An Internal Audit Opinion That Means Something
If the audit report says that there are significant weaknesses in the system of internal control, or that the level of risk is high, what does that mean?
Remember: an audit report is a communication. It conveys a message to our audience, our view of the condition of risks and the controls relied on by management to ensure they are at desired levels.
But, is the audit report written in ‘audit’ language? We, as auditors, know what it means but does the intended audience? Do they understand how it might impact their decisions in running the business?
That’s what is critical. There’s no point in a report that identifies a serious business problem if the message isn’t clear and management doesn’t ‘get it’. Where is the value of an audit if management doesn’t understand what you find and the necessary actions aren’t taken?
As is often the case, it doesn't matter what we intend to communicate if the receivers of the audit report, the executives and board members, don't receive the message we are trying to send.
So, what does it mean in terms of running the business if the controls are ‘not adequate’ or the risk is ‘high’? Should we leave that open to interpretation, or make it clear?
I suggest that context may be required. When you say ‘high risk’, explain what the risk is to. When you say controls are not adequate, explain what the potential adverse outcome could be — in business terms.
A story might help. About ten years ago, I started a new job as Vice President of Internal Audit for a global manufacturing company. The previous CAE was in the process of moving into corporate finance, so we had a couple of weeks of transition.
My first task was to help close an audit report on a factory in China. I reviewed the draft and liked the summary page. It had a table that took each of the major areas of the factory’s business and gave them a risk rating, linking to the number and severity of the related findings. But I didn’t like the results: everything was colored red, meaning that every area was rated as high risk with multiple significant control deficiencies.
I called the audit director in Singapore and we had a short conversation, somewhat along these lines:
Norman: “Audrey, what does this audit report mean? What should the leadership in Asia and at corporate understand from this report?”
Audrey: “Norman, the controls are poor, management is not well-trained, and the risks are high. A lot of work is needed to correct the issues we found.”
Norman: “Yes, but what does that mean in terms of how the business should be run? What do you want management to do?”
Audrey: “What do you mean?”
Norman: “Imagine you get on an elevator on the 3rd floor of our HQ building in Singapore and see the Asia President. He asks about the audit of the China factory and you have until you reach the ground floor to tell him. What does he need to understand?”
Audrey: “Can I call you back tomorrow?”
The next day, she told me what she would tell the executive: “The processes at the factory are not sufficient to support the planned expansion of the business. If you went ahead, there would be high risk relative to manufacturing quality and other critical aspects of the business.”
Brilliant! This is a meaningful and actionable communication.
How does this translate to a typical audit report? I suggest the following:
- When you assess the condition of the internal controls, do so in terms of the risk to achieving strategies, goals, and objectives.
- Consider whether the risk is to local objectives, which can be handled locally, or to corporate objectives where action and attention from corporate management is required. Make sure your report is clear on who needs to be paying attention.
- Think about what actions you want taken — not in terms of correcting deficiencies, but whether strategies, etc. should be changed. Who needs to take action and who needs to be watching to make sure it happens? Who owns the risk, the strategy?
- Put yourself in management’s shoes, and consider both risk and reward. What is the cost of correcting the deficiencies and is it justified, given the cost and the potential for reward?
- When you write your report and present your opinion, use the language of your audience. Express the result in terms that have meaning for them and talk about risks to strategies and objectives. Explain potential losses or other negative outcomes that might result. Don’t limit yourself to talking about security vulnerabilities (audit speak) when you can talk about the loss of confidential information and how that could either lead to compliance issues or a competitor gaining advantage (business speak).
I welcome your comments.
Posted on May 24, 2011 by Norman Marks
The internal audit risks need to be defined as control risks in: 1) financial controls; 2) business risks in a) products and b) processes; 3) strategic risks; and, 4) customer risk in terms of potential impact on the customer.
1) and 2b) are primarily internal in nature and might have lesser related impact on shareholders.
2a), 3), and 4) have potentially major risks to shareholders and customers alike and potentially have long-lasting reputational risks. These, obviously, need the most immediate attention by Management and the Board Audit Committee.