Internal Audit Must Connect the Dots, Then Shine the Light

I’m always gratified when one of my blog posts solicits a strong response, whether the reaction agrees with my views or contradicts them. Chambers on the Profession is intended to be a sounding board for professional internal auditors, and their varied views are always welcome.

Last week’s post, C-Suite Owes More Than Simple Awareness of Internal Audit Reports, is one of those that drew numerous comments, many of which questioned the blog post’s premise.

The post made the case that management must do more than simply acknowledge internal audit reports. Management should act on those reports, especially when there is a clear and present risk to the organization. I believe the examples provided illustrated particularly egregious missteps where management’s failure to act ultimately caused the organizations both fiscal and reputational harm.

The post’s secondary message was that internal audit’s work brings transparency to the governance process, and that ability to shine a light on strengths and weaknesses in governance is central to the value internal audit brings to organizations.

Reader comments focused on internal audit’s responsibility to be clear, concise, and relevant in its reports to management and the board. After all, how can executive management respond to internal audit’s recommendations if the findings are buried under overly long or unnecessarily complex examinations? Worse yet, if the internal audit function does not possess a true understanding of the organization’s strategies and goals, its audits and findings could be completely off base and of little use to the organization. I have written on many occasions about the dangers of internal audit not holding up its end of the bargain.

In 7 Deadly Internal Audit Sins, I provided a list of unforgivables, including publishing erroneous reports and submitting incomplete workpapers. In my first book, Lessons Learned on the Audit Trail, I made clear that how internal audit delivers its reports is often as important as what the reports say.

“The content of our audit reports must always add value to the organization, but the way we communicate in our reports will determine how those findings and recommendations are received.

“What we perceive as objective reporting can sometimes trigger fear or anger from those being audited. They may feel as though their integrity or judgment is being attacked; they may also be reading the report while thinking, ‘How will my bosses react when they read this?’ Even if they do not view a report as needlessly critical, they may think their triumphs and successes have been neglected by a process designed to highlight flaws and vulnerabilities. Sometimes, a little well-deserved recognition can offset a whole lot of valid criticism in an audit report.”

Additional internal audit missteps pointed out by my esteemed colleague, Norman Marks, in his comment on my recent audit report post are equally valid and relevant. In his response, he noted:

“When I see a report of 20 pages or more, I am not surprised that executives fail to read it promptly and act on its recommendations.

“When I see an audit report with a table of contents, I am sure it will be read out of duty, not because it has actionable insights.

“When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.

“When I see a report that talks about risks but not what they mean to the strategies and objectives of the organization, I see a report that is unlikely to communicate what executive management and the board need to know.

“When I see a report that says what IA wants to say rather than clearly and concisely tell leadership what they need to know, I put a lot of the blame on IA.

“When I see an IA function that fails to sit down with leadership and have a discussion rather than rely on a formal, traditional audit report, I see one that does not have a seat at the table, one that is not a trusted advisor.”

Each of Norman’s observations is spot on and similar to points I have made. I would offer five recommendations to internal auditors on writing reports to ensure the results are clearly conveyed, and that significant control or risk-management failures are not overlooked:

• Ensure ongoing communications with management during an audit, and emphasize significant findings and observations that are surfacing from the audit.
• Clearly and concisely convey conditions, causes, and effects in the written report.
• Summarize key findings in an executive summary at the beginning of the report.
• Consider the use of ratings for individual findings or overall reports — for example, identifying conditions that are “unsatisfactory” or “red,” if a color rating system is used.
• Never let the written report serve as the final word. Prepare briefings for management and the audit committee on final audit results if the report discloses significant control or risk-management failures. Then, monitor corrective actions and update management and the audit committee, as appropriate.

Every chief audit executive must strive to create a high-performing internal audit function that understands organizational strategies and objectives and views each engagement through that informed perspective. We must connect the dots for busy executives and board members to give them a clear picture of how the organization is managing risks, and we must be willing to shine a light when those efforts fall short.

That being said, it is ludicrous to automatically assume that internal audit is at fault when management fails to act on its recommendations. The bottom line is that good governance is a partnership of many roles within the organization. Each must carry out its job with respect for the others. For internal auditors, we must unfailingly do our work with exemplary precision and focused passion, thereby removing all excuses not to be taken seriously.

As always, I look forward to your comments.