Five Proven Strategies for More Timely Audit Reports

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 

In his iconic book Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing, author Lawrence Sawyer observes that, “Few sources of friction within the auditing department exceed that caused by the process of report writing. The most brilliant of analyses and the most productive of audit findings seem to be forgotten during the trauma of report writing.” I have often thought that truer words have never been written.

As a young internal auditor, I learned early on how time-consuming and frustrating it could be to write an effective audit report. No matter how well I thought I had captured the results of the audit, the audit team leader would inevitably rewrite much of what I had written. To make matters worse, the chief audit executive (CAE) then would rewrite substantial portions yet again. As my career progressed, I later found myself fulfilling the roles of team leader and CAE that I had so vilified earlier in my career as the culprits who rewrote my reports and undermined their timeliness. I must confess that I found myself rewriting reports and perpetuating the age-old tradition of changing “happy to glad.”

The impediments to timeliness of audit reports are not limited to the players in the internal audit function. As most internal auditors have experienced, the release of an initial draft often is only the beginning of the timeliness challenge. The draft report frequently is received with a resounding thud by those whose areas of responsibility were the subject of the audit. Thus begins the negotiation process and give-and-take over the draft report that may add weeks to publishing a final report. The end result is that writing an audit report often can take as long as it did to conduct the actual audit itself.

Over the past decade, I have worked with numerous audit departments that have tackled the audit report timeliness challenge. Many of them have achieved enviable results in reducing the audit report “cycle time.” From my experience, there are at least five strategies that (if deployed effectively) can substantially reduce the amount of time it takes to report audit results:

  • Share internal audit results with client “as you go” — Much of the “push back” from audited activity management in response to draft reports often comes from the “shock effect” of seeing all of the audit results at once. Regular communications with clients during the audit — including sharing draft findings and recommendations in writing — can go a long way toward fostering a positive reaction when the full draft report is presented for comment.
  • Eliminate or reduce levels of review — Multiple levels of review within the internal audit department are often a major contributor to delays in audit reporting. Streamlining the review process and reducing the number of reviewers can be very effective in speeding up the reporting process.
  • Use team writing or report conferencing — Bringing the audit team together with those who will edit or review the draft report for a single editing session can reduce report cycle time dramatically. It affords the audit team and upper levels of supervision the opportunity to discuss the draft report and proposed changes without the endless back-and-forth that often takes place during the editing process. Report conferencing takes team editing one step further, and includes the client or audited activity management.
  • Use automated working papers’ report-writing features — Commercially available audit management systems often include features in which extracts from the electronic working papers are automatically imported into a draft report template. In such cases, the draft audit report virtually writes itself. This can generate major efficiencies in the report-writing process.
  • Streamline the report format — The shorter an audit report is, the less time it typically takes to edit. Internal audit departments that have been successful in reducing report cycle time generally produce lean audit reports that are not only easy to edit, but in turn easy to read. Long and laborious background sections or extensive discussion of audit scope and methodology are the first place to look when streamlining internal audit reports.

There are no quick solutions or easy answers to the age-old challenge of audit report timeliness. However, from my experience, internal audit departments that recognize they have a timeliness challenge and seek to reduce cycle time can make an impact. The strategies outlined above have worked in numerous organizations around the world. I would be interested in hearing from you about any additional strategies for success.

 

Posted on Feb 6, 2012 by Richard Chambers

Share This Article:    

  1. thanksssssssssssssss
  1. Nice piece,  My CAE lengthen our turn around cycle by wasting time on changing "is" and "was" to the extend of changing the actual content of the report.

    His obsession with perfecting the language other than the susstance often led to sending a belated report to the management.

  1. I agree with much in this post. It is, of course, a good thing for audit reports to be published on a timely basis. The strategies above are in my view not proven and not always helpful.  

    First audit reports and internal auditing needs, in my view, to be more 'meaningful'. By this I mean that the analysis and commentary of risks contained in an audit report need to be more nuanced and 'real' to those managing those risks. If an internal audit function is focusing its resource on strategic and more significant risks, it is more likely that this will involve considering complex, cross cutting, and difficult to assess, risks. An internal report commenting on strategic risks needs to be therefore less 'digital', binary and simplistic and more nuanced, with contextual commentary and analysis, and more analogue. Internal audit at a strategic level is more of an art rather than a science, just as management at this level is. 

    On report review point, I believe reviews can only enhance an audit report. I have never felt another point of view and challenge to my thoughts has reduced the final quality of the output, even where I have not agreed and retained my analysis. 

    I agree that Dickensian prose and nitpicking reviews add little (who wouldn't). But this modern obsession with making the complex so simple that it is reduced to 'one liners' and traffic light symbols  belies reality and does not really reduce risk and enhance risk handling. 

    An audit report is in my view an argument (in the academic sense) and should present a coherent narrative and analysis. There is also an arguement, for the most strategic reviews, for the audit report to be 'digested' over time. Change done once, and fully, can enhance risk handling and outcomes for both the auditor and the client. 

  1. Hi, Thank you four your nice writting on Five Proven Strategies for More Timely Audit Reports Thanks.
  1. Richard, I agree 100%. I've been fortunate in that I've successfully implemented all 5 of your examples in my shop. As a result, historically over the last seven years, we' ve spent about 14% of our FTE effort on the draft report, and about 6% of our FTE effort on preparing the final report for publication. For a typical audit completed in 60 FTE days (480 hrs), that translates to an average of about 8 weekdays (64 FTE hours) to get the draft ready, and an average of about 4 weekdays (32 FTE hours) to publish the final report to the user community. Those time frames include providing the client manager and congizent executive with a copy of the draft prior to release of the final report. Because of our approach to internal auditing, we rarely have had any disagreements on the issues, th risks, the possible solutions, or the language of the rerports.

    I won't say I've never needed to line edit, but it's rare for me to do that. IMO, line editing doesn't go a long way toward improving an author's writing skills. If I think an issue hasn't been presented well enough, I will either make a comment to that effect with some general suggestions and let the author run with it, or if the matter is particularly complex, the author and I talk it through until clarity emerges. All of that takes place during the drafting phase.

  1. This is helpful information.  More often than not, report timeliness is delayed by the auditee, let alone by the internal review process.  I'd like to add the following:

    - Share audit results as you go is correct - there should be no surprises.  Gain agreement on the facts right away.  Present your materials and agree what the finding IS.  Propose your recommendation and request a response.  Outline this procedure at the kick-off; set the expectation  up front.

    - Set departmental standards and expectations - for example: should the report to be written is current tense or past tense? Are you writing the report for the auditee or the audit committee? Deadlines to develop, review and distribute reports is mandatory.  Train your auditors as to what is expected by the CAE.

    - Audit findings should address the following points: what is the current state; what should be in place; state the risk of non-compliance (so what?).  Keep the wording succinct and factual.  Having the auditee help with the recommendation can reduce the churn if the finding is controversial. 

    - Deadlines should be set: for example, draft report issued X week(s) after fieldwork is complete; X week(s) for management response; final report date.  The audit committee can help this by instituting these standards in policy.

    - Follow up with auditee.  Stay on top of progress and request responses; provide assistance in obtaining their response.

    - Final point: there should be nothing in the report that management cannot disagree with - did I mention no surprises?

    Cheers!

     

  1. I have to wonder aloud about audit report writing standards and the need for "all" audit reports to be letter perfect as if for formal publishing. Does the effort expended to get it there (those final two reviews, the exetra 20% of the effort) meet the needs of ALL our customers, or is this article broad-brushing a bit?

    I have worked at federal, city and county level, and think that there are times when a report needs to be "that perfect" (state level external report, federal external agency, etc) but for many customers (most cities and counties) the most important thing to them is "what do I need to do?" Simplified bullet lists and color coded indicators may be exactly what they need - and what they are willing to pay for. In a world of rapid prototyping and successive approximation I wonder if we should consider adapting in this area....

     

  1. Addressing Tom's comment - yes, audit reports do have to be letter perfect when (as is the case for our audit shop) you are writing reports that will be released into the public domain.  The media will very quickly identify any poor grammar, typos etc ina  report, and comment on them.  The general public reader will also need an introduction to the topic being audited, and some context setting, as well as findings - a list of bullets and colour coding will be incomprehensible.

  1. Liz,

    Most rewrites I see in agencies are not to correct basic spelling and grammar (Word does that well) but wordsmithing and restating.  I agree with basic spelling and grammar needing to be correct. Its the other 85% of the rewrites I am addressing. 

    I have worked with many folks doing management analysis that they present to governments at every level,  and the customer nearly always overlooks minor misspellings and errors to stay on point with the focus of the report. We can't seem to see that in the audit world yet.

    Is there any research at all that backs up the notion that reports need to be "perfect" or it will be rejected or lose value materially?  Just sayin'...

  1. Our current timliness challenge is that we are servicing interstate offices.  It is easier for the recipient managers to temporarily ignore the report and delay its finalisation by not answering the phone and not responding to email.  Rather than if they are in the same location and you physically see them in the hall.  I'd be interested if anyone has any strategies to address this challenge?

    Thanks

  1. I could not agree more with these comments.  I believe “share as you go” is the one of the best.  Creating and keeping an open line of communication early definitely helps in the long run.  Thank you for providing this content. 

  1. As the CAE, I personally write the audit reports and let the individuals who perform the audit review it.  This helps me understand the nature of the issues in order to summarize them for senior leadership and the Audit Committee.

    Also, nothing goes into the report until it is validated by the process owner, which we do as the audit progresses.  Fieldwork is not considered complete until each audit step is validated.

  1.  All good stuff 

    Taking a lean auditing perspective (see the linked in lean auditing sub-group):

    Ensure that your audit report only contains commentary that is really valued by key stakeholders ~ this will tell you what you can be cut out that your key stakeholders wont worry about.. 

    Concentrate on findings around key risks and key controls, not everything ~ truly minor points should be separately logged and not require a formal response .. And ask yourself ~ if lots of minor points are regularly being found whether i) root causes are being properly drawn out and ii) whether the audit is focusing enough on the big issues (its probably not a sign of adding value and being focussed on resourse utilisation to be raising lots of minor points)

    Avoid repeating "the same old" ~ if the scope has already been issued and agreed ask yourself why it is being included again? Sometimes it reopens questions about whether findings are in scope when that should not be under debate! If you are including standard terms and definitions, consider posting these on a company inttranet and referring to that, rather than repeating them in every report

    Take care about i) who is writing the recommendations and ii) management responses ~ of course IA needs to document findings, but be careful about the added value of IA carefully crafting recommendations and inviting management comments ..

    Instead aim for: Agreed management actions and try to do most of what is needed by discussion/TCs/meetings..

    In my opinion: Trading documents with marked up amendments and corrections is NOT a sign of adding value (on either side) and DOES NOT reflect a good relationship between IA and the organisation.. If your IA team is doing this ask yourself whether this is really helping to build a good controls culture and respect for IA in your organisation? 

  1. Would I be too bold to suggest to CAEs not to make recommendations and to focus on factual findings and appropriate action plans developed and adopted by management while having IA to make sure these plans would truly remedy/address the issues and risks at stake... And if not, CAEs would state in their report that these action plans are unacceptable....

    Most of the time, internal auditors and management agree on factual findings and where a lot of time is lost is during the discussing process preceding the issuance of the audit reports. Who is the best placed to address an issue: management or the internal auditors...

    For sure, I must be too bold...

     

    Denis

     

Leave a Reply