16th March, 2016
Perhaps the most challenging part of an auditor’s role is the communicating of results in order to achieve effective remediation of any control deficiencies. Audit reports are, perhaps, the most critical part of the audit process and typically come at the end of the process when schedules are stretched, deadlines are approaching, pressure is on and the report becomes a non-essential item to be completed so that the “Audit Complete” box can be ticked as soon as possible.
1. I have probably suffered some form of cyber-compromise, but don’t know it!
2. If I have not been hacked, I will be!
IIA Practice Advisory 2440-1: Recipients of Engagement Results,
provides guidance for internal auditors with respect to their reporting responsibilities as follows.
"Final engagement communication should be distributed to those members of the organization who are able to ensure that engagement results are given due consideration. This means that the report should go to those who are in a position to take corrective action or ensure that corrective action is taken. The final engagement communication should be distributed to management of the activity under review. Higher-level members in the organization may receive only a summary communication. Communications may also be distributed to other interested or affected parties such as external auditors and the board."
Reports should be reviewed and approved by the head of internal audit before they are issued but this can, itself, lead to significant bottlenecks and auditor dissatisfaction.
The issued audit report is a reflection of the competence and professional image of the whole internal audit function and internal auditing as a profession. In many cases, the report is the only exposure to internal auditing that senior management will get. This image will be reflected not only in the report's technical soundness but also in its clarity, tone, organization and style. The message must be unambiguous and questions raised in the reader's mind must be anticipated and answered within the report since the auditor will not be present to be questioned when the report is read. Any desired mood or reaction to the message in the report must be created by words alone.
Preparing to write starts at the beginning of the audit. From the moment the scope and objectives are approved, all audit work is done with the audit report in mind. At the start of the audit, the auditor should already have a mental picture of the report in mind. The anticipated audience, the subject matter, and the scope and objectives of the report are all known before the audit itself starts.
When the actual process of committing the report to paper starts, free writing may help to loosen up your mental muscles. This technique involves the writing of unrelated texts such as a letter before starting work on the report itself. The theory is that this starts the brain moving in logical communication mode.
Commonly an audit report will involve the co-ordination of several writers' efforts. In such cases is may be wise to read the report aloud in order to recognize the differences in the styles and methods of individual contributors. Reports should follow the same methods and be written in the same style throughout.
The report is written specifically to have a known and desired effect on a predetermined audience. If the report results in effective remedial action being taken on issues encountered, then the whole audit has been effective in corporate terms.
If, on the other hand, nothing is done, nothing gets better, and control deficiencies continue, then the whole expenditure on the audit itself is wasted.
The audit report makes the difference between an effective, professional audit and an amateur job, regardless of how advance the audit techniques and tools were and how professionally the auditors utilized them.
Authored by Richard Cascarino, CIA, CRMA, CISM, CFE
Richard Cascarino has over 32 years of experience in audit training and consultancy. Well known in international auditing, he is a regular speaker to National and International conferences and has written many Internal Auditing books.
This year Richard is facilitating three new Internal Auditing courses with PLUS Specialty Training:
For more information on his courses please contact firstname.lastname@example.org