How Can Internal Audit Report Effectively to Its Stakeholders?

by Andrew Cox

Reporting on the Outcomes of Internal Audit Work

A model for reporting the outcomes of internal audit work could be based on the following four elements: internal audit reports, recommendations for improvement, a communication strategy, and an annual internal audit report. These are discussed below.

Internal Audit Reports

Internal audit reports are the most important part of the work of an internal audit function. The report is the culmination of the effort directed toward an audit of a part of the organization. Internal audit can be a costly resource, so reports of its work should demonstrate its value to the organization. Internal audit reports need to be:

  • Timely: reports should be issued in a timely manner.

  • Accurate: reports should contain accurate information.

  • Logical: reports should be logical and valid.

  • Clear: reports should be clearly written and easily understood.

  • Purposeful: reports should state why the internal audit was performed.

  • Written with the audience in mind: reports should be written to suit the intended reader.

The power of a tick should not be underestimated: it provides balance to an internal audit report. People do not go to work to do a bad job, and they appreciate recognition of good work. What they do not appreciate is an audit report that is negative by exception, says nothing positive, and effectively just gives them stick. So, acknowledge good work, and always say something positive in the report, and not begrudgingly.

Internal audit reports need to tell a story and be insightful. Merely telling people what is wrong cannot be seen as a good use of internal audit resources. That is the easy work, and does not reflect well on internal auditing as a profession. The real value of the work of internal audit comes from an emphasis on cause and effect. It is easy work to find the effect, but much more difficult to ascertain the root cause. Because of this, many internal auditors take the easy way out and just report on what has been found to be operating ineffectively.

Many internal audits could provide additional value to the organization if there were more emphasis on efficiency, effectiveness, economy, and organizational outcomes, with a view to helping the organization further improve and streamline its business processes.

Recommendations for Improvement

Internal audit reports need to contain recommendations for improvement if they are to have any point. And the recommendations need to be targeted at correcting the root cause.

Locating the cause provides information on accountability relationships, and provides the basis for making improvements. It is important not just to find that something is wrong, but to work out what caused it to be wrong. This can prevent similar problems from happening again. Each recommendation needs to include:

  • Whether it is agreed with or not by the audit customer (and if not, why not).

  • What the audit customer is going to do about it (action plan).

  • By what date the action will be implemented and completed.

  • Who will be responsible for implementing the recommendation.

Recommendations contained in internal audit reports also need to be risk rated. In this way, management with the responsibility to implement remedial action will know which recommendations are most important and should be implemented first.

An important task of the internal audit function is to ensure that agreed recommendations arising from internal audit reports are satisfactorily actioned within a reasonable time-frame. If this is not done, its work will be virtually worthless. Many internal audit functions adopt an approach whereby:

  • Agreed recommendations from internal audit, external audit, and regulatory bodies are entered into a tracking system and monitored on an ongoing basis by internal audit and the audit committee.

  • Management responsible for implementing the recommendations is required to advise internal audit when this is complete, or to provide periodic reports on progress where this may be over a longer period of time.

  • Overdue recommendations are reported to the audit committee.

  • Internal audit periodically follows up to ensure that implementation has occurred as reported by management. This can be by 100% follow-up, by following up only those recommendations of higher risk, or by following up on a sample basis. A full follow-up audit is not generally necessary.

One point worthy of consideration is the necessity to cover off risks if recommendations are not actioned within a reasonable time-frame. Where a recommendation relates to a higher-risk problem and is not dealt with quickly, the chief audit executive should ask:

  • Why has it not been actioned?

  • Should the risk rating assigned to the recommendation be increased?

  • What fall-back or interim risk management procedures have been put in place to mitigate the risks associated with nonimplementation of the recommendation?

  • Should management make a statement accepting the risk associated with nonimplementation of the recommendation?

This information should be reported to each meeting of the audit committee.

Communication Strategy

To develop and maintain a profile within an organization, internal audit should take steps to improve its communication in order to make itself more visible to the wider organization. Some ways in which internal audit might do this include:

Raising awareness

  • Have information about internal audit and its achievements posted on the organization’s intranet.

  • Distribute a small brochure about internal audit, what it does, and its achievements.

  • Further develop relationships with stakeholders by making presentations on the work of internal audit to groups within the organization’s corporate environment.

  • Prepare an annual internal audit report on its activities.

Engaging management

  • Consult with internal audit customers prior to the commencement of each internal audit, and request their input to the objectives and scope of the audit.

  • Facilitate a risk workshop with internal audit customers in the planning phase of each internal audit.

  • When conducting internal audits, internal auditors should spend most of their time in the work areas of their internal audit customers, rather than in the internal audit work area.

  • At the completion of internal audit fieldwork, hold a workshop with the audit customer to discuss and agree possible improvement options.

  • Provide a balanced reporting format by reporting on what management is doing well, in addition to identifying opportunities for improvement.

Providing value-add

  • Plan for each internal audit with a wider view by encompassing objectives relating to efficiency, effectiveness, economy, and organizational outcomes.

  • Take part, in an observer/adviser capacity, in working groups related to strategic developments within the organization. It is considered best practice for internal audit to contribute to such forums by providing opinions and ensuring that controls are considered and built into projects and systems under development, rather than after the event via post-implementation reviews, without necessarily compromising the integrity of later audits.

Annual Internal Audit Report

In some organizations, best practice extends to providing the audit committee and management with an annual report of internal audit activities featuring:

  • Achievements in the year.

  • Analysis of systemic issues identified through the work of internal audit.

  • An opinion on the organization’s overall risk management, control, and governance environment.

This can provide additional assurance to the audit committee, as well as being beneficial in alerting management to issues and risks identified in internal audits but which may also be occurring in other business areas.
