A brief guide to assignment reporting
You’ll report to stakeholders with your opinion on the effectiveness of the controls in place to manage risk, a balanced overview of key effective controls and to agree on actions that will address the key issues.
A ‘no surprises’ approach to continuous communication should be adopted throughout assignments. This open communication will build professional relationships and assist the internal auditor in assuring themselves as to the validity of their findings.
At the end of the audit a formal feedback meeting should also be held with the agreed stakeholders from the assignment planning stage. At this time, a balanced overview should be communicated to provide a complete picture of the audit work undertaken, results of the audit and discuss any issues openly to ensure:
- there are no surprises
- clarify the facts
- avoid misunderstandings
- influence management in respect of what action is required to address risk exposure
- discuss and possibly agree corrective actions at this time
Internal audit report to a range of stakeholders with their opinion on the effectiveness of the controls in place to manage risk, a balanced overview of key effective controls and the agreed upon actions to address any areas of improvement identified from the audit.
The reporting format should balance the differing needs of stakeholders. A departmental template for written reports, guidance and training should be in place.
In-house guidance and training should cover both verbal and written reporting, influencing skills, dealing with conflict and how to write effective audit reports. The department should continually improve reporting and seek to meet the needs of all stakeholders, from local to senior management and the audit committee.
Reports generally include an executive summary (to meet the needs of audit committee and senior management) and a detailed findings section (to meet the needs of local management) including the issue detail, evidence, the associated risk and agreed actions with dates and responsibility.
The executive summary should provide a balanced overview enabling senior management and the audit committee to quickly understand why you’ve reached your opinion. It should be in context and include the key risks, key effective controls and key weaknesses identified.
Internal audit needs to provide sufficient context within written reports and importantly remember to write to its audience. The audit committee members may not be fully aware of technical jargon or sector specific terms. Where it is not possible to avoid such language then a glossary may prove beneficial.
It is important to make clear any limitations to the scope of the work as agreed during the assignment planning stage and which may have subsequently arisen during performance of the assignment.
Issues aren’t always black and white and additional information will provide the reader with a full picture as to why controls / processes require strengthening. Aspects to consider include:
- the economic, regulatory and political environment
- competitor behaviour and risk issues
- the market environment
- material organisational changes
- trends highlighted by audit intelligence, eg improving or deteriorating controls or clearance of issues
- all reports should be based on fact and evidence
However, you must balance the above with brevity and focus as otherwise important messages can be lost. The auditor should also balance narrative and statistical / graphical reporting to communicate their message in the most effective manner.
Within the detailed findings section the most material issues should be reported first.
It may be appropriate to group findings together to reduce the overall number of actions for reporting purposes. If doing so, you should consider if findings have the same root cause, the same impact or the same source. For example, do they relate to not evidencing control, imply that data is insecure or all relate to the same team or manager?
There are a variety of views on arriving at the agreed actions presented within reports. In general these are:
- The internal auditor makes recommendations, based upon their understanding, which management then consider and respond to, either accepting or proposing an alternative.
- The internal auditor does not make any recommendation, instead they just present the finding and risk, which management then state how they will address it.
- The two parties discuss the findings and risks identified, exchanging professional views and documenting this within the report, which management then confirm acceptance of.
The key is to agree a protocol that works for your organisation. Whatever approach is adopted, it is important that everyone understands that the agreed actions must be owned by management. It is not internal audit’s responsibility to implement the identified improvements.
Internal audit should agree with the organisation what level of management can agree actions. Relevant factors will include the seriousness of the issue and the length of time the action will remain open, and also who can approve the acceptance of risk and how this should be documented for clear communication to audit committee.
The focus for audit committee should be upon acceptance of issues within the report and what management are going to do to put it right. Avoid excuses.
Audit opinions and issue ratings (if used) should be defined and communicated as an appendix to the audit report. Changes to the grading methodology should be discussed with audit committee and senior management to ensure that they reflect the views of the business and align with wider risk management processes wherever possible.
Audit progress reports should also include quantitative and qualitative information surrounding the performance of the audit function, particular reporting against any protocol, and key performance indicators within the approved IA charter.
Frequency of reporting
Frequency of reporting at an individual assignment level will be driven by the completion of audits. It is important to issue reports in a timely manner to ensure the results of the audit are communicated whilst the feedback meeting is still fresh in participants' minds and to ensure timely resolution of issues identified.
The CAE should agree the frequency of other reporting and the format of that reporting with audit committee and senior management.
Audit committee should receive a CAE annual internal audit report and opinion. However, most as a minimum will also desire regular progress reporting against the annual plan and sight of any reports which have resulted in a negative opinion and therefore have early sight of issues that impact upon the annual assurance provided.
Depending upon the size of the audit plan, the audit committee may receive copies of all reports in the same manner as management, or a summarised progress report from which they can then choose to dive into the detail of individual reports should they so wish.
Frequency of reporting is likely to reflect the number of audit committees per annum. Typically these occur quarterly.
Some organisations will report upon critical issues every month.
Annual internal audit report and opinion
The annual report should reflect upon the work performed over the year and provide overall opinion in respect of risk management, corporate governance and internal control.
This should be based upon the internal audit work performed during the year, knowledge and consideration of other assurance work, and management’s progress, commitment and ability to implement recommendations and complete required actions on a timely basis.
This report should also highlight significant risk exposures and control issues, including fraud risks, governance issues, and other matters requested by senior management and audit committee.
IIA IPPF Standard 2060 – reporting to senior management and the board
IIA IPPF Standard 2400 – communicating results
IIA IPPF Standard 2600 – acceptance of risk