An Internal Audit Opinion That Means Something

If the audit report says that there are significant weaknesses in the system of internal control, or that the level of risk is high, what does that mean?

Remember: an audit report is a communication. It conveys a message to our audience, our view of the condition of risks and the controls relied on by management to ensure they are at desired levels.

But, is the audit report written in ‘audit’ language? We, as auditors, know what it means but does the intended audience? Do they understand how it might impact their decisions in running the business?

That’s what is critical. There’s no point in a report that identifies a serious business problem if the message isn’t clear and management doesn’t ‘get it’. Where is the value of an audit if management doesn’t understand what you find and the necessary actions aren’t taken?

As is often the case, it doesn’t matter what we intend to communicate if the receiver of the audit report, the executive and board member, don’t receive the message you are trying to send.

So, what does it mean in terms of running the business if the controls are ‘not adequate’ or the risk is ‘high’? Should we leave that open to interpretation, or make it clear?

I suggest that context may be required. When you say ‘high risk’, explain what the risk is to. When you say controls are not adequate, explain what the potential adverse outcome could be — in business terms.

A story might help. About ten years ago, I started a new job as Vice President of Internal Audit for a global manufacturing company. The previous CAE was in the process of moving into corporate finance, so we had a couple of weeks of transition.

My first task was to help close an audit report on a factory in China. I reviewed the draft and liked the summary page. It had a table that took each of the major areas of the factory’s business and gave them a risk rating, linking to the number and severity of the related findings. But I didn’t like the results: everything was colored red, meaning that every area was rated as high risk with multiple significant control deficiencies.

I called the audit director in Singapore and we had a short conversation, somewhat along these lines:

Norman: “Audrey, what does this audit report mean? What should the leadership in Asia and at corporate understand from this report?”

Audrey: “Norman, the controls are poor, management is not well-trained, and the risks are high. A lot of work is needed to correct the issues we found.”

Norman: “Yes, but what does that mean in terms of how the business should be run? What do you want management to do?”

Audrey: “What do you mean?”

Norman: “Imagine you get on an elevator on the 3rd floor of our HQ building in Singapore and see the Asia President. He asks about the audit of the China factory and you have until you reach the ground floor to tell him. What does he need to understand?”

Audrey: “Can I call you back tomorrow?”

The next day, she told me what she would tell the executive: “The processes at the factory are not sufficient to support the planned expansion of the business. If you went ahead, there would be high risk relative to manufacturing quality and other critical aspects of the business.”

Brilliant! This is a meaningful and actionable communication.

How does this translate to a typical audit report? I suggest the following:

  1. When you assess the condition of the internal controls, do so in terms of the risk to achieving strategies, goals, and objectives.
  2. Consider whether the risk is to local objectives, which can be handled locally, or to corporate objectives where action and attention from corporate management is required. Make sure your report is clear on who needs to be paying attention.
  3. Think about what actions you want taken — not in terms of correcting deficiencies, but whether strategies, etc. should be changed. Who needs to take action and who needs to be watching to make sure it happens? Who owns the risk, the strategy?
  4. Put yourself in management’s shoes, and consider both risk and reward. What is the cost of correcting the deficiencies and is it justified, given the cost and the potential for reward?
  5. When you write your report and present your opinion, use the language of your audience. Express the result in terms that have meaning for them and talk about risks to strategies and objectives. Explain potential losses or other negative outcomes that might result. Don’t limit yourself to talking about security vulnerabilities (audit speak) when you can talk about the loss of confidential information and how that could either lead to compliance issues or a competitor gaining advantage (business speak).

I welcome your comments.

Posted on May 24, 2011 by Norman Marks

Share This Article:    

  1. The internal audit risks need to be defined as control risks in: 1) financial controls; 2) business risks in a) products and b) processes; 3) strategic risks; and, 4) customer risk in terms of potential impact on the customer.

    I) and 2b) are primarily internal in nature and might have lesser related impact on shareholders.

    2a), 3), and 4) have potentially major risks to shareholders and customers alike and potentially have long-lasting reputational risks. These, obviously need the most immediate attention by Management and teh Board Audit Committee. 

  1. Ken, my point is that talking about control risks is audit language. We need to get on the same communication level as management. They are worried about strategies and performance. Why talk about controls when you can talk about how there is risk to the achievement of strategies? 

  1. I like your discussion, in my point is audit not goal same is no order come and my employee no have a job's.
  1. Norman, I totally agree with what you said in your article. Auditors have to use languages that management can understands. In one of my audit summary I wrote "the plan was effective". My manager asked me what do I mean by "effective" and I had to explain to him. 

    In writing your audit report do you think when you assess the condition of the internal controls to be adequate or effective, we should highlight some of the areas in the audit report? This might cause the report to be a bit long.

    What do you think?

  1. Communication is an art and the art of writing a finding so that readers understand why they should care about the finding and why it is important to correct it goes beyond diagramming five simple elements. It is amazing how auditors that are excellent verbal communicators can be so ineffective when it is time to draft the written version of the finding! It seems even more difficult to summarize findings into an executive summary format!
  1. Dear Norman

    This is a very informative article which you have written and I found it of great guidance for me. In your article you have mentioned a summary containing risk ratings, but does it not contradict with your basic concept? Reader of the report needs to be familiar with this lengthy table containing complex sets of risks copulated and presented in numbers? Further more, risks involved specially in operational aspects and there out comes are not always leading to a direct financial impact, rather a compliance issue or deviation from inter company policy matter which is hard to categorise and if inserted in table the nomenclature of the table is far from memorising.

    Would it not be better if the (indirect) financial impact is calculated and presented in descending order rather devising a risk rating table. Please inform me of your views.

    Best Wishes      

  1. Dear Taha,

    What I advocate is a concise summary, perhaps a paragraph at most, that gets the overall assessment across in business language. Some managers will want more detailed information and that can be provided later in the document and include risk ratings, etc. My expectation is that the top executives and the board members will read as far as they need and stop.

    - If things are in good shape, top executives and the board will read that, understand, and move on to another task. They will not read further unless they have a particular interest in the topic.

    - If things are not so good, top executives and the board will read that and then go further if they need - to understand the issues they need to worry about and what actions will be taken. They won't read further.

    - Operating management will read further, understanding how areas under their responsibility are doing and what actions they need to take, or need to make sure are taken.

    Does that make sense?

    Norman

  1. In fact Internal Auditor should be capable to identify the risk associated with the business for not having the control in place. Importantly when the control lapses is raised IA should think from the Auditee's point of view for remediation. I strongly belive that value addition from IA lies with the remediation not on highlighting the controp gaps. 

Leave a Reply