
Norman Marks on Governance, Risk Management, and Audit
October 18, 2020
I have known my friend Hal Garyn for a long time. He is a gentleman for whom I have great respect and we usually are in full agreement on topics of mutual interest.
But I am only in partial agreement with his recent article, Death of the Audit Report: It’s Time to Reconsider How to Convey Internal Audit Findings.
As usual, I will point to some of his excellent comments:
- …why do we issue audit reports? Are we required to do so? And are there other options? Does the return on investment outweigh the time spent drafting, editing, reviewing, and issuing traditional internal audit reports? We’ll explore these questions in depth, but the short answer is a resounding “no!”
- When most internal auditors consider why they issue audit reports, far too many say it is because “the Standards require us to.” Well, that is not true at all. The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing states the following regarding reporting the results of internal audit work:
“Internal auditors must communicate the results of engagements.” – IIA Performance Standard 2400.
- So, if the Standards do not say, “you must issue an audit report,” why do we do it? Another common response to the “why” question, beyond erroneously thinking that we need to, is: “Because that’s the way we have always done it.” If we are unwilling to accept a statement like that as an answer from an audit client, then that cannot be an acceptable answer for why we continue to issue standard audit reports.
- Jason Mefford, president of Mefford Associates and CEO of cRisk Academy, agrees that it’s time to rethink the traditional audit report and instead focus on the best way to achieve its objectives. “We all need to rethink how we communicate the results of our audit work,” he says. “The typical long, jargon-laden internal audit report may not be the most effective way to do that any longer. In fact, if you want to find an extra 30 percent of time in your budget, quit wasting time writing reports,” he asserts. In a time when efficiency matters, the audit report process may be long overdue for an overhaul.
- Remember when our high school writing teachers advised us to begin with the end in mind?
- The report, in the end, is just a means of communication. Communication only has value if what the author wants to say is completely and accurately understood as intended by the recipient of the communication. The communication is in a form that is most easily digested so it can be acted upon in some way by the recipient, in the manner originally intended.
- In a recent poll conducted on LinkedIn of internal audit leaders, 22 percent of respondents said the average length of their standard audit report is more than 10 pages, and another 48 percent said the average length of their audit reports ran 5 to 10 pages. With these lengths, it is possible that such reports are not easy to read or digest. Some internal auditors will readily admit that they are not written with the reader in mind.
- Improving our audit reports starts with considering your audience and asking a few simple questions: What information do they need to know?
Hal sets the table well.
The traditional and long audit report needs to be transformed.
It starts, as he says, with understanding:
- Who the intended audience is, the recipients of your communication
- What they need to know
- What the best way is to communicate that information. It has to be in a way that gets their attention, tells them concisely what they need to know, and enables appropriate actions
- How to eliminate what is unnecessary so that the necessary stands out and is easily consumed
My first and perhaps most important disagreement with Hal, and it’s a strong disagreement, is around the purpose of the communication.
I disagree with each of these quotes:
- “The ultimate objective of internal audit reporting is not to describe what we found or to make recommendations for improvement. It should be to persuade readers to take action,” Richard Chambers
- “The goal is risk mitigation and operations improvement, not reports,” Amanda “Jo” Erven
- “Communications must include the engagement’s objectives, scope, and results.” – IIA Performance Standard 2410.
He also makes these statements, with which I strongly disagree:
- What is the best way to sufficiently document the work that was completed? And, most importantly, what is the best way to convey the findings that, when addressed, will make the biggest impact on the organization.
- Regardless of how we communicate the results of our audit work, each ‘finding’ must cover certain elements that are fundamental to good internal audit reporting. There are great articles and other material covering the details, but be sure that each finding addresses these elements if you want to completely cover the matter at hand: condition, criteria, cause, effect, and, in most cases, a recommendation.
This is a vitally important topic and I cover it in detail, with examples and practical suggestions, in Auditing that Matters.
Let’s go back to the point that this is about communicating, not writing an audit report.
It is vital that we realize that our obligation is to communicate the results of our work, and that we understand to whom that communication will be made.
We need to communicate to increasingly senior levels of management and then to the audit committee of the board.
As I say repeatedly in the book, we need to communicate:
- what they need to know rather than what we want to say (and there’s a huge difference)
- when they need to know it (typically at the speed of decision-making)
- in a way that is actionable, eliminating the unnecessary that makes the communication hard to receive
What do they need to know?
As we say in the Core Principles and the Definition of Internal Auditing, we provide:
- Assurance
- Advice, and
- Insight
If you are seeking assurance from a doctor, auto mechanic, or other specialist, do you want a formal report? Isn’t it better to talk to that expert and listen to what they have to say, with an opportunity to ask questions, perhaps (and only perhaps) supplemented by a written report? Maybe the written report can summarize the communication for later reference or sharing.
If you want advice from a parent, attorney, tax accountant, or other authority, do you limit the communication to a formal report? Again, isn’t a real discussion better for you? Maybe a formal report with detail can help, but it is usually not sufficient by itself and may be unnecessary. I don’t want to pay an attorney to write a formal report that summarizes what he or she has just told me.
The whole point of insight is that it is typically not included in formal reporting. It’s the enormously valuable professional opinion of the auditor that may be hard to prove with solid evidence. For example, I have discussed both individual managers and the structure of the organization with executives.
Similarly, when have you ever tried to persuade somebody to do something by writing a report when you can talk to them?
I could continue with challenging the need to document our work (we have working papers for that) or to include all the details such as scope and objectives, criteria, condition, and so on. Our customers don’t need to see all of that. It’s for our benefit – or for history (and only regulators and historians will care).
So I repeat:
- Tell them what they need to know, when they need to know, and in a form that is readily actionable.
- Put in writing only what our customer will want in writing.
- Communicate, communicate, communicate – but don’t forget to LISTEN!
If you focus on listening and talking to management and the board, with a thoughtful discussion of the situation, not only will your objectives be achieved but you will have credibility with them.
This is not going to be easy for everybody – but it will pay off in spades.
I welcome your thoughts.
https://normanmarks.wordpress.com/2020/10/18/death-of-the-audit-report/