audit report, everybody should be assured that all issues will be addressed appropriately.

The audit report has value in enabling a discussion with senior management and the board — although serious issues should be communicated promptly in person or by phone. In some industry sectors, the report is necessary to meet the requirements of the regulators. But rather than considering the audit report to be the primary communication vehicle in every case, internal audit should adapt to its stakeholders’ needs for assurance, advice, and insight. When internal audit provides the executive team and the board with the information they need, when they need it, to run the organization successfully, it is optimizing its value.

NORMAN MARKS, CRMA, CPA, was a CAE and chief risk officer at major global corporations for more than 20 years.

VISIT our mobile app + InternalAuditor.org to watch an interview with Norman Marks on ensuring stakeholders receive the information they need from internal audit.