15
Using Communication and Quality Standards to Maximize the Added Value from Assignments

The last chapter covered good practices for driving both value and efficiency during the fact-finding and testing stage of an assignment. However, at some point audit findings need to be validated (e.g. against quality standards), communicated to management and then appropriate actions agreed. After all, from a customer perspective, it is the agreement, and implementation, of value adding actions that generates meaningful benefits from an assignment, not just issuing a report!

COMMON PRACTICES AND IIA STANDARDS OF NOTE

As an audit progresses, and moves towards a conclusion, the work of the auditors will normally be supervised by audit management. This may include checking the audit file to ensure there is the required documentation to back up what is being said. Key points from the assignment will be shared with management at various stages, typically culminating in a “closing meeting” to discuss the findings and possible management actions.

Depending on the specific methodology of the audit function, a draft report will usually be prepared, often including an executive summary of what, if anything, has been found, along with more detailed points and then recommendations for management action. After the draft assignment report has been produced it will then be shared with relevant management for their comment, normally resulting in a written summary of agreed actions, the person accountable for implementing these and the timescales for completion. In many instances, an audit rating or other opinion also accompanies the report.

COMMON CHALLENGES & DILEMMAS

Management Disagree with Audit’s Judgment about Findings and Remediation Needs

As the assignment progresses, auditors will share their findings with management. However, it is not unusual to find that, on hearing that audit have a concern, management may offer counter-arguments. These can include:

  • The existence of another process or control that compensates for the weakness audit has found (often referred to as “compensating controls”);
  • A belief that the issues audit is raising are within management’s risk appetite, so no additional action is needed (which can include the argument that additional action is not justified on a cost/benefit basis);
  • That they recently became aware of this issue and “are working on” it, so should be given credit for this;
  • That the issue has recently been fixed.

I have heard many auditors explain that assignments would run to time, were it not for these frustrating, often last minute, challenges from management. The impact of these challenges often results in auditors having to “run around” for additional information, as well as having to decide whether management should be given credit for areas that are being, or have been, remediated. This can be particularly frustrating for auditors when they suspect that during the audit assignment, managers have been busy “building their documentation” to demonstrate that some or all of the auditor’s concerns are either not founded or have now been addressed.

The Audit Quality Process Introduces Delays and Frustrations

Depending on the approach taken to quality control by the audit function, the review of audit work papers and the draft audit report may require auditors to carry out additional testing and obtain additional documentation to justify key conclusions. From one perspective this additional work is not wasteful if it helps to ensure audit comes to robust, value adding, conclusions. However, from the perspective of management, it can appear that audit is having a “second bite at the cherry”, and drawing out the assignment.

In addition, the audit quality process can introduce delays towards the end of an assignment as auditors share working papers and draft audit reports up the chain within the audit function. Delays are sometimes due to the fact that audit managers and/or CAEs are very busy and therefore work papers and draft reports can sit on their desk for several days, even weeks, before they are signed off.

In some instances, this audit quality control process can be considerable. Here is a reflection from Jonathan Kidd (CAE, UK Met Office):

“At its worst you used to have situations where the audit methodology would state that, if a report was drafted by a junior auditor it would need to be checked by a senior auditor, and it would then need to be reviewed by an audit manager, and then it would require sign off by the CAE.”

In addition to introducing delays, multiple reviews within the audit function can create a culture in which auditors feel that “someone else will check or change what I have done to suit their needs”, reducing the sense of personal accountability for quality.

Ironically, despite the fact that an audit quality process is intended to add value, it is very often cited by auditors as a time when significant value can be lost – after all, small changes in a report may not be noticed by a manager, but they will notice the fact that the audit report has been issued a month after the fieldwork was completed! In addition, morale within the audit function is typically reduced when there is extensive “tweaking” of audit reports – something I have been guilty of myself.

Challenges without (and with) Audit Management Software

There are some audit functions that I speak to that make limited use of audit software to capture the work performed during the assignment. As a result, time is spent filing papers, copying extracts from certain documents into an audit folder and then into the audit report, resulting in a lot of administrative tasks for the auditors. Needless to say, the time and effort spent on such tasks is waste (Muda).

At the other end of the spectrum, there are some audit functions that make extensive use of audit software, where work papers are stored and exceptions noted and an audit report can be produced at the push of a button. However, the use of an audit system may not be waste free since I have heard many auditors speak about the amount of time they spend “feeding the system”.

In addition, whilst one of the attractions of an audit system is that it can quickly generate an audit report, there is a danger that this automated approach to reporting may not be the most value adding. One CAE explained:

“I don’t always like the push button to generate a report approach, because it drives the auditor away from what is really important and what is going to be of most value to your customer, be it audit committee or management.

If you generate a report by system you are in danger of getting an exception report, which you might get from a compliance team. This is not the same as a proper audit report that tells you what your real risks are. Furthermore when you press a button to get a report, you run the risk of missing root causes and deskilling your audit function.

Of course we should improve the efficiency of the reporting process, but there is a trap when we press the button that we miss the really important issues in relation to the GRC framework, accountability and resource issues. You can go too far on automation.”

Thus, being a lean audit function does not simply mean rolling out audit software. This is the superficial version of lean thinking where efficiencies ignore questions about the insightfulness of the report, its impact on management, and the value it will deliver to the end customer.

Report Findings, Wording and Ratings

Another area identified as wasteful by auditors is when managers challenge audit over what they believe to be minor points, either in terms of the organizational importance of the issue, or the way the points are contextualized or explained in the report.

Furthermore, whilst it might appear that having a greater number of points in an audit report is the sign of comprehensive work by audit, management may share the opposite view. Helen Maneuf (CAE, Hertfordshire SIAS) observes:

“I am increasingly aware that low level recommendations about minor issues can be used to discredit any more serious points we are trying to make.”

Roger Timewell (former Head of R&D audit at AstraZeneca, now consulting in clinical trial auditing) has an interesting “war story” that highlights the problem of overly lengthy audit reports:

“I had an experience a few years ago where I was asked to sit alongside an auditor to give the company comfort about the quality of auditing. It was one of the worst audits I have ever seen. The auditor wrote a 25-page report about a site with a massive list of detailed facts, with no focus on what the real issues were. For me, there were two really big issues. But when you read the report – and even I who was there at the site – I couldn’t see the important issues get clearly captured – so it certainly wouldn’t come out to a reader who hadn’t been there.

Sadly a number of auditors have got a box-ticking mentality and find it hard to dissect out what really matters.

This is key because most senior managers who get audit reports are not going to do this sort of sifting. They either don’t have the time, or they don’t have the ability, but in any event we shouldn’t be expecting them to do this.”

Richard Chambers (President & CEO, IIA) offers some interesting reflections in relation to the difficulties auditors have with brevity:

“I have thought about this a lot over the years. It’s drilled into us from the earliest days as a profession that the single most important attribute of an audit is accuracy.

But think of the audit process as an inverted pyramid. If you break it into three parts, the widest is the accuracy of the report, the middle is its usefulness, and the bottom is its timeliness. So, it’s almost like timeliness is the least considered of all of the attributes.

I’ve seen some ridiculously long audits in my time. On one occasion, we got an audit report for an area that had been deactivated two years earlier! That’s how long it had taken them to issue the audit report.

We have an insatiable obsession with being accurate. The cardinal sin would be to put something in a report that’s erroneous. But I think that also tends to make us loquacious. We spend so much time auditing, we feel we must spend a lot of time talking about what we found. In fact, the longer a report is, the less likely it’s going to be read.”

Associated waste (Muda) in relation to audit reporting can include an extensive “to and fro” of interactions between audit and management around the wording of the final report, management comments, proposed action items, accountabilities and timescales and – sometimes an even more contentious issue – the proposed rating of the report (if applicable).

The Closing Meeting Becomes Difficult

Many auditors will recognize that meetings to close an assignment are bound to be contentious to a greater or lesser extent, especially if audit identified many issues and areas for action.

The reasons for difficulties are manifold, but an experienced Health & Safety auditor highlights a key problem area:

“It’s not great when audit pulls a rabbit out of the hat in the closing meeting. That makes for a much more difficult time at the end and will probably extend the audit because management can start to say they now need to find evidence that the auditor has not found and so on.”

The key point is to recognize that it is to be expected that management will challenge audit during the closing meeting, not simply if there is a factual disagreement but also if there is a disagreement around the seriousness of what has been found or how best to remediate it. Of course, the audit perspective is often: “I told them about these issues during the assignment,” but the management version of this is often: “What you have written down in the report is not the same as what you said to me verbally.”

RECOMMENDED PRACTICES

A number of the points recommended in earlier chapters can help to address the difficulties outlined; for example, determining who should be accountable for delivering action points is often much easier when there is an assignment sponsor. However, there are a range of other good practices, outlined below, that can significantly reduce rework, delays and frustrations towards the end of an audit assignment.

Address Compensating Controls Early on and Be Clear about How Control Remediation Will Be Regarded

In addition to my work on lean auditing, I also do work as an External Quality Assessor for the IIA UK. In both capacities I am asked to look at the audit methodology of an audit function. In several instances where there has been a pattern of carrying out additional testing at the last minute, I have found that the question of compensating controls is not explicitly addressed in the audit methodology. My advice is simple: auditors should always be mindful of the problem of encountering compensating controls, and therefore this is something that should be explicitly addressed when developing and discussing test plans of key risks and key controls. From my perspective, good practice in an audit methodology is to include guidance on how to “head off” issues with compensating controls.

In addition, senior management (and the board if necessary) should be engaged on the question of how management efforts to remediate faulty controls should be regarded. I have seen a distinction being drawn between remediation that was already underway before the assignment started as part of the normal management process, and remediation that is started when audit said they were going to visit. This is why it is important to ask management about “known or suspected issues” or control improvement initiatives planned, or underway, at the start of an assignment. If this question is asked early on and then documented (e.g. in a short note of meeting), it can make it less easy for management to say later in an assignment: “Come to think of it, I’ve found out that we have actually been working on improving that area for a few weeks now.”

Audit rating criteria should also explicitly address the issue of how to rate an area that is in the process of being remediated, or has just been remediated. Some audit functions adopt the principle that, if an issue has been remediated it need not be reported, on the basis that management and the board value things being fixed, and only need to know about open issues. Other functions adopt the approach that whether or not an issue has been remediated, the key point is to ensure all key weaknesses are known, even if just recently remediated, so that questions of root causes and wider lessons for the organization can be captured. My personal preference is to ensure that key issues and weaknesses are logged, even if remediated, on the basis that the external customer would want the organization to learn lessons to ensure their needs were met and other problems headed off.

Actions for Internal Audit to consider:

  • Address how to approach compensating controls in the audit assignment methodology;
  • Clarify how improvement actions should be regarded for the purposes of audit findings and any final audit ratings.

Ensure that Criteria for Rating Findings Is Understood Early in the Assignment

Earlier on in this book, I discussed the importance of tuning in to management’s risk appetite early on in an assignment. Another important step auditors can take is to be more up-front about the basis upon which assignments will be rated (just discussed in the context of remediation progress). Two key points need to be considered:

  • The criteria by which facts will be judged and translated into “findings”;
  • The criteria by which any findings will be rated.

For standard assignments in relation to compliance or financial control issues, the criteria for judging facts will often be a policy, procedure or stated risk appetite (e.g. additional approval will be needed above a certain threshold). In these instances an absence of a process or documentation will clearly become a finding (or part of a finding) because the facts differ from the approved policy, process or procedure.

However, for non-standard assignments (e.g. the management of an emerging risk area), the criteria for rating the facts may be less clear, resulting in time-consuming disagreements (e.g. how good should the risk assessment of the emerging risk area be? How quickly should actions be implemented?).

In order to create a more streamlined, value adding, assignment process it is vital that auditors should engage management at an early stage about the criteria for judging facts if there is any doubt about what the criteria will be. In the case above: what expectations, if any, have been set for the risk assessment of an emerging risk and the timeliness of actions? The timing of audit engagement with management on appropriate criteria matters because, if audit raises an issue towards the end of an assignment without being clear about the criteria up front, there may be a tendency for management to say that what audit has found is not a real problem, and that it is within their risk appetite (especially if nothing bad has happened up to that point).

If auditors are expected to rate an audit (e.g. Good, Satisfactory, Poor, or Red, Amber, Green), this should be based on criteria agreed in advance with senior managers and the board. Good practice is that ratings criteria should be known by, and accessible to, management, so that any audit rating is not a surprise. This can be achieved by posting the criteria for assignment ratings on any intranet site maintained by audit. Good practice is to try to align any audit rating criteria with any other key rating criteria in use in the organization (e.g. that of risk or other key assurance functions). However, human behaviour is often to deny that the specific facts audit has found apply to this particular assignment, often resulting in wasteful discussions. Therefore, it is good practice for the audit team to explain assignment ratings during staff and manager briefings, using concrete examples of how ratings were decided. It is also good practice to specifically discuss ratings at the start of an assignment, for example: “These are the criteria that management and the board want us to use, so that means that if we found X, it would be rated Amber; does that make sense to you? Do you think any of the areas we are about to look at could be rated Red or Amber?”

It is worth noting that sometimes the criteria for assignment ratings can be a cause of disagreements and difficulties, because the audit ratings system is not in line with the way management thinks. When I was CAE of AstraZeneca, following our work on lean ways of working, we implemented a new approach to rating audits that was more in tune with key questions about value and risk. In particular, we implemented a distinction between our assessment of risk management and control effectiveness (“How bad”) and our assessment of how important the issues were in organizational terms (“How big”) (see Figure 15.1). This new approach was cited as a best practice by the Audit Director Roundtable in 2008, and is something I regularly explore with CAEs who are trying to take some of the “heat and light” out of the assignment ratings process.


Figure 15.1 Assessing what has been found: how big and how bad

Very recent work with one CAE has resulted in us raising the bar in relation to ratings, supported by senior management and the board. The new ratings system has revised its Green rating from “Satisfactory” to “In control”. The change is intended to signal that a basic level of compliance and control is not sufficient in the modern risk and regulatory environment. Instead, being “In Control” requires genuinely embedded, adaptive and improving risk management. The result of these changes will be many more Amber and Red audit reports, but this action has been taken consciously as a way of overcoming a degree of management complacency in relation to risk and control matters (see Figure 15.2).

Actions for Internal Audit to consider:

  • Consider how much waste is caused by disagreements on findings or ratings and consider the reasons for this;
  • Create a manager’s guide explaining how ratings are determined, seeking clarity concerning how this is aligned with other ratings criteria (e.g. risk);
  • Provide examples of how assignments have been rated to bring this to life and ensure this is communicated to key managers, especially at the start of assignments;
  • Consider whether the current ratings system is really adding value in terms of its impact on the organization – ensure that audit ratings make sense in the wider organizational context (e.g. by distinguishing between control effectiveness and organizational impact), and are not engendering a sense of inappropriate complacency.

Figure 15.2 Ratings template, using the notion of being “In Control”

Identify Opportunities in Relation to Audit Software

The key lean message is that audit tools and software are a means to an end, not an end in their own right. Audit software should help the audit function focus on the most important issues and drive efficiencies. The audit methodology should emphasize that a value adding report may require careful thought and not just pushing a button to get a list of exceptions.

Actions for Internal Audit to consider:

  • If the audit function is not using audit software, examine options for using audit software, or even the functionality in existing software available to the audit team;
  • If audit software is in use, discuss what is working well/less well;
  • Ensure that any automated reports are properly considered for their insight and value add, including the identification of root causes.

Audit Work-papers Should Not be an Objective of the Assignment

A fundamental hallmark of a value-oriented approach is to have a balanced approach to working papers. Andy Weintraub (experienced internal audit leader) sums up a progressive approach:

“Work papers are important – there’s got to be enough to substantiate your findings, and if there are no findings you’ve got to have enough to substantiate why the area is clean.

However, I don’t believe auditors should just write pages and pages of notes without being very clear what this is for. Of course, you’ve got to have evidence noted against key areas of scope, but to document every single meeting in detail? I’m not so sure. Maybe document who you met with and when and some of the key points and actions that arose in a brief note, but I’m not looking for documenting for the sake of documenting. Often information from meetings, etc, can also be captured in risk control templates.”

One CAE offered an interesting perspective about working papers:

“I’d probably say that, after working in internal audit for over twenty years, I don’t think I’ve ever had an audit sponsor say, let me see the audit file so I can judge how good the audit was. It just doesn’t happen.”

They also observed:

“Sometimes less good assignments can have quite a lot of the audit file, but the danger is that making the file look good has been the focus of the auditors, not engaging the business, thinking about what the findings really mean, or properly preparing for the closure meeting.”

Actions for Internal Audit to consider:

  • Consider the time spent on audit work papers and the audit file. Is there waste?
  • Agree the core requirements for working papers, but try to drive a culture in which working papers are seen to be a means to an end, not an end in themselves.

Think Carefully about the Audit Quality Process and Emphasize Quality Control “In Flight”

It should be self-evident that “getting it right first time” is one of the key objectives of a lean approach. As a result, the audit quality control process should be aiming for this and – as far as possible – built into the way assignments are managed. QC or quality assurance (QA) after the assignment is completed runs the risk of rework, or not delivering the better assignment in real time, which is where value is added. This is a change we made in the audit function at AstraZeneca, paying more attention to “in flight” quality control, rather than QA some time after the assignment.

In addition, the amount of QC should depend on the specifics of the assignment and the staff allocated to it. Jonathan Kidd (CAE, UK Met Office) explains his approach, which is typical of progressive practice:

“One of the things I did was make the methodology a lot more flexible round QC and made the QC process a bit more dynamic, and made it more dependent on the situation. Say you’ve got an audit that’s been done previously. It’s following a testing method we’ve done before, and the person doing it is experienced and they know what they are doing, then really we probably don’t need that much QC at all. We just need someone to check they’ve not completely messed up and are we comfortable.

If it’s a new area, an audit that is particularly strategically placed, it is very high risk to the organization in terms of what it is looking at, then you might want to have the level of QC ramped up. That’s something you decide at the planning stage.

We have changed our QC approach so that you don’t get to the end and go, right, now we’ve got to do five days of QC. What we want to do is fold it into the audit process and make sure that the QC is proportionate to the importance of the audit itself.”

Jonathan’s approach highlights the key shift in leaner ways of working: carrying out QC on a proportionate basis, in real time. Ivan Butler (CAE, Denbighshire County Council) uses the analogy of Formula One racing, calling QC during an assignment “pit stops”.

In addition, the QC should not just focus on documentation and compliance with standards, but also look at progress against the assignment timeline and the value add emerging from the assignment.

Norman Marks (GRC thought leader) highlights the shift that arises when thinking with a progressive added value mindset:

“When it comes to assignment quality control, personally, I prefer to talk to the auditor. And have a discussion about what has been happening, what they did, what they found. What is not in the work papers is perhaps more important than what is documented in the work papers.

Sadly, filing work papers is often a defensive cover yourself activity. This is again coming back to what lean is all about. What are we trying to do? Let’s make sure we really understand what we need to do, because if we can focus on the key set of actions necessary to deliver the best value to our customer, then we can eliminate so much of what we traditionally do.”

I have encountered a few instances where assignments are completed, but audit files (and draft reports) are then sent for review to the CAE or an audit manager, and this then takes days or even weeks (I wish I was joking). The reason for the bottleneck is that the manager or CAE is so busy they don’t have the time to review the file immediately.

Two root causes need to be addressed here. The first is booking ahead the time for the management review (cf. earlier comments about managing assignments as projects); the second is agreeing a maximum time that a file can await a quality sign off and reconsidering whether all of these files require sign off in this way.

Remember, as time passes some managers may be wondering where the report is, whilst others may be delighted it is being held up. However, an external customer would expect the report to be done as quickly as possible.

Further insights in relation to bottlenecks can be found in articles concerning the Theory of Constraints by E M Goldratt.

Actions for Internal Audit to consider:

  • Ask the audit function what value they are getting from the current quality control process and what value the stakeholders of audit are getting;
  • Consider how to make the amount of quality control proportionate to the value of the assignment;
  • Examine options for more real time quality control activities (rather than post assignment quality assurance), focusing on value and efficiency questions as well as other quality related issues;
  • Identify and address any bottlenecks or constraints in the quality process (especially in relation to audit report reviews), so that time is not lost.

Engage Management Throughout the Assignment

In a recent External Quality Assessment (EQA) review for the UK IIA, I looked at the audit methodology of a large UK audit function and found just one mention of the need to engage management during an assignment. It stated: “Management should be advised of any significant audit findings before the closing meeting.” Readers should not be surprised to learn this audit function was experiencing “slippage” in assignment delivery due to late disagreements with management about what audit was finding. One of our conclusions from the EQA was that a much greater level of management engagement should be expected throughout assignments, and made much more explicit in the assignment methodology, as well as a focus of assignment supervision. An experienced Health & Safety auditor sums up a better approach:

“I like the no surprises approach, bringing the management team with you.

I prefer a completely open and transparent communication approach. The only exception is when you are looking at potential fraud or corruption, but an investigation is a very different beast from an audit assignment.”

One CAE explained:

“It’s so important to listen and to communicate regularly with managers because you might be technically very strong but if you don’t tune your communication and your analysis to the perspective of key managers and stakeholders, what you will come up with risks the danger of being in a bubble.”

Thus management engagement should include asking them whether any compensating controls have been missed (as discussed earlier) and also sharing the proposed wording of sections of the audit report, to allow them to acclimatize to the words that audit is proposing to use, and to consider the actions that should be taken as the assignment progresses, rather than leaving this all to the end.

Actions for Internal Audit to consider:

  • Ensure the audit methodology requires ongoing, timely communication with management about what is being found as assignments progress;
  • Follow up in writing at appropriate points in relation to audit findings, so that management can comment early on the way issues are being described and start to consider action steps to be taken;
  • Coach those auditors who have a tendency to keep things to themselves, drawing lessons from issues that have arisen as a result, so they can understand the importance of this way of working.

Be Clear about the Purpose of Any Report before it is Written

In order to avoid the painful, time-consuming and demotivating process of auditors drafting audit reports that are then rewritten, it is vital for auditors and audit managers to agree, as much as is practical, the proposed contents of any assignment report before the report is written. Andy Weintraub (experienced internal audit leader) explains:

“Before we put pen to paper and waste our time, let’s write up a list of findings and first of all decide whether we agree these are all important.

After that we can look at the findings and the proposed corrective actions and start to see whether there are patterns, so that they can be combined.

This approach makes sure that audit reports are more focused, with less need of rewriting. It also helps you to combine points making reports as concise and readable as possible, and also helping stakeholders better judge the relative significance of what is being found.”

This approach requires that audit managers who supervise assignments should keep sufficiently close to what is being done so that they can guide auditors to step back and determine what is important. Often this requires greater discipline to summarize the work in progress during assignments, and setting aside time, towards the end of fieldwork, to go through key points before the audit report is written.

At AstraZeneca auditors were asked to plot their proposed findings from each assignment against the framework of “How big” and “How bad” before the report was written. This was an excellent tool to focus discussions about the key points to be made in the audit report, since it would enable us to adjust perspectives on the importance of specific points as well as to spot root causes and the need to aggregate issues. In addition, this approach was invaluable when it came to assignment ratings.

Actions for Internal Audit to consider:

  • Set aside a time towards the end of fieldwork to go over all key points before the audit report is finalized;
  • Consider findings in a structured way (e.g. How big and How bad) and consider their root causes and respective importance;
  • Agree the key points that should be made in the assignment report to reduce time spent composing it, and to avoid rewriting it.

Properly Prepare for and Manage the Assignment Closing Meeting

Experienced auditors recognize that the better the preparation before the closing meeting, the less problematic the meeting is likely to be. Ideally, key facts, the criteria by which they should be rated, and proposed actions, action owners and timescales should be mostly agreed before any closing meeting.

I recommend that auditors should carry out their own risk assessment ahead of the closing meeting to consider the extent to which any sensitive matters are still open. Sensitivities might include the way a point is described or positioned, the nature of the action being proposed or the organizational or political context that may influence the staff and managers involved. Once these risks are understood, auditors can then agree a plan of action of preparatory meetings or lobbying, to maximize the chances of a comparatively smooth closing meeting.

Of course, it is not always possible to lobby key stakeholders in advance of a closing meeting. When this is the case, and there is a concern that the closing meeting is going to be “interesting,” auditors should consider rehearsing the meeting. The rehearsal should be run as if it were the closing meeting, using another auditor or audit manager to act in the role of the key manager who needs to be persuaded at the closing meeting. The idea is to focus on the likely real-life dynamics of the closing meeting, not just the straightforward factual issues. These rehearsals can help the lead auditor be much more careful about the language they are going to use in the closing meeting, and to think through the supporting documentation or other evidence (e.g. “killer facts”) that they will need to bring the meeting to a satisfactory conclusion. They can also help the auditor who is leading the assignment to become clearer about their negotiation strategy if there is push back (e.g. what can be conceded and what key points must be defended).

When I coach auditors at pre-closing rehearsals, I often ask them to “rewind” what they have just done, so they can have a second, or even a third attempt at presenting a key point. The result is often to help auditors build up greater awareness of how to position key points and to increase their confidence and resilience in relation to what might happen.

Of course, these rehearsals never quite match what actually happens in the real closing meeting, but my experience is that the time invested upfront (which may seem wasteful at face value) normally pays dividends in terms of both the speed of coming to a mutually satisfactory conclusion as well as maintaining good relationships between management and audit. It also builds a greater awareness in the auditor in terms of their style and strengthens their ability to manage effectively in key meetings. From a range of perspectives, therefore, this can be a value-adding thing to do.

Actions for Internal Audit to consider:

  • Carry out a risk assessment of the way in which audit points are going to be received;
  • Lobby on key points as needed before the closing meeting;
  • For the most high-stakes closing meetings, carry out a rehearsal, concentrating not just on what is going to be said, but on how to say it and what counter-arguments should be prepared for.

The Report Wording and Word Count Does Matter, but so Does Balance

Whether or not a draft audit report is available for any closing meeting, it is clearly going to be of value to share any written conclusions and proposed action plans as soon after the closing meeting as possible. Some audit functions are able to issue the final version of the assignment report (with agreed actions) within five days of any closing meeting. To write a report in the most efficient way, with minimal delays, a number of good practices are worth highlighting.

Karen Dignan (CAE, Group Head Office, OMG):

“Put yourself into the mind of the person that you are writing your report for. What is the business language and the business context we need to tune into rather than just our audit speak?

It should be about substance not form. The temptation as an auditor is to list what you have done in a very prescribed way, but you have to move on from that to consider: what does this all mean? And how do we best get that message across to the client?”

Phil Gerrard (CAE, Rolls-Royce) explains:

“Assume the reader is a reluctant reader, is how I’d phrase it.

The readers of most audit reports are senior people. They don’t have a lot of time. So just psychologically if they see 20 or 30 pages land on their desk or inbox, it won’t be encouraging for them to read. Keep it concise, to the point; it needs to join the dots for the reader so the business impact of issues is clear.”

Helen Maneuf (CAE, Hertfordshire SIAS):

Figure 15.3 What many stakeholders value from reporting

“The goal is to present a report in a way that’s going to make people pay attention to it. If you fill it up with trivia nobody’s going to give it any attention. The important things that you might be saying will get overlooked.

I recently read an audit report, it had nine recommendations and one key thing in the report was the ninth recommendation. By the time you got to it you would have given up.”

(See Figure 15.3).

Timeliness is another key theme. Norman Marks (GRC thought leader) notes:

“It really comes back down to, what is it we need to deliver? It’s not just the assurance that is valuable, but how quickly that assurance is delivered and how it is packaged.

So do you want to give the CEO a 15-page report? Or do you just want to say, ‘Everything is good except for these, one, two three, issues’. And ‘I’ve talked to management about fixing these points, and they’ll work on them over the next few months’.”

Greg Coleman (CAE, ITG) continues this theme:

“On balance, in most cases, I would much rather have an audit report issued in a timely way, than have a report which drags on and only is finalized weeks or months afterwards. The process may not be perfect, and sometimes there are areas that, with the benefit of hindsight, we think we could have spent more time. But the benefit is we have a report with a series of agreed actions that’s issued and being worked on. If we do feel that there’s an area where additional work would be useful we can always do that later.”

It is worth saying that driving an efficient, lean, approach does not mean only exception based reporting. This is something we considered at AstraZeneca but we agreed that a brief amount of context and balance was needed to add value to senior stakeholders. Phil Gerrard (CAE, Rolls-Royce) endorses this approach:

“Reports should have context, so if I just listed out the 10 things that I thought were wrong, that wouldn’t be fair. You have to take the responsibility for setting hares running quite seriously. You’ve got to put yourself in the reader’s shoes.”

The key message is to write a report that is meaningful and clear to key stakeholders, with minimum waste and being mindful of the time this is taking.

Actions for Internal Audit to consider:

  • As a general rule assignment reports should be as short as they can be, without losing key value adding information;
  • Structure the report in a way that will grab the reader’s attention: key points first with the relevant context;
  • Timeliness is important; see this as a counterbalance to the desire to write longer reports or to polish reports to perfection;
  • If some stakeholders want longer reports, don’t hide from them how much resource and time this would take.

Address Any “To and Fro” of Audit Recommendations and Management Comments

I have emphasized that good practice in auditing is to engage management on an ongoing basis throughout an assignment. However, even if an auditor does this, progress on an assignment can slow when final actions have to be agreed. A particular source of delay can be a “to and fro” of comments: audit makes recommendations, management provides comments, and agreement then has to be reached to write up the final actions, allocate ownership and determine suitable timescales.

I contrast the written “to and fro” of audit recommendations and management responses to what it is like when I go to see my doctor. If I see the doctor, I just want to discuss key points face-to-face and agree what I should do there and then! The traditional audit approach of lengthy written reports seems to be a throwback to the times of Charles Dickens, when gentlefolk would correspond with one another, in eloquent prose.

To address the problem of audit recommendations and management responses being exchanged, an increasing number of audit functions are streamlining their audit reports to highlight just agreed actions. The key point is that, from the perspective of key stakeholders (and the external customer for that matter), what matters the most is that appropriate actions have been agreed, within a suitable timescale.

Of course, auditors can and should make verbal recommendations to management about what might be done, but the lean progressive approach is to encourage direct engagement and dialogue to finalize what should be done, rather than correspondence. Furthermore, a number of CAEs have remarked to me that the inclusion of management comments about audit points in addition to the proposed actions can actually dilute what audit has found and what should now be done.

If, for cultural or practical reasons, there is a need to exchange draft reports, a practical way to make this flow better is to schedule meetings or telephone discussions to address comments and also to agree timescales for responses (I recommend no more than a week, and preferably the next day). In addition, if management responses remain in the audit report, management should be asked to keep them as brief as possible.

If audit and management cannot agree certain actions, then this should be noted so that more senior management, and the board if necessary, can determine what should be done. However, the progressive, lean approach is that recording recommendations and management responses would be the exception rather than the rule.

Actions for Internal Audit to consider:

  • Move towards “Agreed management actions” in the audit report and seek to secure this through discussion, rather than correspondence;
  • Only record audit recommendations and management comments where audit and management do not agree, or there is an explicit regulatory need to do this;
  • Schedule meetings or telephone conversations to progress the document, wherever possible;
  • If management comments continue to be included in the audit report, work to limit the length of what can be said, and be mindful of management comments that dilute the actions that are being agreed.

A Few Words Concerning Timelines for Remediation

One source of tension between audit and management, as reports are finalized, can be the timescales within which audit findings should be addressed. Some audit functions adopt the approach that they should be realistic, recognizing business pressures and resource constraints and therefore adjust milestones for delivering actions accordingly. This pragmatism on the side of audit may be appreciated and valued by management (e.g. “They understand the real world we live in”). However, the downsides can be:

  • An implicit sense that audit accepts that its findings cannot and should not be fixed more quickly; and
  • A risk that a problem may emerge whilst the issue is still to be remediated.

As a consequence, I would encourage auditors to consider compromises and constraints to remediation from the perspective of whether this meets the needs of the most senior managers and the board and/or key external customers.

As I see it, there is a balance to strike between being pragmatic, maintaining relationships and being independent. My advice is that it can be a useful discipline within the audit function to expect remediation to be completed within (say) one, two, four or eight months. Then, if management request longer than this in relation to a key risk area, a discussion can progress along the lines of:

“I understand why you want to wait and address this risk area when the new system comes along in 12 months, but I want to be sure that senior management and the board accept that this is an area that can wait, because if something were to go wrong in the meantime we could have a big reputational issue, or difficulty with a customer.”

Actions for Internal Audit to consider:

  • Agree typical timescales within which issues should normally be remediated (e.g. one, two, four or eight months) and what would influence the need to complete remediation more or less quickly (e.g. the importance of the issue and risk appetite in relation to the area);
  • Agree a process for escalating timescales outside of the agreed parameters to senior management and the board, so that resource and other constraints are clear and that risk appetite sign-offs are clear.

Effective Reporting Often Involves a Degree of Branding

Whilst lean encourages auditors to create “short and sweet” reports it is important to recognize that the way reports are written and the way they look is also important. Stephen Foster (CAE, Cargotec) explains:

“It seems a contradiction to efficiency and lean processes, but actually if you say that our role is to communicate issues, and to gain agreement to improvement actions then we need to be able to communicate well. People are far more receptive to ideas and suggestions when it’s done in a very professional and consistent manner.

Subconsciously you recognize that if someone has taken the care to write a professional report, they are likely to have taken the care to make sure the contents of the report are right. The form is important, because people are human and the form is a way of making a good first impression. But, if you don’t have the substance behind it then ultimately good form will fail. If you’re going to be successful you have to have the full suite, form and substance.”

I see an increasing number of audit functions writing reports in landscape format, and giving them a “newspaper feel”. This sort of format can encourage shorter reports and will often follow good branding practices that can be seen in external auditors’ or consultants’ reports.

Actions for Internal Audit to consider:

  • Compare audit reports to reports from other respected sources and look for ways to improve the internal audit brand through improved reporting formats.

Communicate with a Focus on Adding Value and Minimizing Waste

Earlier I discussed the way in which management appreciates not being surprised. Thus, if an audit report has been agreed and is about to be issued, it is worthwhile thinking about the best way of communicating this to the organization. Just sending an e-mail with a long list of addressees is not always valued, especially by those who are copied in. Phil Gerrard (CAE, Rolls-Royce) provides some advice:

“Think about the distribution of audit reports. It’s so easy to waste people’s time by copying them in on a report that is only marginally relevant. My advice is don’t c.c. the world. Don’t fall into that trap.”

Norman Marks (GRC thought leader) adds:

“If we are going to be successful, just putting something in somebody’s inbox is not going to get them to listen, to think about what audit has said, to understand it and move forward. Not nearly as well or sympathetically as if you sit down with them and talk about what you have found, why any change is necessary, what’s in it for them and how it will help them and the organization to succeed.

It comes down to what is the product. The product is not the memo. The product is to generate change, or to provide assurance.”

Thus, staggering the communication of audit reports, including personalizing communications (e.g. a personal note or e-mail: “No action for you on this report, but we should pick up point 5 when we next meet”), or organizing a meeting to talk stakeholders through what audit has found, can be much more valued by management, and helpful for audit, than just sending e-mails. Some audit functions organize monthly or quarterly meetings with key senior stakeholders and use this as the opportunity to talk through what they have done, and what they have found, in order to have a deeper dialogue with the managers concerned.

Actions for Internal Audit to consider:

  • Think about the circulation lists for audit reports – keep them relevant and personalized;
  • Do those who receive a copy of the report find this helpful? Explore other ways of communicating with them more effectively.

Evolve any Reports as Needed

From the foregoing discussion it should be clear that I do not believe there is one “correct” way to report the outcome of an audit assignment. After all, there can be some stakeholders and some situations where a more detailed report is clearly going to be of value, and other situations and stakeholders where just the headlines will suffice.

In all circumstances, the hallmark of good practice is to engage management and the board about the different options and what would be most valuable to them. In my experience, a useful additional angle to take is to explain how much time a longer report takes to write:

“You want a 20-page report as a rule, rather than 10 pages? We can do that, but you will lose on average two days of fieldwork if we do that. Are you sure that is what you want?”

Shagen Ganason (former Chief Assurance Officer at the Department of Conservation, New Zealand) sums up his perspective on the value of an audit report:

“A report is only valuable when management and the board use it and see that it helps them.

If they briefly look at it and then put it aside, then it is basically useless in my view. On the other hand, if they look at the report and say ‘yes, this is something I think will help me manage my business’ or if they discuss the contents of the report with other parts of the business, then it is a good sign.

My measurement of the value of an audit report is not about the contents or the number of issues raised but by how management and the board use it to manage their business.”

Jonathan Kidd (CAE, UK Met Office) goes on to explain how the feedback process can support the ongoing improvement of audit reports:

“I would expect to see a regular feedback process from stakeholders, and this should cover assignment reporting. As a result of this I would expect to see things gradually change. Six months ago we were doing this report, we don’t do that any more because that’s no longer necessary.”

As a concluding comment it is worth noting that I have even heard some CAEs (in larger audit functions) speak about recruiting professional report writers into their audit functions. The idea is to use this specialism to drive improvements and innovations in the way internal audit communicates with the organization.

Actions for Internal Audit to consider:

  • Ensure that senior stakeholders understand the trade-off between the length of an audit report and the impact on time available for fieldwork;
  • Be prepared to try different approaches to reporting, if only on a pilot basis, to see what reaction that gets;
  • Consider engaging professional report writers for a period to drive a step up in the audit reporting process;
  • Regularly engage stakeholders in relation to how useful they find audit reports.

CONCLUDING REMARKS

I have covered a lot of ground in this chapter and combined report writing with the later stages of fieldwork and quality control. This has been done deliberately to highlight the extent to which issues in the later stages of an assignment can end up impacting the closing meeting and agreement of the assignment report. In addition, I hope that by joining up management engagement with the reporting process it becomes clear why this is needed to achieve a flow encompassing gathering facts, identifying root causes, prioritizing criteria, leading to a value-adding outcome, with minimum waste. Norman Marks (GRC thought leader) notes:

“The standards do not require us to have a formal audit report that is written. It says we need to communicate.”

Of course, the challenge facing most audit functions is that an audit report is required, and is expected to be backed up by sufficient evidence. However, the danger is that the audit report and the audit file that supports it start to take on an importance, and absorb time, that is not in line with their true value. Crucial throughout everything I have said is the spirit of an audit function that “wants to get on with it”; that wants to engage management with a sense of urgency. The progressive, lean function regards what it is doing as just as important and urgent as anything else the organization is doing, because it sees a clear connection between its work and the delivery of added value. As a result, the delays and disagreements at the latter stages of an audit assignment are not just “one of those things”, but symptomatic of a culture of waste, inefficiency and a non-value-adding focus that needs to be addressed in both audit and the wider organization.

Driving through debate and discussion does not mean audit will get everything it wants, or that it should ignore political and practical sensitivities, but it should ensure timely consideration by senior management and the board of key hot spots and trigger a decision about whether these need to be addressed or whether risks are accepted.

As a concluding reflection, Richard Young (Director, UNIAC) sums up the lean, progressive audit mindset:

“Forget about the audit report, the question is, did audit’s work make a difference?

Talking about reports and saying they are well structured, useful and concise is great, but that is peripheral in the grand scheme of things.

The bigger questions are: did audit’s work add value, did it improve controls or did it give appropriate assurance?”

 
