VIEWpoint Issue 1 | 2022
Brief Insights | Meeting Provider Relief Fund Reporting Requireme...
VIEWpoint Issue 2 | 2021
2022 Q4 Tax Calendar: Key Deadlines for Businesses and Other Empl...
Ask the Advisor: Key Tax Incentive Changes
Weathering the Storm of Rising Inflation
A significant amount of time is committed to any internal audit. Scheduling, planning, information requests, questionnaires, walk-throughs, interviewing, testing and documenting are all part of the audit process. Yet, even though 90 percent of the hours are allocated to these aspects of the audit, the main thing, and sometimes the only thing, the stakeholders will remember is the communication of the results. The way findings and observations are communicated written and verbally by the auditor will impact the perceived quality and value of the audit.
Effective communication of audit results helps foster a constructive relationship between management and internal audit, increases the rate of resolution of observations and recommendations, and improves efficiency of the internal audit department. For management, reports serve as a window into daily operations, a means to evaluate operating performance, a source of objective information about controls and operations, and as a facilitator for gaining support of upper management for issues requiring attention. For internal auditors, reports enable audit follow-up, provide a means to teach and train audit staff, summarize results of audit work and support the auditor’s performance evaluation.
The goal of effective reporting is to help ensure stakeholders’ understanding of the issues, the risk and impact to operations and to share practical solutions. This can be achieved by implementing simple best practices.
1. Have discussions with the auditee – The auditee can provide insight on matters auditors would not have otherwise known about, helping to improve report quality. Remember, the auditee works in that area every day and are the experts. Leverage the auditee’s knowledge to enhance your audits. In these situations, patience and the use of critical listening skills are beneficial. Because listening skills are so critical to an auditor, consider your own effectiveness, which may include asking for input from others who will be honest. Only upon acknowledging reality can you devise a plan to improve this or any skill. When it comes to reporting audit results, surprises are rarely welcomed. It is critical to discuss the cause, impact and recommendations with the auditee before the report is released.
2. Report on facts – Facts should be confirmed throughout the audit and reported matters should be based on well-documented facts and certain logic. Only what was observed and validated to be factual based on specific audit evidence should be reported. Avoid the use of phrases that don’t indicate that, such as “it seems that”, “our impression is” or “there appears to be.”
3. Provide precision – Words like “sometimes”, “many”, “a few” and “several” leave report readers with more questions than answers. Instead, provide specific data which allows them to have a better understanding of the issues to determine how to best resolve them. However, aggressive words like “everything”, “nothing”, “never” or “always” should also be avoided.
4. Write with clarity – Have a clear understanding of the issue before writing the audit report. Be cognizant of the reader’s point of view and understanding of the subject matter. Use simple words when possible. Yes, some technical jargon may be needed, however excessive use of complex terminology may lead to confusion, causing the reader to check out mid-way through the report. This can be a challenge when writing to different levels of readers, such as senior management and Supervisory Committee members. The use of a glossary to define more technical terms can be very helpful, especially in the credit union world which loves acronyms. When using these terms assume the reader does not know what they mean. Spell it out when first introducing it in a report. If further explanation is necessary, expand the description to help ensure understanding.
5. Share background insight on the scope and objectives – Set the stage for how the audit was initiated, what it strives to achieve and the scope of procedures. Without providing adequate information regarding the scope, one may conclude the scope was not significant and discount the efforts of internal audit.
6. Use a constructive tone – Avoid the “F” word – “failed.” Do not put emphasis on mistakes, instead focus on improvements. When communicating, filter findings based on risks, and current or potential impact to the organization. If your findings are a big deal, then communicate them as such, but if they are insignificant be careful not to make them bigger than they are. If everything is important, then nothing is. Audit reports with a constructive tone are more likely to get the buy-in from management. Most audit reports are by nature focused on the negative. Although 97 percent of the audit procedures and testing may be found to be accurate, the report will address the findings from 3 percent of the procedures. If the auditee deserves to be complimented for positive performance, be sure to do so.
However, when communicating the positive in an audit report, be cautious not to issue an opinion. Be careful to only communicate the positive based on what procedures you completed at that time. While detail testing 50 loans may identify a systemic underwriting issue, it does not mean fraudulent or loans outside of the policy have not have been granted. Most audits are designed to test the effectiveness of internal controls, not identify fraud.
7. Review your report – It may seem silly, but simple mistakes can divert the attention of the reader from the content to questioning the content of the report or competency of you as an auditor. After staring at a computer screen for most of the day, it may be difficult to spot errors in your own writing. Try printing the report on paper to review it. This can help identify errors that may not be caught on screen. Always use grammar and spell check, and review numbers and math. The auditor should re-read the report from management’s perspective and make sure the report takes into consideration the suggestions noted previously.
A common hurdle in the review process is disagreements between the auditor and their supervisor. These can range from grammar and spelling, to logic or formatting. Supervisors should develop templates and consistent report-style formats to ensure consistency and help improve efficiency. Eliminating time spent on formatting and style allows auditors to focus on the content of their reports. Most young auditors are not effective writers, so development of writing skills through training should be part of their development and performance plan.
8. Be timely – Timely communication allows management to take appropriate corrective action. Evaluate the significance of the issue when determining the timeliness of the communication. Critical systemic issues require immediate communication to management, allowing real-time process and procedural changes to be made, and halt destructive activities. For instance, if a systemic underwriting issue is identified with a specific dealer while conducting a loan audit, the severity of the underwriting and fraudulent activity may require immediate communication to allow management to shut down the dealer and start investigating. On the opposite side, there may be isolated items uncovered during the audit not requiring systemic documentation exceptions. In this situation, communication of results could wait until completion of the loan review.
While verbal communication, and even written bullet-point finding documents, may be prompt, completion and delivery of the final written report in a timely fashion is a common hurdle of internal audit departments. Auditors often wait until after fieldwork to begin the formation and documentation of formal written comments. Starting the findings development process and documentation during fieldwork results in faster turn-around times on deliverables. In addition, writing audit report comments during fieldwork is easier because the information is fresh and if further information is needed it can be more easily obtained. Contacting an auditee for additional information a month or more after completing the audit fieldwork not only irritates the auditee, but it can also negatively impact the perception of internal audit. Other common reasons for untimely report delivery can include not setting clear timing expectations for the audit team in advance, disagreements with management on findings and lack of timeliness by management in providing written responses, if required.
Setting and communicating written targets for each phase of the reporting process will vastly improve achievement of desired timelines. For example, a reasonable timeline is providing a draft to management within two weeks, management responses within one to two weeks after receiving the draft and then issuing the final report within a week from receiving management responses. The overall goal should be to issue the final report with management responses within 30 days from the last day of fieldwork. Although most internal audit departments do not set and track timelines for report completion and delivery, they should as it can help drive accountability. Consider Peter Drucker’s quote, “if you can’t measure it, you can’t improve it.”
9. Provide reasonable audit recommendations – Auditor recommendations should only be considered as an option to management, as they may be willing to accept the risk of the deficiency or have a different solution. It is important to establish and utilize business acumen in developing recommendations. Adding four people to a process to create perfect internal controls is not reasonable, nor valuable to the organization. While this may be an extreme example, it is critical auditors take into consideration the organization’s available resources, business environment and organizational goals when suggesting practical recommendations to address the deficiency identified.
10. Sum it up in an executive summary – Internal audit reports must contain adequate detail to explain the issue, risk and recommendations to the reader. However, with this requirement there can be considerable volume to the report content. To highlight the results of the audit and allow the reader to “cut to the chase,” use an executive summary. This opening section of the report should highlight the scope and objectives of the audit, provide a summarization of critical findings, key management actions and overall evaluation statement.
As an auditor, you already know the critical nature of effective communication. Over the years, many internal auditors have been discounted or not given the respect they deserve in an organization. While this type of treatment can be caused by the organizational tone at the top, or the lack of support and respect for internal audit by the senior management team, quite frequently it is self-inflicted. Poor communication skills can destroy credibility and create animosity between auditor and auditee. Take some time to self-evaluate your communication against the concepts in this article. If you find this self-evaluation difficult, summon the courage to ask for honest feedback from those you trust and respect, or contact Doeren Mayhew’s Financial Institutions Group for assistance. The encouraging aspect of communication skills in each of us can improve, if we can understand and acknowledge where we currently are, and like any skill, be willing to put in the effort to change our behaviors.
This publication is distributed for informational purposes only, with the understanding that Doeren Mayhew is not rendering legal, accounting, or other professional opinions on specific facts for matters, and, accordingly, assumes no liability whatsoever in connection with its use. Should the reader have any questions regarding any of the news articles, it is recommended that a Doeren Mayhew representative be contacted.
A quick registration is required to view our resources.
You will only be asked to do this one time (unless you don't save your browser cookies).