Effective internal audit reporting September 2015 RUTH IRELAND PARTNER AND NATIONAL HEAD, RISK AND ADVISORY SERVICES

Agenda

• How good are we as a profession at reporting?

• What is encompassed in ‘reporting’? – the reporting cycle

• Constructing an effective internal audit report

• Meeting the needs of management and the Audit Committee

• Adding value

• Internal audit performance reporting

• Closing comments


How good are we as a profession at reporting?

My assessment - “Could do better”

• Too focused on the formal audit report – not enough consideration to other elements of the reporting process

• Reports are often long and detailed – and don’t always cater for different audiences

• Hide behind rating systems

• Not always getting to the root cause, therefore recommendations lack impact

• Insufficient focus on adding value

• Focus on the formal written report and give insufficient thought to how our work is presented

• Need to be better at measuring and reporting on internal audit performance

How good as a profession are we at reporting?

Internal audit reporting is about more than the report itself

• It confirms credibility and trust in the audit function/service or conversely can undermine trust and credibility

• It is an extension of your brand

• Good reporting can reinforce internal audit’s position and importance

What is encompassed in ‘reporting’? – the reporting cycle

• What are the various opportunities to report on internal audit activity?

• Map the deliverables to the various recipients and consider how they should be communicated

• Need to plan both the production of the document and how it will be presented

Each is an opportunity to promote the work of internal audit

Recipients: Audit Committee, CEO/CFO, Audit Sponsors, Relevant Staff

Deliverables:

• Annual Internal Audit Plan

• Individual internal audit planning documents

• Wash up/closing meeting points for discussion

• Draft Internal Audit Reports

• Final Internal Audit Reports

• Progress Reports / KPI performance

• Annual Internal Audit Report

What is encompassed in ‘reporting’? – the reporting cycle

Wash up / closing meetings (building on regular communication throughout the audit)

• Ensures early identification of auditor misunderstandings of facts.

• Early identification of differences (auditor v management) that are judgement based.

• Management will have had more time to consider issues, discuss with colleagues, and come up with their own ideas for solutions.

• The relationship may have been developed to a better level by the time the formal reporting phase starts.

What is encompassed in ‘reporting’? – the reporting cycle

Include:

• Formal agenda with key points documented for discussion

• Reminder of the context of the audit for those not fully involved, and of the approach to undertaking the work

• Good practice identified as well as areas for development

• Full exploration of the issues that will be fed into the formal report

• Confirmation of timelines for a formal report to be issued.

Constructing an effective internal audit report


• Reports have a purpose – what is the key message you are trying to convey?

• What do you want people to do in response?

• Too long / too short?

“Cut the length of audit reports wherever possible” Chair of Audit Committee - Aberdeen Asset Management

But this is our big moment!

Constructing an effective internal audit report

Question

Could the future be a one page audit report?


Constructing an effective internal audit report

Signpost the overall opinion (if used) early on

Use an Executive Summary!

This might include:

• A reminder of the work undertaken

• Context – include facts and figures and some history, if relevant

• Acknowledgement of good practice

• Summary of key findings, pulled together into themes

• Overall conclusions.

Avoid repeating the individual findings from the audit.

Constructing an effective internal audit report

Writing style

• Keep it short and punchy

• Use clear messaging

• Simplify your language

• Avoid jargon and unexplained acronyms

• Less is more when it comes to the number of words!

Constructing an effective internal audit report

Some thoughts on the detail

Presenting findings:

Description – what is the issue? This should be factual and free of interpretation.

• Example:

We reviewed twenty-five payments and found ten of the payments were not approved in accordance with the organisation’s policy.

Cause – what is the root cause of the problem – the why question

• Example:

This has been caused by a lack of training for new accounts payable personnel.

The cause should be discussed with client prior to writing the report.

Constructing an effective internal audit report

Impact

What is the impact on the organisation? You may consider:

• What is the risk?

• Why should management be concerned?

• Does this issue have the potential to impact the organisation’s strategic objectives?

• Could this lead to a material misstatement in the organisation’s financial statements?

• Could this lead to a loss of reputation?

Constructing an effective internal audit report

Prioritising findings

Findings should be rated and prioritised in order of importance

• To assist the reader to understand the relative importance of the issues

• To also allow management and the Audit Committee to compare the criticality of issues across internal audit reports.

Meeting the needs of management and the Audit Committee

Tailoring reports to the audience

Have you asked the Audit Committee and management what they want?

Audit Committee:

• Need to know the headlines in terms of how risks are being managed. May need educating on the implications, should the risk materialise.

• Should be able to understand the issues from reading a few pages of the report.

• Shouldn’t be pulled into the detail of individual findings.

Management:

• Will be interested in core themes and should understand the consequences, should risks not be mitigated. Will also need to know who, what, when and why.

• Should be able to understand the issues from reading a few pages of the report.

• Need the detail.

Meeting the needs of management and the Audit Committee

Question

• Do you use the same audit report format for Audit Committee and management?

• What are the benefits/drawbacks of using one report for different audiences?

Audit Committee reporting

What reporting might the Audit Committee typically expect?

• Summary of individual audit reports

• Management action in implementing recommendations

• Internal audit performance – KPIs (qualitative and quantitative)

• Audit coverage and progress:

  – Audits completed against the Annual Audit Plan

  – Actual days input compared with Annual Audit Plan

• Audit planning and reporting

• Good practice ideas and benchmarking information

Audit Committee reporting

Not just the report itself but how we present it:

• Should be able to assume the report has been read

• In presenting individual assignment outcomes, tell a story to the committee:

  – The context of the audit and why it was done

  – Any relevant history of the area under review

  – What internal audit did to come to its opinion

  – The main themes and risks emerging and management’s response.

(And ensure the individual presenting has good presentation skills)

Adding value – considerations

• Varying Internal Audit roles, starting with planning our work and flowing through into reporting:

  – Assurance provider

  – Consultant

  – Critical friend.

Are we good at reporting on all these elements of our role?

Adding value - roles of Internal Audit

[Diagram labels: COMPLIANCE, EFFECTIVENESS, EFFICIENCY, ADEQUACY, PERFORMANCE; Maturity of controls environment and risk management processes; Level of experience and skills in the IA function; VALUE PRESERVATION, VALUE CREATION; OPERATIONAL (policies, procedures, controls), STRATEGIC (emerging risks, priorities)]

Adding value – foundations

Adding value is underpinned by good foundations:

• A deep knowledge of the organization, including culture, key stakeholders, context and strategic aims

• Innovative internal audit practices

• Staying abreast of value added practices

Need to communicate our achievements

(not just report on activity)

EXCEED STAKEHOLDER EXPECTATIONS!

Adding value

Myriad ways to enhance audit reports

Consider:

• Benchmarking

• Use of surveys

• Comparing policies/procedures with good practice

• Showing the effectiveness of processes graphically

Adding value – examples Real examples of added value from internal audit reports.


Adding value

Question

• Do you have any other ideas to share?

Internal audit performance reporting

Typical KPIs:

• Elapsed time for issue of reports – completion of audit work to draft report

• Elapsed time for issue of reports – draft to final report

• Number of unsatisfactory audit opinions (as % of total)

• Number of audit assignments completed (versus number planned)

• % of recommendations accepted

• % of actions fully implemented.

[Charts: Summary of conclusions on the design of internal controls; Summary of number of recommendations raised; Summary of conclusions on operational effectiveness of internal controls. Legend labels: Substantial, Moderate, Limited, No; High, Medium, Low]

Internal audit performance reporting

• Qualitative – measured using satisfaction questionnaires and end of assignment reviews, such as:

• Internal Audit understand the business and processes of the company

• Risks identified for the assignment were appropriate for the organisation and the area under review

• The people carrying out the assignment asked informed, relevant questions to identify the controls against the risks already identified within the audit area

• Progress was clearly communicated during the course of the audit and a debrief meeting was held at the end of the fieldwork

• The findings and recommendations in the draft report agreed with those discussed during the debrief

• Findings within audit reports are accurate, clear and unambiguous

• Recommendations in the audit report are practical and relevant to the needs of the area reviewed

• Customer satisfaction survey issued after every audit assignment.

Internal audit performance reporting – examples

Key

The bar graphs show the responses to each question with the colour of the bar reflecting the response received and the numbers representing the quantity of responses. The colours of the bars reflect the responses received as follows:

Very satisfied

Dissatisfied

Denotes where a question has not been answered.

[Bar charts of responses for Feb-14, May-14, Jul-14 and Jan-15, one per question:]

1. Internal audit understand the business and processes of the Organisation

2. Risks identified for each assignment were appropriate for the Organisation and the area under review.

3. The staff undertaking the internal audit assignment asked informed, relevant questions to identify the controls against the risks already identified above within the audit area

4. Progress was clearly communicated during the course of the internal audit and a debrief meeting was held at the end of the fieldwork.

5. The findings and recommendations in the draft audit report agreed with those discussed during the debrief meeting.

6. Findings within internal audit reports are accurate, clear and unambiguous.

7. Recommendations in the internal audit report are practical and relevant to the needs of the area reviewed.

[Chart segments:]

• Product Quality – 11%

• Financial Reporting and Disclosure – 4%

• Continuity of Supply – 7%

• Tax and Treasury – 2%

• Environment Health & Safety and Sustainability – 8%

• Protection of Electronic Information and Assets – 11%

• Patient Safety – 17%

• Intellectual Property – 12%

• Research Practices – 16%

• Business Continuity – 4%

• Commercial Practices – 8%

Internal audit performance reporting – examples

Deviations from annual audit plan

• Variations

• Reasons

• Impact risk context

[Table columns: Expected, Actual]

• Average time to issue reports after field work

• Actual vs. planned audits

• IA budget to actual

• Training hours per Internal Auditor

[Chart: Audits Completed] Complete 58 (58%), WIP 12 (12%), Not started 30 (30%)

[Chart: Audits Overruns] On time 76%, Overrun 24%

[Chart: Audits Recommendations implemented] Implemented 58%, WIP 12%, Not started 30%

[Chart: Audit Completed, by Inherent Risk]

[Table columns: Audit Group, Headcount, Budget, Actual]

• Group

• Manufacturing

• Environmental Health, Safety & Sustainability

• Research & Development

Total Number Of Audits

Total Number Of Audits With An “Unsatisfactory” Rating

Audits with an “unsatisfactory” or “critical” rating

[Table columns: Title of audit report, Star Rating] Star ratings shown: *, *, **

Closing comments

• Plan as diligently for the reporting as the audit itself

• Always consider the audience and what they need

• Presentation – verbal and written – is crucial!

BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. A list of members' names is open to inspection at our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the Financial Conduct Authority to conduct investment business.

BDO is the brand name of the BDO network and for each of the BDO Member Firms.

BDO Northern Ireland, a partnership formed in and under the laws of Northern Ireland, is licensed to operate within the international BDO network of independent member firms.

Copyright ©2015 BDO LLP. All rights reserved.

www.bdo.co.uk