Auditors always produce a report after they complete their work. It is a universal standard activity. It is expected by management and other stakeholders alike. The reports record the results of the audit work and should be the foundation for driving sustainable improvement in the management of the company.
Hours spent in the reporting phase of an audit have increased over time, yet this extra time has not translated into increased report quality or effectiveness. On average 95 hours are now spent producing an audit report – up from 55 hours in 2008 and 84 hours in 2010. This now represents 18% of the total time spent on an audit in planning, fieldwork, reporting and follow up activities (up from 14% in 2008).
CEB research reports management concern about the quality of audit reports and urgency of audit findings, raising questions about the impact of assurance work on helping the business address deficiencies. Only 50% of those in the business rate audit reports as effective and clear.
Reasons to Improve Audit Reports
- Increased visibility: Audit results are distributed to a wider range of both internal and external stakeholders, each with varying needs. Auditors need to ensure the audit report does not overstate or understate risk and that it provides an accurate picture of the risk and control environment.
- Demonstrate credibility: Internal Audit continues to review more complex, strategic risks. This means auditor understanding of the business and associated risks has to be properly demonstrated within the audit report.
- Avoid ratings clustering: The tendency to cluster results at the mid-point of audit ratings leads to an inadequate reflection of actual risk exposure.
- Articulate business value: Stakeholders often feel audit results are not directly linked to their business priorities or urgent enough to address in a timely manner.
Many audit departments make basic mistakes that detract from the usefulness of their reports. Most of these mistakes are easy to fix. Defining a report template, using clear examples of good writing and streamlining the editing process are examples of quick improvements you can make.
Yes or No to Audit Ratings
Over three-quarters of respondents issue individual ratings and almost 80% issue overall report ratings. The three-point scale is still the most common rating method for audit teams. However, the use of four and five-point scales is increasing. Our research shows 23% do not rate individual issues and 22% do not rate reports with 9% not rating either.
There are benefits to using audit ratings yet they can also add delays and friction to the audit process. Example positives and negatives are summarised below.
|Quick to understand severity of audit issues or overall report conclusion.
Easier to track trends in reported issues.
|Primary focus is upon issue resolution.
Reduced defensiveness of audit client management.
|Stakeholders spend more time debating rating than the underlying issues.
Inconsistency of ratings across audits / auditors.
|Difficult to distinguish between issues.
Harder to track trends.
The challenge is represented by this quote from the chief auditor at a CEB Audit member firm:
“We spent about as much time discussing the grade as we spent discussing how to remediate the finding, so we wanted to find a way to communicate critical issues to senior management and the Audit Committee without the use of grades.”
Innovative Audit Reports
Most audit departments rely on electronic distribution of audit results and provide digital periodic summaries of audits to the audit committee.
Today more stakeholders are reviewing reports and other information via smart phones or tablets. Internal Audit should keep stakeholder preferences in mind when designing a report to ensure it can be easily read on devices used by their key stakeholders.
As an illustration, among the audit report innovations we found during recent research were the following:
- A company that leads its audit report with the most important information but embeds links in the text to allow stakeholders to easily navigate to more detailed information as needed.
- A company that divides the executive summary into parts that effectively demonstrate the results of the audit engagement, including separating the risk impact to Company and BU, using a risk management maturity model (with target and actual) as well as providing summary company / process information.