communicating internal audit results
TRANSCRIPT
1
Communicating Internal Audit ResultsStandards with Practical Cases
Facilitated By: Kokeb Ashame (MSc, CIA) February 13, 2016
2
Learning Objectives Familiarize with the Standards of
Communicating Audit ResultsUnderstand the purpose of
engagement communicationLearn the features of best practice in
audit communicationBe aware of the issues and risks in
report writing Familiarize with effective strategy in
developing audit reports Familiarize with the ideal structures
of Internal Audit Report
3
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
4
I. INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING(STANDARDS)2400 – Communicating Results
Internal auditors must communicate the results of engagement
2410 – Criteria for Communicating Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans
5
Standards2410.A1 - Final communication of
engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
6
Standards (Cntd)2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Accurate communications are free from errors and distortions and are faithful to the underlying facts.
Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
7
Standards (Cntd) Clear communications are easily
understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
8
Standards (Cntd) Constructive communications are helpful
to the engagement client and the organization and lead to improvements where needed.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.
9
Standards (Cntd)2421 – Errors and Omissions If a final communication contains
a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.
10
Standards (Cntd)2430 – Use of “Conducted in
Conformance with the International Standards for the Professional Practice of Internal Auditing”
Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”, only if the results of the quality assurance and improvement program support the statement.
11
Standards (Cntd) 2431 – Engagement Disclosure of
Nonconformance When nonconformance with the Definition of
Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:
Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
Reason(s) for nonconformance; and Impact of nonconformance on the
engagement and the communicated engagement results.
12
Standards (Cntd)2440 – Disseminating Results The chief audit executive must
communicate results to the appropriate parties.
The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.
13
Standards (Cntd) The communication will identify:
The scope, including the time period to which the opinion pertains;
Scope limitations; Consideration of all related projects
including the reliance on other assurance providers;
The risk or control framework or other criteria used as a basis for the overall opinion; and
The overall opinion, judgment, or conclusion reached.
The reasons for an unfavorable overall opinion must be stated.
14
Standards (Cntd)2600 – Communicating the
Acceptance of Risks When the chief audit executive
concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
15
Standards (Cntd) The identification of risk accepted
by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.
16
II. What it is and what it does ?
What it is? Reports are Internal Auditor’s
opportunity to get management’s complete attention.
A perfect occasion to show how Auditors can help Mgt by informing important events they would otherwise not know about.
However, most of the time auditors do not take this golden opportunity. Rather they feel satisfied just for finishing the report writing.
Unfortunately, auditors do not sell their Audit reports as a vendor sells his goods.
17
What it is and what it does ? (Cont’d)•What it does?Alert management to matters needing correction or improvement by:
Communicating – create awarenessExplaining – obtain acceptancePersuading – implementation
If the report fails to deliver this purposes, whatever skillful, constructive and value adding our report is, fails to get the attention and buy-in of the management. Hence, can not be implemented.
18
What it is and what it does ? (Cont’d)Whom it serves?
The auditors themselves
Operating management / higher management / board
External Auditors
Government regulators and courts.
19
What it is and what it does ? (Cont’d)
For the Internal Auditors Facilitates audit follow-up.
Evidence for auditor performance evaluation.
Means to teach and train audit staff.
Summarizes results of the audit work.
20
What it is and what it does ? (Cont’d)For the Operating/ Higher Management &
Board
Facilitates corrective action / improvement. Means to gain support of higher
management for issues that require their attention.
Serves as window in to operation for busy managers.
Means to evaluate operating performance. Source of objective information about
controls and operations. Promotes disciplined operations.
21
Report Writing Frictions
•Which one do we auditors really like?
Auditing or Reporting?
Most of the time brilliant analysis and findings seem to be forgotten during the trauma of report writing. The reasons are:
22
Report Writing Frictions (Cont’d) Supervisory rewriting - leaves the
auditor unpleased. How does it feel ?
Reporting under pressure – the pressure to rush the draft is constant source of irritation. Auditors give more emphasis to answer previous criticism. Hence, auditors always write reports with the anticipation of their supervisor’s correction. And even sometimes issues are left unreported.
23
Report Writing Frictions (Cont’d) Too much time spent on reports: CAE’s
usually set a high standard of reporting and review procedures which take considerable time
Poor Drafts – Auditors most of the time are concerned with auditing than writing.
Poor writing skills – many Auditors are not skillful writers.
Disagreement between Auditors and Supervisors – the disagreement ranges from grammar and spelling to logic, interpretation of observed conditions and rework.
24
Report Writing Frictions (Cont’d Writing report far from the site of
the audit- Many reports are written in the office. As a result, some important information might be missing or issue is totally disregarded. Besides, time tends to dull memories of the Auditor.
Lack of Auditee Interest – When reports are difficult to understand, worst of all, where clients have no obligation to respond to them, hard working Auditors find noting but frustration.
25
Report Writing Frictions (Cont’d)
As a result, most of the time auditors do not enjoy Report
Writing
Audit clients do not enjoy our reports either
26
Report evaluation Do your reports clearly explain the areas
and risks that each individual review has covered?
Do your reports include a clear executive summary including scope of work, risks covered and key issues arising?
Are your reports on average five pages or less?
Are your reports finalized within two weeks of completion of the fieldwork?
Do your reports contain a clear action plan including action, planned date of completion and who is responsible for implementing the action?
27
Report evaluation-Cont’dDo your reports focus on the future
rather than the past?Do your reports contain only the
‘vital few’ recommendations with the minor issues being dealt with elsewhere?
Do you adopt a consistent report format across the whole department?
Is the report balanced and does commend significant accomplishments?
28
Report evaluation-Cont’dDo management really buy-in to
the actions contained in the audit report?
Are at least 90% of the agreed actions actually implemented by management by the agreed deadline?
‘Any No answer is not acceptable for the above questions’
29
III. What is the remedy?
•Unfortunately there are no easy solutions. Courses in report writing concentrate in word choice, sentence length, paragraph structure etc. they do not teach us judgment, empathy, analytical ability .
So Where is the problem?
•The source of audit report problems can often be found in the audit process itself. The process can be improved by taking the following steps.
30
What is the remedy? -Cont’d
Develop a report style manual for the audit activity. This avoids disagreements regarding grammar, spelling capitalization, and the like
For larger internal audit activities an editor to review reports before submitting to the Supervisor should be considered.
31
What is the remedy? (cont’d)
Conduct training in attributes of good report writing and processing of audit reports. Including the standards for reporting, if possible, by auditors themselves.
32
What is the remedy? (cont’d)
The use of formats to ensure the presence of all elements of a finding (Condition, Criteria, Cause, Impact and Recommendation).
This format should be completed in the field and makes report writing a process than a task.
Use of finding write-up sheet. Many auditors wait until after field work to write the findings due to time constraint. This is a big mistake. Proper development of findings starts in the field.
33
Practical CasesCase- The following sample finding is taken from
an internal audit report on a given unit of an organization
Condition – The following long outstanding receivables are observed in the unit
1. ETB25,000.002. ETB125,360.00
Criteria-The operation manual of the unit Impact- Violation of Internal Control Recommendation- As per the operation manual
of the unit the o/s receivables shall be collected
Audittee’s response- Follow-up of the case is ongoing
Auditee’s action plan- The o/s receivables will be settled in a week
34
Practical Cases (Cont’d) Case- 1Major shortcomings of the above
finding report1. Condition:- The word outstanding
shall be specific. At least how long was it o/s?
2. Criteria:- The Criteria element shall also be specific. It shall provide the requirement of the operation manual on that specific finding or the Auditor’s expectation.
35
Practical Cases (Cont’d) Case- 13. Cause:-The standard requires all
elements of findings however, the findings reported above is missing the element of Cause.The internal audit recommendations
basically depend on the Cause element of audit finding.
Therefore, the auditor shall carefully analyze the cause element of a finding and shall state it on the findings write-up sheet.
The cause element of a finding requires the auditor’s careful judgment
36
Practical Cases (Cont’d) Case- 14. Impact:- The Impact element
shall also state the effect of a finding if not rectified as per the recommendation
5. Recommendation:- This element shall provide an auditor’s opinion to be implemented by the auditee. The auditor’s opinion given here depends on the cause element.
37
Practical Cases (Cont’d) Case- 16. Auditee’s response:- This part shall clearly
indicate the Auditee’s acceptance or non-acceptance of the finding. If it is accepted by the auditee, justifiable reason for non-performance shall be given and the corresponding action plan shall also be provided. If not accepted :- here also justifiable reason with supporting document/evidence shall be provided for the higher management consumption.
7. The auditee’s action plan shall state the completion time frame as well as the responsible body for all accepted findings and shall be reported as annex to internal audit report instead of as element of findings.
38
Practical Cases (Cont’d) Case- 1 The standard requires all elements of findings.
Accordingly, my suggestion would be:- Condition – The following outstanding
receivables are kept in the books of the unit for more than a yearDate Amount Description1.------------- -------------------------------------------2. ------------- -------------------------------------------
Criteria- The operation manual of the unit requires to collect such type of receivables in a maximum period of one year otherwise shall be forwarded to the write-off committee
39
Practical Cases (Cont’d) Case- 1 Cause:- Oversight/ workload/ lack of
professional staff/ unawareness of the criteria/instructed by supervisors, etc…. as the case may be
Impact- The organization may incur loss if proper follow-up not conducted and collected on time/The possibility of collecting these long outstanding receivables is very low, therefore the b/s of the unit is showing inflated amount of assets.
40
Practical Cases (Cont’d) Case- 1 Recommendation- As per the operation
manual of the unit o/s receivables shall timely be collected by the unit or shall be written-off. Therefore, timely follow-up shall be conducted by supervisors/ adequate number of manpower shall be assigned to the job/qualified staff shall be assigned to the job/procedures shall be made known to performers of the job/ supervisors shall comply with the units procedures, etc….. As the case maybe
41
Practical Cases (Cont’d) Case- 1 Audittee’s response-
Accepted/Agreed- Even though several reminders were sent to the client , the receivables are still outstanding and it seems un-collectible. Therefore, the o/s receivables will be forwarded to the write-off committee and will be taken action accordingly. The unit will assign professional staff to the job. The action plan is attached.
Auditee’s action plan- Shall be attached as Annex to the report.
42
IV. Important issues to be considered in good report writing1. Discussion with auditee 2. Factual Reports 3. Precision4. Clarity5. Proper Background, scope and
objective.6. Conciseness
43
Important issues ….Cont’d7. Constructive tone8. Perspective9. Audit Conclusion / Opinion10. Audit recommendation11. Auditee Accomplishment12. Interim reports / Preliminary
report 13. Summary reports
44
Important issues …. Cont’d14. Auditee Position15. Timeliness 16. Report Distribution17. Legal considerations 18. Proper editorials 19 Restricted Information
45
1. Discussion with Auditee Confirm facts as you go through /
communicate. It is also important to discuss cause,
effect and recommendation before the report is released. Since clients know better about the operation than the auditors.
Differences with client other than the fact could be stated in the final engagement communication.
Early rectification is facilitated. Avoids surprises. Improved comm. b/n auditor & Auditee
improves report quality.
46
2. Factual Reports Audit reports must always be
completely factual.Report items should be based on
a well documented facts and inescapable logic.
Everything should be what we have observed or validated to be factual. Otherwise source should be disclosed.
47
3. Precision
Reports seek to communicate. If it fails to so, it is worthless.
Use precise words. Imprecise words leave a reader confused (e.g.. Words like sometimes, many, a few, several etc..).
Imprecise reports hardly get comprehended and hence, not implemented.
48
4. Clarity Transferring to the mind of the readers
what was in the mind of the auditor. It is a precondition to be persuasive. Avoid jargons, use simple words. Have a clear understanding of the issue
before writing it. Mental creation precedes physical creation.
Good writing comes from good thinking & good thinking requires including all elements of a finding.
Use active sentences than passive sentences.
Properly structuring of reports and coherence of the flow from beginning to end. Avoid report drift.
49
4. Clarity –Cont’dThe main rule in writing is to know the
reader & their needs.Avoid emotions and feelings.Do not obscure the major finding amidst
trivial issues.Use powerful descriptions, e.g., instead of
reporting “Goods Receiving Notes are not reconciled with invoices,” use “there is no assurance that the company receives what it is paying for.”
Use charts, graphs, tabulations and pictures, if found necessary.
For emphasis, use bullets, boldface, italics, etc.
Use titles / headings that easily lead the reader to the subject matter.
50
5. Proper Background, scope and objective.Sets the stage for the reportingMakes the reader more receptive
and understandingHow audit was initiatedWhat it strives to achieve Coverage / non-coverage
51
6. Conciseness Means cutting out what is
unworthy.Cutting out what is irrelevant &
immaterial.Brevity that does not inform,
however, is not a virtue.The report should have integrated
flow of ideas.As much as possible avoid long
sentences.
52
What is the ideal size of an audit report? In as much as possible the main
audit report should not be more than five pages.
53
7. Constructive toneDo not emphasize the mistake of
individuals.Proper criticism may be necessary
but emphasize on needed improvements.
Audit reports with a constructive tone are more likely to get the buy-in of clients.
54
8. PerspectiveIt relates to objectivity
Requires refraining from puffing up that which is not material or relevant
55
9. Audit Conclusion / Opinion Auditor’s overall opinion in relation to
the audit objective is very important. (e.g. there is adequate control over…., such and such task is being performed efficiently and effectively, or vise versa)
Auditor’s opinion is a must in many progressive audit shops.
The main thing is keeping the main thing the main thing.
If the Auditee deserves to be complemented for its exceptional accomplishment, the auditor should do so. This results in a significant reward.
56
10. Audit recommendation Auditor’s recommendation should only be
considered as options to operating management.
Should not come out as a surprise at last. Should be well discussed with in due course of the audit.
Always operating staff /mgt. are more knowledgeable about operations than the auditor.
Let’s not take the credit for the recommendation.
Have regard for the cost of implementing a recommendation except for compliance and regulatory issues.
57
11. Auditee AccomplishmentMost audit reports are negative in
tone.Objectivity will be in question if
everything in the report is negative (unbalanced).
If reports are not balanced, auditee’s perception towards the audit report will also be negative and defensive.
We should admit that complementing exceptional accomplishment, if any, is value adding.
58
12. Interim Reports / Preliminary Report Useful when early information to
management and timely corrective action is necessary.
Should not be considered as a substitute for a final report.
If the issue raised is adequately addressed, it may be excluded from the final report or may be disclosed accordingly.
59
13. Summary ReportsThe objective of Internal Auditing is
to get sr. Mgt. Interested and read the audit report and take corrective action.
However, executives do not have time to go through the detailed audit reports.
Hence, auditor’s significant findings could be summarized in one page or a maximum of two.
Internal Auditors should be careful enough to put themselves in the shoe of busy managers and raise issues which are of concern to management.
60
13. Summary Reports- Cont’dThe major content of summary
report should be What was audited ConclusionCapsule statement of truly significant findings
Action taken by operating management.
Overall evaluation statement. (Refer sample)
61
14. Auditee PositionAs the standard dictates, no
disagreement should arise between auditor and auditee regarding facts. (Condition and Criteria).
However, disagreement in relation to Conclusion and Interpretation, auditee’s view should be given adequate coverage in the report. This will help management take a balanced and informed decision.
Once agreement is reached, auditee’s action plan could even be attached as an appendix.
62
15. Timeliness Reports are useless if they are not
timely. If not timely, minimizes the
impact of the reported finding.There should be balance between
thoughtfulness and promptness. One way to address this is by issuing preliminary reports.
63
16. Report DistributionTo operating management taking
corrective action.Sr. management who can enforce
corrective action.In case there is important
information to be disclosed or error is found out, the CAE should ensure that a new report is issued clearly highlighting the amendments.
64
17. Legal considerationsFor matters involving legal issues
auditors should always seek for a legal advice.
65
18. Proper editorials Review each report at least 3
times.Get clear understanding of what
is being said.Ensure each sentence is needed
and says what it intends to say.Judge the style, syntax, and
capitalization. Avoid shaky grammar and faulty
punctuation (use grammar and spellchecker).
66
18. Proper editorials – Cont’dPoorly proofread reports can
cruelly blemish and downgrade a well written, soundly documented audit reports.
Simple mistake diverts attention and the reader starts to think about the writer than what is written.
Compare the final with the draft report preferably by another auditor
Check references (references, indexes, figures, etc) might have been wrongly changed in due course of review.
67
19 Restricted InformationCertain information may be
appropriate to be issued separately to a concerned party only in a confidential communication. This facilitates smooth rectification and course of action to be taken.
68
V. Effective strategies for report writingFull wording of acronyms when
first used.Recommendations should be
precise and resolve the problems.Recommendations should cure the
cause not the symptom.Recommend to those who have
the authority to implement them.Include client responses in the
report.
69
Effective strategies –cont’dMake report outline before
starting to writeKeep your writing short.Group similar findings together.Place the most important findings
at the beginning of the report.Use an executive summary of the
findings and recommendations.
70
Effective strategies –cont’dGood audit report is like a bridge
between the auditor and audit client. Any gap / defect in the report will not let your findings to cross over to the audit clients for their implementation & hence, no value.
71
VI. Internal Audit Report
Main Parts of the Ideal Internal Audit Report are:-A. Executive SummaryB. Complete Audit Report
72
A. Executive Summary Provides a high level overview of the audit
and provides a summary of the audit activity
Included are the Introduction, the Objective and Scope, Observations and Recommendations, Summary, and Conclusion
The Executive Summary is submitted to the Audit Committee and the Senior Management.
The entire report (which includes the executive summary) is provided to the individual auditees.
73
Executive Summary (Cont’d)
IntroductionThe Introduction of the Executive
Summary will provide a brief description of how the audit relates to the annual audit plan
inherent risks identified other pertinent information to ensure the purpose of the audit
any other background information
74
Executive Summary (Cont’d)
Objective and Scope of the Audit
The objective of the audit for the Executive Summary will provide an overview with respect to why the audit was conducted
The scope involves what information was examined for the audit
75
Executive Summary (Cont’d)
Observations and Recommendations
This section provides an explanation as to how the audit report is to assist rather than find fault with areas reviewed
76
Executive Summary (Cont’d)
SummaryThis section provides a summary
of the observations and recommendations made
The goal of this section is to provide an overview of the audit work
If specifics are required then the full audit report can be referenced
77
Executive Summary (Cont’d)
ConclusionThis section provides the
conclusion reached by the auditors
A opinion will be expressed with respect to the observations.
78
B. The Complete Internal Audit ReportBackgroundInherent RisksObjective of AuditNature and Scope of the AuditMethodologyAttributes TestedConclusionAppendixes
79
The Complete Internal Audit Report (Cont’d)Background A very brief explanation as to the rationale
for the audit is provided in this section
Inherent Risks This section addresses the inherent risks
involved in the area being audited
Objective of Audit The objective of the audit should answer the
question “Why was this department/area audited?
80
The Complete Internal Audit Report (Cont’d)
Nature and Scope of the Audit This section should answer the
question “What was audited?
Methodology This section describes the audit
program that was developed to conduct the fieldwork
81
The Complete Internal Audit Report (Cont’d) Attributes TestedThis section of the audit report
will discuss the individual issues or areas that we decided to test.
A particular issue is analyzed and captured the information in a set format which includes observations and recommendations as required
82
The Complete Internal Audit Report (Cont’d)
Name of the Attribute Tested For each attribute tested an analysis that
covers the objective, criteria, risks, observations, conclusion, causes, recommendations, and management’s response shall be provided
Objective Criteria Risks Observations Conclusion Causes Recommendations Management response
83
The Complete Internal Audit Report (Cont’d) Conclusion
The final section of the audit report is the conclusion where the audit opinion is expressed.
84
The Complete Internal Audit Report (Cont’d) AppendixesPlanned Management Actions This section is a compilation
of all the recommendations made in the audit report, and includes all of the management responses, who the responsible person is for implementing each recommendation and the time frame
85
The End!Thank you very much!
86
Sources of the Materials Used/References IPPF-IIASawyer’s - The Practice of Modern
Internal Auditing by L. Sawyer Internal Auditing: Assurance and
Consulting Services By F. Kurt (IIA Research Foundation)
Others