Wasting money with audit reports
This week, I had the privilege and pleasure of spending time with a number of smart and curious professionals who are dedicated to adding value to their organization.
I am talking about internal auditors, of course.
I was a speaker at a multi-national company’s annual internal audit conference (something I enjoy doing). I touched on a number of themes from my book, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.
The attendees not only asked me about some of those themes, but we discussed other topics, some of which I will cover here today and in later posts.
X
My topic today is the significant time and money wasted by internal audit functions when it comes to audit reports.
As we know, the IIA’s Standards do not require a formal, written audit report – even though almost every function prepares them.
Writing, reviewing, rewriting, debating with management, amending, re-reviewing, and then publishing an audit report can take a lot of time. My teams might spend anywhere from 10 to 50 hours on the task. I have heard of others spending as much as 600 hours on their average internal audit report.
If you say that the average internal auditor’s salary is about $90,000 (based on Accounting.com figures) and you add about 30% for benefits and other costs, the average internal audit hour (based on 2,080 productive hours per year) costs roughly $60.
That puts the cost of an audit report, in addition to the cost of planning and performing an audit, at between $600 (my minimum) and $36,000.
What is the cost of a typical audit report in your organization?
Now let’s consider whether the value exceeds the cost.
The value should be expressed from the perspective of the organization, in this case that means our customers and stakeholders.
There are essentially three groups:
- Operating management, including process and control owners, and their direct management
- Senior and executive management
- The board of directors, especially the audit committee
When it comes to the first group:
- The audit team should have discussed any potential audit ‘findings’ with them as they arise, certainly by the end of that week.
- Any issues are again discussed, this time with a broader group including some levels of management, at the Closing Meeting.
- They should already be working on corrective actions as needed.
- They will derive little value from seeing the same information in the formal audit report.
- Their interest in the report will be focused on whether they are being treated fairly, and whether the report is inconsistent with what has previously been discussed.
- If useful, send the group a memo confirming the issues and actions agreed upon at the Closing Meeting. Then you don’t have to worry about using the formal audit report for that purpose.
There really is little value in the final audit report for that group.
X
The second group will not have been at the Closing Meeting, so they will neither know what the audit assessment is nor whether there are issues of significance.
The value to them is in the communication of information they need to know to perform their jobs.
The value is in what they need to know, rather than what internal audit wants to say.
What do they need to know?
- Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
- Is there anything they have to do?
- Are their teams taking appropriate corrective actions?
- Can they rely on their organization, people, processes, and systems to perform as needed for success?
There is value in providing that information.
But they don’t need to read, in the audit report, about issues that don’t represent a risk of significance.
In fact, cluttering up the audit report with stuff they don’t need to know reduces the value of the report. It makes it harder to consume.
If you only tell them what they need to know, when they need to know, they will listen.
But if you are constantly telling them stuff that is not relevant to their success, they won’t necessarily listen when there is something important they should know.
Tips:
- Tell them what they need to know when they need to know. If its important, it can’t wait until the report is perfect.
- Eliminate the stuff they don’t need to know. It is wasted, even negative value space.
- Make it easy for them to read and understand what they need to know. Don’t hide it among a pile of trivia they don’t need to read, such as who did the audit, whether it was performed in compliance with IIA standards, what the objectives were, whether there were other issues, whether prior minor findings have been corrected, etc., etc., etc.
- Recognize that the best communications (and the report is a communication device, not documentation of the work that was done) take very little time.
- The best reports are less than one page, with attachments that are optional reading.
- Don’t spend $36,000 to issue an audit report.
X
Then there’s the audit committee of the board (and perhaps any compliance committee).
They need even less than top management, although their needs are very similar.
- Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
- Is there anything they have to monitor themselves?
- Can they rely on the executive team?
- Can they rely on their organization, people, processes, and systems to perform as needed for success?
The same tips apply.
X
Now that we have an idea of the value, we can decide whether internal audit reports cost more than they are worth.
Can and should they be streamlined, so that the cost is lower and (especially) the time to deliver the information people need is fast?
You can’t consider your internal audit function as agile if important information is delayed.
Information loses value as it ages.
So re-examine your audit reporting process. Eliminate non-value work.
Consider doing more communication to leaders face-to-face, as that stimulates constructive discussions about the issues, their implications, and any necessary actions. It also speeds up the communication process.
X
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
This makes a lot of sense and I totally agree with streamlining the report. But what about heavily regulated industries with regulators that have specific expectations on what an audit report “should” look like? Those expectations may not completely align with internal management.
Billy, even highly regulated industries have an opportunity to do this. The issues of significance are still being communicated. My team at the oil company performed mandated compliance audits that were subject to regulatory review every year. The regulators had no problems at all.
It’s good that Internal Audit organizations think about the value they provide in their work and also in the products they provide. Many times it’s not always clear that an audit accomplished much in terms of value for cost or in identifying very tangible recommendations that provoked the needed changes to the areas of focus. I’m always interested in the inherent limitations of internal controls and the connection with a formal monitoring process such as the audit provides to management and directors. One thing auditors might consider is whether or not the cost of the audit delivered value beyond just a report other than exposing opaque areas of an organization to greater scrutiny. These discussions you are having are only going to help the profession to grow in importance and stature.
From my, non-North American, perspective this is a fantastic post. I should really leave it here, to not dilute the sentiment, but will just add that I ventured to read despite being buried in some super urgent/important work, and so glad I did. Transformative impact on my perception of Reports. I sure will borrow heavily when I deliver in May a free seminar to IIA Cyprus on Reporting. I can only thank you. Super-clear, super-plain, super-practical. From a man who knows what he is talking about. And how to put it across to people like me who need it served that clear, that applied, that practical.
Thank you!
The thanks to you Norman. The more of your material I had been reading over the years, the more I was being won over, but for some reason this one (NOT only or mainly because it came just as I was getting very anxious about managing to prepare for that seminar due to a cripplingly full calendar) was a big leap, not a matter of degree in that process. Completely convinced me, and completely rid of my clinging to the old anachronistic wasteful Reporting model still reigning supreme, completely un-challenged, in these parts. You shall be quoted in my seminar, and I will be fully prepared – armed from the simple yet so disarmingly powerful arguments in the post – to handle the traditionalists’ shocked reactions …
Thanks and good luck!
Hi Norman,
Great post, as usual. I am already producing very short and succinct audit reports and have been talking to my team about moving to a one-pager. You just outlined my reasons for moving in this direction and I realize I need to get there now.
Thanks for read.
Fully agree, is need to look carefully at the value of reports. Having heard this topic a number of times over a few years now I still wonder why many internal audit teams still push the burdensome large reports? Seems very self serving and not meeting needs of stakeholders.
In my current audit environment our audit reports are subject to being shared publicly so it is a bit different and we have to apply a closer lens in preparing them. That being said keeping them short and clear is a focus point for us.
Think of all the technology changes in the last 30 years and yet … what innovation have we seen in audit reports? Or any other kind of finance reports, for that matter. I’m sure there must be ways of reporting that is not a mass of words. What about a video report?
I find it much easier to inform operational management along the way as we do our audit. They can start working on making changes and they already KNOW what we are going to note in our report so there will be no surprises and even better we do not have to go into too much detail because they already know about the issue. If they need information to further support the finding, then we can provide documentation. But, nobody wants to read a 5 page audit report, even auditors!
Great article Norman! I enjoyed reading it. You bring up a lot of good points.
Thanks, Melissa
A good article with some good points, but I disagree with some of the conclusions – it seems to imply that a light tough single pager report is enough to satisfy all intended audiences, but I respectfully don’t believe this to be the case.
I’ve arrived at a place where I give a single page Exec Summary, a slightly more detailed 5-6 page audit committee report as an annex, and a much fuller, detailed piece of work (circa 30 odd pages) for the business.
The 30 pager challenges your suggestions here, but it always feels like a necessary evil – it’s not loaded with superfluous nonsense, rather it contextualises the findings and recommendations. My most recent work has covered compliance with a broad number of principles in a single report – the detail showed I had considered the principles and their requirements, then considered the evidence of how the successfully auditees were meeting these requirements. This kind of detail was derived from the RCE (so was essentially copy and paste), but it was tailored to suit a wider specialist audience. Feedback was extremely complimentary. The approach is highly valued. The three different papers were tailored to their different audiences, but as an end-to-end package the report and its annexes did what it needed to.
Whilst I understand the value of the single pager I don’t agree that it can stand alone. If audit work is to provide real value to the organisation it needs the necessary detail behind it.
Thank you for your comment, but you are misreading the post. It does not say that “a light tough [sic] single pager report is enough to satisfy all intended audiences”.
No, it says that you should provide each audience with what they need to know rather than what you would like to say.
They rarely need to see the detail nor evidence that you have done a thorough job. That detail is for your internal use and satisfaction, rather than to help them in their decision-making and general running of the business.
The detail is always available should they ask for it. If they consistently ask for it, then it can be attached to the one page (or less) executive summary.
In other words, if they believe they need the detail you give it to them. If not, don’t.
To repeat: the report is a communication vehicle that is not required by the IIA Standards. It should communicate what your customers need to know, and not make it hard for them to consume by adding stuff they really don’t need to read.