Standard 2400 Communicating results
The Standard states:
Internal auditors must communicate the results of engagements.
This is probably the most obvious and intuitive of all the standards where the title almost says it all. If internal audit does not communicate the results of its work effectively then it will find it incredibly difficult to demonstrate how it achieves its purpose for being to add value and contributes to the improvement of the organisation’s operations.
The standards do not specify the content, distribution, format, presentation, terminology of conclusions, or overall opinions; these remain within the gift of the Chief Internal Auditor (CIA) who is ultimately responsible for all internal audit work undertaken and conclusions reached. With this in mind the CIA should establish their own operating policies and procedures which are documented within the Internal Audit Manual (IAM).
The Manual should provide guidance for the internal audit team in the form of reporting format templates to support consistency, accepted writing styles (including terminology), establishing communication plans, handling sensitive information, distribution, escalation, handling of errors and external communications with bodies such as regulators (if applicable).
As with any aspect of internal audit practice needs may evolve and change over time.
When communicating engagements:
- The CIA should determine and agree a Communication Plan with the Board and Executive team; this should be reflected within the IAM and in less detail within the Internal Audit Charter. The Plan should consider the who, what and why of communications.
- Any grading systems relating to findings, recommendations or conclusions of individual assignments is within the gift of the CIA to agree with the Board and Executive as part of the Communication Plan; these should ideally be clearly defined to support understanding and consistency of application.
- Working papers should provide for the documentation and communication of results; including those which may be handled verbally and those which should be reported formally in writing. For clarity these can be collated into a single record of audit findings.
- Formal communication will occur at multiple stages of an engagement; including when agreeing the scope and objectives of the review, providing interim feedback on long reviews, providing preliminary findings at the end of a review and reporting of outcomes. Meetings at key stages of the audit process, will usually be considered ‘formal’ and as such minutes of these will provide evidence to support compliance with standards.
- Informal communications should be routine and frequent throughout the performance of an assignment; ensuring that auditees are kept informed of progress. By their nature these will not necessarily be evidenced but satisfaction with frequency and clarity of communication is often a key element of assignment feedback processes which will provide anecdotal evidence.
- Formal reporting should suitably reflect an assignment’s objectives and scope (including limitations to), stakeholder expectations, clear communication of results and any limitations relating to a report’s distribution and reliance upon it by other parties.
- Communications must be accurate, objective, clear, concise, constructive, complete and timely (see Standard 2420). This is consistent with the requirement for internal audit to perform its work with suitable independence and objectivity (see Standard 1100), and the need to document our work in a manner that would enable a prudent, informed person to reach the same conclusions. Therefore, evidenced by a clear Golden Thread between the working papers and reported outcomes with any amendments clearly documented.
- Responsibility for final communications rests with the CIA; the CIA should determine and oversee the quality assurance processes which they require to assure themselves that the communications fulfil the expectations of Standard 2420 above. It is good practice for the CIA to review all draft reports prior to their circulation. The CIA may delegate authority, however, they retain responsibility and therefore established internal delegation and approval processes should provide sufficient evidence.
- Issuing of draft reports facilitates an additional check of factual accuracy by those responsible for the audit area; before wider and final distribution. Draft distribution is also typically used as the opportunity to gain management responses to any findings and proposed recommendations; where these have not been agreed in advance.
- The CIA should ensure that any significant errors or omissions subsequently identified in communications are suitably communicated and corrected; the standards only talk of corrections in final communications, however, it would be good practice to correct any erroneous communication throughout the audit process. The reason for such corrections should be identified, lessons learnt, processes updated where relevant and disseminated across the audit team to reduce the likelihood of reoccurrence in future. When considering significance of an error, the CIA should consider issues such as whether it would change the results, expressed opinions or actions arising.
- There is no requirement to state whether audit work complies with the standards; however, if such a statement of conformity is made, this should be supported by the results of the function’s Quality Assurance and Improvement Program drawing on both internal and external assessment. Any restrictions placed upon the ability of the internal audit team to comply with professional standards, either within its own operations or encountered through restrictions upon its ability to perform its role should be communicated. Such issues will typically be handled through discussion with the Chief Executive as administrative reporting line and with Board as functional reporting line; such discussion should be timely and if necessary, handled as a one to one discussion rather than waiting for a scheduled meeting or ‘in camera’ session. Limitations upon the engagement should be reported within the respective audit report.
- The standards do not require that an overall annual opinion is provided; this is again within the gift of the CIA to agree with Board and Executive. The overall opinion is the professional judgement of the CIA and should be arrived at through consideration of all evidence available to them; including the conclusions of individual assignments and intelligence drawn from other sources. The CIA retains responsibility for the overall opinion, therefore it is important that they consider the level of reliance which can be placed on assurance beyond their own assignments (See Standard 2050).
- The annual report should summarise the CIA’s reasoning for the overall opinion reached; this opinion is usually framed in terms of an opinion over governance, risk management and internal control processes of the organisation, reflecting the definition of internal audit “…..It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
Core Evidence Demonstrating Compliance
- Internal Audit Manual – Communications Plan and Scheme of Delegation & Approval
- Record of Audit Findings
- Consistency between audit work & evidence as demonstrated by supervisory review
- Structured clearance of review points
- Limitations should be suitably escalated & reported for transparency
- CIA maintains responsibility for conclusions & opinions reached
- Audit Reports (Version Controlled)
- Audit Satisfaction Surveys
Reporting is very personal to the organisation and the CIA should work with Executive and Board to arrive at agreed formats, grading systems and protocol; these should be documented within the IAM or a separate Communications Plan. As with any aspect of internal audit practice needs may evolve and change over time.
The CIA retains responsibility for all reports issued; therefore, suitable supervision and quality control mechanisms should be in place to ensure that the Golden Thread exists between the underlying audit work and the end-product reports seen by the client. Version control and approval should be clearly evidenced.