Helping management deal with an expanding universe of regulatory, operational, and compliance challenges is placing growing demands on internal auditors. Auditors are facing increased pressure to bring current and relevant issues to the attention of decision makers, so that timely actions can be taken to address the threats posed to the achievement of business goals. Further, the increased tempo of business is placing a greater premium on accelerating audit report issuance.
How can auditors successfully merge the need to deliver thorough, reliable audit reviews and analyses with the increasing “need for speed?” How can they accelerate the process while still providing well-documented and well-written reports? Are the goals of thoroughness and accuracy in conflict with the desire for speed? Clearly, they are not. Following some relatively simple principles can help today’s internal auditors consistently achieve these dual goals.
As an audit consultant and writer, I have found that three factors are fundamental in achieving a reliable and rapid audit product:
- Performing comprehensive and effective audit planning.
- Understanding and applying the critical linkage among business objectives, risks, controls, and tests.
- Writing all audit documentation (beginning with the planning memo and culminating in the final report) in an understandable and report-worthy manner using report-ready language.
The first two items, planning and understanding the critical linkages, are related because they both require a clear understanding of the business, entity or process under review. It is this knowledge that creates the context for identifying risks and controls, and makes it easy to determine audit concerns.
- Understand business objectives
Everyone working on the audit must have a common understanding of the business objectives for the area under review. Why? Because the audit objective is a derivative of the business objective. If auditors understand how to think about their test results in relation to these objectives, they will be better able to figure out whether the exception is an inconsequential or significant issue. They will also be able to make more timely, relevant, and actionable recommendations.
- Have an objective to accomplish within a predefined time period.
- Involve the work efforts of several (or many) individuals.
- Require data collection and analysis to reach a conclusion.
- Issue development a key to audit success
Issue development is the key building block for the audit report. When done effectively, it will increase both the speed and effectiveness of the final product. Issue development is the process of thinking about the various test results to determine their common trends and root causes, and to decide whether any of the test results can be combined to produce a more meaningful audit concern – one that is indicative of systemic breakdowns or unmitigated exposures.
An issue is a clear and concise description of a control weakness, typically a control gap, design flow, or execution error. This description includes the criteria (or standard) used to measure what should be happening and explains why a deviation is occurring and generally describes the root cause. Since the issue’s description answers the reader’s question, “What did the auditor find?” This should be expressed in the first sentence or two of the issue’s description.
The impact of the issue is a description of the effect an uncorrected issue will have, including financial, compliance or reputation damage. Essentially, the impact describes the risk that could or has happened as a result of the missing or inoperative control. It is helpful to ask “so what?” when formulating the issue. If the answer is that there is no real impact on the business or its objectives, then there is probably no audit issue.
The evidence is a brief description of the exception or deficiency identified within a process, function or transaction, including the test results supporting the issue. It is the proof to substantiate what the auditors found.
The documentation of every audit issue should contain five key elements:
- Element 1 – The condition or situation. For example, what was observed and the facts in evidence, quantified whenever possible.
- Element 2 – The situation’s cause. For example, the root cause or reason for the difference between the expected and actual conditions found within an area.
- Element 3 – The criteria or standard describing what the situation should be and used to test the relevant controls.
- Element 4 – The consequence that the exposure or risk poses concerning the achievement of the business objectives if the situation is not corrected.
- Element 5 – The recommended corrective actions that would either prevent the situation from occurring or mitigate the negative impact should it occur anyway. When addressing this element, it is critical to have already verbally discussed the exception with line management of the area being audited to get input about what corrective actions they plan to take.
- Write in a “report-worthy” style
Solid, relevant content is crucial to an audit report, but so is presentation. It is important to keep the audience in mind at all times. If the report is being directed to the managers or business heads responsible for addressing issues explored in the audit, the tenor and tone will differ from a report that is also going to be read by the Audit Committee and the CEO.
During typical, everyday written and verbal communications, we often speak and write in colloquial and informal ways. That is normal, but it is not appropriate within a formal document such as a final audit report. Consequently, the second challenge is writing the findings and recommendations in a report-worthy way.
Fortunately, or unfortunately, audit writing is formulaic. Its goal is to answer the questions: What were the audit objectives? What were the results? What does this mean to the organization? Finally, the audit report is an audit department’s product. In format and content, it should express the seriousness and focus with which the issues were identified and analyzed.
Here are some questions auditors should ask themselves when writing the report:
- Is it clear? – Are the ideas organized in a way that would persuade the reader to reach the same conclusions as the audit team and to make a sound decision regarding the issues and recommendations addressed? Does the report use language the reader can easily understand, which is free of the jargon or terminology not easily understood outside the area being reviewed?
- Is it concise? – Is the root cause clearly identified, with unnecessary details excluded and unnecessary words excluded?
- Is it correct? – Have you checked the accuracy of your information? Are spelling and grammar correct?
- Is it complete? – Are all pertinent facts included? Is the root cause identified and can the issue be quantified? Does the report contain all the information the reader needs to make informed, justifiable decisions?
- Is it appropriate in tone? – Is the content non-judgmental, balanced, and objective, and is the tone suitable for the reader’s needs?
In no way does formulaic writing translate into the long, ponderous or time-consuming variety. Clarity and brevity are required and will not only contribute to the quality of the report but also to the speed with which it can be delivered. Ironically, brevity is the product of effective editing. Mark Twain explained this paradox best when he said, “If I had more time, I would have written a shorter letter.” This means that auditors need to allocate adequate time to edit the report and find ways to express the concepts clearly and concisely.
The need for speed in the delivery of issue identification and recommendations in the form of a solid audit report is undeniable. Keep in mind that there are a number of steps you can take to speed up the delivery of your report and enhance its impact and usefulness.
For optimal results, choose a tactic and practice it during every audit. Be patient because it will take 12 – 18 months for the team to accept the tactic as normal and ordinary.
Ann M. Butera is President of The Whole Person Project, Inc., an organizational development consulting firm, which specializes in developing audit methodologies and teaching ways to audit for greater results. She serves on an audit committee for a private club. When she is not working with internal auditors, she can be found assisting managers in control self-assessments and Enterprise Risk Management initiatives. If you have specific questions or comments, please call Ann Butera at The Whole Person Project, Inc. (516) 354-3551 or e-mail her at [email protected] |