Here are my top eight best practices for creating better internal audit reports that hit the mark:
Audit Objective: ensure that the audit objective addresses the risks to the goals and objectives of the organization. It should drive the risk identification and assessment, and be a foundation for the audit workplan and the conduct of the audit. And ultimately, it is the statement upon which the audit concludes.
Audit Workplan: the steps in the audit workplan should address all the audit objectives and sub-objectives. These steps should be supported by stated and accepted criteria; able to be executed; and, when executed, will allow you to conclude on the sub-objective(s).
Finding Statement: the Institute of Internal Auditors lists the 5Cs (Criteria, Conditions, Cause, Consequence and Corrective Action) of a finding statement. Ensure every finding statement includes all elements and that they are linked (e.g., consequence is based on condition and criteria). If you find a situation where you are not able to find one of the “C’s” (e.g., cause), you need to do more work.
Assurance: auditors generally report exceptions; however, their role is to provide assurance on the existence and effectiveness of internal controls. Assurance can be positive or negative. Data analytics allow audits to provide a high-level assurance on both positive and negative assessments, producing a more balanced report.
Recommendation: The primary aim of the audit report is to provide assurance to management that the risks are being mitigated. When this is not the case, then the report should drive management to implement effective management action plans. This includes preventive, detective, and corrective action. The audit recommendation should be linked to the audit objective, address the root cause, cost less than the consequence of not acting, and address the highest levels of risk.
Reports: First, the report should not contain any surprises. The management of the area being audited should be informed and aware of audit results as they happen. This allows the auditors to confirm their results and work with client management to develop appropriate recommendations. Second, audit reports to a variety of management functions and different levels, each with their own unique reporting requirements. Management of the audited area needs details regarding the cause; corporate senior management needs to understand the impact/consequences to determine their risk appetite and decide on the actions to be taken; and the Board needs a higher-level picture of the totality of the audit results (e.g., executive summary). Also, readers are different in how they process and understand information. The use of charts, graphs and other visualizations can improve the report’s readability.
Note: An executive summary should provide a more complete, higher-level view of the audit in its entirety. It is not simply a (shorter) restatement of the findings. It provides context, overall impact, and a call for action.
Timely: If the audit is truly addressing areas of high-risk, then the final product needs to be timely. By keeping management informed throughout the audit, the findings can be validated sooner and, often, management will begin working on the corrective action before the report is even issued.
Data analysis: analytics should be integrated into and support every step of the audit, from the planning and risk assessment to the reporting and follow-up. Analytics should be linked to specific audit objectives and be part of the audit workplan, not an add-on. Maximize the use of analytics to improve the efficiency, effectiveness and scope of the audit and provide a quantified, defensible impact statement. The successful implementation of analytics will add significant value to the internal audit function and your ability to support the goals and objectives of senior management.
Dave Coderre, CAATS.ca
This article has 2 Comments
I know my favorite of these eight “best practices” should be Data analysis, but I have to say I am drawn to the concept of positive or negative Assurance. I love that a well-designed audit, like testing a hypothesis, can provide solid assurance that your controls are working.
Investigators can benefit from this as well by ruling out areas that do not show obvious exceptions and moving on to ensure that all company/agency areas have the chance to be examined.
I agree. I had a hard time keeping down to eight. There are so many places where auditors can move away from value-add.