This is so stakeholders can gain assurance over the effective management of risk and are aware of any relevant material concerns we may have.

Principles and approach

Identify your key stakeholders and their assurance requirements

The audit committee may require the following information:

  • internal audit's opinion;
  • assurance statements by risk, department, or process as required;
  • issue clearance information;
  • issue acceptance information;
  • evidence as to the efficiency and effectiveness of internal audit;
  • other information required by the International Standards for the Professional Practice of Internal Auditing; and
  • information to support them in achieving their objectives or in complying with guidance on corporate governance.

Other stakeholders could include:

  • divisional senior management;
  • senior management in risk, compliance and the other second line of defence areas;
  • regulators;
  • external audit; and
  • pension fund trustees if applicable.

Frequency of reporting

Agree the frequency of reporting and the format. Most organisations produce an annual report from internal audit to the audit committee. In large organisations, there are likely to be quarterly updates and a larger half year report. Some organisations report on critical issues every month. Bear in mind the need to balance narrative and statistical/graphical reporting.

Provide context within written reports. Things aren’t always black and white and additional information will provide the reader with a full picture as to why controls/processes require strengthening. Aspects to consider include:

  • the economic, regulatory and political environment;
  • competitor behaviour and risk issues;
  • the market environment;
  • material organisational changes, including over governance, funding, structure, risk appetite and exposure, products and services, customer base, processes and IT, resources, etc;
  • trends within your audit information ie control is improving or deteriorating, issue clearance is getting better or worse; and
  • that assurance reports should be based on fact and evidence to support your opinion.

Ensure you have adequate control over the quality of your written reports and the management information (MI) that supports them.

Hints and tips

Multiple-choice questions