Wasting time with audit reports
Richard Chambers has returned to the topic of audit reports in 5 Strategies For More Timely Internal Audit Reports.
I agree with much of what he has to say, especially this:
…it can sometimes take as long to issue a report as it took to perform the audit!
This is a major problem, a total waste of scarce and valuable time.
There is never enough time to complete audits of all the issues and areas where there is a risk to the enterprise. The idea that we are wasting time writing and re-writing audit reports should turn everybody’s stomach.
Richard has some good ideas. His five strategies are:
- Share internal audit results with client “as you go”.
- Eliminate or reduce levels of review.
- Use team editing or report conferencing.
- Use automated working papers’ report-writing features.
- Streamline the report format.
That last strategy is, in many ways, the most telling. To quote Richard again:
Internal audit departments that have successfully reduced their reports’ cycle time generally produce leaner audit reports, which makes them not only easy to edit but easy to read. The shorter a report is, the less time it typically takes to write and edit. Complexity can also slow the review process, so generally speaking, simpler is better, too. And reaching consensus with clients can become onerous with longer reports, so streamlining formats pay dividends throughout the process. I have on occasion seen internal audit reports that exceeded 100 pages. I am convinced reports that long are not read in their entirety by all of those who were likely to benefit from the information. It’s always tempting to include more detail in an internal audit report than the minimum needed to make your point, but my advice to new auditors is to tell your story clearly and succinctly. There’s nothing worse than working hard and coming up with a good report that people then ignore. Think of it this way—the longer your report, the less likely it will be read by those in a position to take action on your recommendations.
I have also seen audit reports that are so long that they needed a table of contents to tell readers that the executive summary is on page 8.
Craziness.
How can you expect anybody to take time from running the business to read anything more than a page or two?
Yes, you can say that it is their job, and they need to. But do they really need to read an audit report?
That is the real question.
Why should anybody read an audit report?
Put a more meaningful way:
What will a leader learn from an audit report that will help them run the business?
Too often, auditors write for themselves, for history, rather than for their customers in top management and on the board.
As a reminder, I have written about audit reports twice recently:
The inherent problem with (some) audit reports
We need to put ourselves in the shoes of our customers and consider the issue from their point of view.
1, Members of the audit committee of the board (or owners)
Our primary customers, the people to whom we report, need answers to these questions:
- Is there a problem I need to know about, because it might affect the performance of the organization as a whole?
- If so, what is it, how would affect the organization, what is being done, do I need to worry?
- Can I rely on management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?
If there is nothing for them to be concerned with, why aren’t we telling them that in half a page or less?
2. Members of top management
Their needs are very similar to those of the audit committee members. The only difference is that they may (emphasis on ‘may’) be concerned with matters of less significance.
The questions they need answers to would be:
- Is there a problem I need to know about, because it might affect the performance of my team or the organization as a whole?
- If so, what is it, how would affect my area or the organization, what is being done, do I need to worry?
- Can I rely on my team or other members of management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?
3. Members of operating management
The first inclination might be to assume they need to know everything. But do they?
The audit team should have been not only sharing their observations as they go (as Richard points out in his first strategy) but discussing them with management and agreeing on the facts, whether they represent a risk to the organization, whether the risk should be taken, and what action (if any) should be taken.
If that is the case, then where is the value in documenting what has already been agreed?
The problem may lie in the fact that many auditors will tell management what they have found, but don’t stay longer and engage in sharing with them to agree on actions.
I recommend communicating (and that is two-way) as you go and confirming the results in an email each time.
Now ask where the value is in a long report.
It may lie in confirming all the details discussed earlier (one line per issue) and then talking about what it all means when taken together.
What is the overall opinion, and what does it mean in terms of the ability of the area to achieve its objectives?
It may well be that even operating management only needs a page or two in a formal report at the end of the audit.
Conclusion
Let’s not do anything, especially anything that consumes a lot of our scarce and valuable resources, on work that has little or no value to our customers.
Speed is not the issue that it may seem: why tell them what they don’t need to know faster?
The IIA’s Standards do not require a formal audit report. Instead, they require that the auditor communicate the results of the engagement.
I would change the Standards to instruct the auditors to:
Communicate to those who need to know, what they need to know, when they need to know about the results of the engagement and what they mean to them, to the organization, and to its success.
Why do we do more?
I welcome your comments.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I agree. I often reminded my staff that they were reporting on an audit, not an autopsy.
Writing short audit reports on the most important issues for the organisation is very difficult; those who claim otherwise either don’t focus on what matters or poorly communicate their findings. When you are onto very strategic findings, timing is important but doesn’t mean as soon as possible; you have to communicate at the right moment to the right people.
Yes, but communication in writing is not nearly as effective as doing so in person, even on Zoom.
I always made sure I had face time when the issues were either complex, important, or both.
Great comments! I think audit reports come from good ol’ CYA and because we auditors are evidence gatherers. I think we try to set the example for creating evidence that something has been done. Prior to the acquisition of a company I worked for, the team was in the process of developing a workpaper to record all issues and results of managment discussions and whether the item would result in an audit finding. I think that would have been a great tool to allow for the aggregation of results in reports and also allow for remediation follow up. I would be curious to know if others do something like that. We all know reports need to be changed, and we keep from dictating a standard for internal auditing, but it would be interesting to see some best practice 2 page audit reports.
Judy, I have some examples and suggestions in my books.
One page with an attachment of one page.
CONFIDENTIAL
Audit of Executive Expenses – 2005
22 February 2006, by Dr. Peter W. Schlesiona, CFE
Purpose and Scope:
The purpose of this audit was to assess compliance with the Maxtor Travel Policy by the senior corporate executives. Included in this audit were all executives, Senior Vice President and above. Also included were the administrative assistants who provide direct support to these executives. Travel and expense documents reviewed included all claims processed in 2005. Since some expenses were actually incurred in 2004, the audit period was roughly 12 months, from November 2004 to October 2005.
Conclusion
With some exceptions, we found general compliance with the Company’s Travel and Expense policy. However, the following merit executive attention:
On occasion, entertainment expenses appeared excessive, with costs per person (based on the reported number attending) ranging from $70 to $282.
There was inconsistent compliance with IRS requirements for the reporting of business entertainment expense. Accounts Payable will monitor this more closely in the future. There were also five situations where the reimbursement of employee expenses should have been included in taxable income to the executive, but was not.
In a few areas, specific requirements of the Travel policy are not adhered to – and it appears this is because the policy is not correct. Examples include the use of car services for travel to/from the airport on domestic trips (not permitted under the policy but a common practice by executives ) and the consumption of alcoholic beverages (executives have charged drinks as part of a meal as well as separately: before or after the meal)
The actions of executive management are a considerable influence on the actions of other management and employees. We suggest continued attention to this issue, to ensure the Company’s management and employees remain appropriately cost-conscious.
Distribution:
Audit Committee W. Sweeney
N. Bush D. Williams
J. Klinestiver
N. Marks M. Wingert
C.S. Park PwC
Attachment
Detailed Findings:
1. The policy requires the use of the company’s American Express card. The Company receives a benefit from such use, although spending on the card has not always been sufficient to obtain available rebates.
We found executives did not consistently comply with this policy. One executive, for example, used his personal credit card (or cash for minor expenses) for all expenditures ($26,646.00) other than pre-paid airfare. For all persons included in this review, the total charged to personal credit cards was $56,189.
2. Maxtor’s policies do not provide adequate specificity with regard to a number of expense categories, notably expenses for cellular phones, business meals and entertainment, and meals/entertainment where all attendees are Maxtor employees.
3. Guidelines regarding employee-only meals/entertainment define only who should pay for and report charges when two or more employees dine together. No further guidance is provided regarding reasonable limitations on such expenses or a definition of “entertainment” as it applies to employee-only events. We noted 32 employee-only events ($16,037 total) where the cost was in excess of $70 per person.
4. During the period, there were approximately 178 employee-only events, amounting to $54,447. Most were reported as “Business Meals” or “Business Entertainment”, in apparent deviation from IRS rules: such events can only be so described when they are attended by customers and/or vendors.
5. IRS rules for business entertainment expense are inconsistently followed. In addition to the issue of reporting as business entertainment expenses involving only employees, reports do not always provide the required description of the “business discussion” held with the customer/vendor.
6. Travel rules require that the business purpose be stated on the expense claim. In general, the audit found the information in the business purpose field to be simply a destination.
7. Expenses are required to be claimed within 60 days of the travel end date. While we noted general compliance with this requirement, exceptions were frequent and often of a nature that required substantial, and otherwise unnecessary, reconciliation time on the part of Accounts Payable.
8. Coordination between Accounts Payable and Payroll was found to be inadequate with regard to proper tax treatment of reimbursable personal expenses. We noted 5 instances where an employee’s taxable gross income should have been adjusted for approved personal expenses. In all 5 instances, the information had not been passed on to Payroll by Accounts Payable until identified in this audit.
Hi Norman. I would have included in the conclusion an opinion as the whether management had taken action to address the findings.
As an executive, I would want to know: if the objectives of the business are being met and, when they are not, that action been taken to ensure they will be in the future.
I think auditors, in general, tend to justify their “value” by writing long audit reports to impress the readers. Personally, I totally agree that the value of audit should be measured by the positive change to the organization resulted from the immediate action of implementing the audit recommendations!
Agree, but there is huge value in assurance that leaders can reply on controls and security to manage risks.