A radically different approach to audit reports
I have been somewhat retired for a few years now. I have my speaking and training engagements, the occasional consulting project, some mentoring of individuals and organizations, and my writing. They keep me reasonably busy along with bridge and yoga.
But the church that I and my wife attend (she’s the member since I am not a Christian) has asked us to perform an internal audit. We are happy to do that for them (donating our time).
The audit will take some extended period of time. The financial and administrative staff are all part-time; some of the committee members I need to talk to are still working; I have only so much of my time to give to the work; my wife is very busy; and we will be leaving on a trip part-way through. In addition, the scope I have defined is not small: financial accounting and related internal controls; IT security and contingency planning; the adequacy of insurance; tax reporting; cash management; and more.
If I were to adopt an Agile (big “a”) audit approach, I might divide the audit into sprints. Perhaps each would address some part of the scope of work, and at the end of each sprint I would meet with church staff and leaders to discuss the results of that part of our work and obtain feedback on what lies ahead. There would be a report at the end of the audit that covers the totality of the scope.
However, that does not work for me.
In my writing and speaking, I have suggested that internal audit needs to be agile (small “a”). It needs to be flexible and able to respond dynamically to changes in the business, risks, and stakeholder needs.
I have suggested that long audits should be broken up into smaller ones. That enables agility. Tying up staff members for months is not agile.
A car is more agile than a bus. It can change direction, stop, and respond to changes in the traffic more easily.
I am taking an approach to reporting for the church internal audit that is more agile (small “a”) than Agile (big “a”).
Some issues need to be shared with leadership more urgently, and corrective actions taken, than others. With the end of the year approaching, for example, I am prioritizing financial accounting and reporting and the preparation of budgets for 2024.
I am meeting with leadership to discuss each set of issues as I go through the audit, but that is not sufficient.
I am actually issuing reports as and when they are needed, rather than waiting to issue one at the end.
I will be sharing a report just on the financial accounting and reporting this month, and waiting for next month to report on other issues.
It’s not that the other issues are less important. It’s that I don’t want to wait to communicate effectively.
Another influencing factor is that different church committees are responsible for different aspects of their operations. Separate internal audit reports enable each to focus on what matters to them.
Neither the existing IIA Standards, nor what we can anticipate in the new ones coming out next month, require a single audit report. (In fact, the current ones don’t require a formal, written report.)
So, I believe we should provide the reports that our stakeholders need when they need them. If that is one report, fine. If that is more than one, also fine.
What do you think?
If you have audits where a single audit report would deliver less value than multiple, what are you waiting for?
Why issue one report just “because that is what we have always done”? You wouldn’t accept that from your clients!
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
I completely agree, communicate when it matters not until the end of a wide ranging review. Too many are still wedded to a formal narrative driven audit report, it is actually quite depressing.
Agreed! Communicate when you have results, not when dictated by a timeline. Great post!
I fully agree. As long as the reported facts are accurate and their associated risks are well assessed, it’s better for Management to receive the findings sooner rather than later, so they can begin their remediation efforts. Therefore, breaking up the report into pieces makes sense and will likely be appreciated by Management. We should also ensure that we don’t mistake “agility” for rushing to conclusions when reporting our findings.
I do not know the full context of the assignment but my thoughts are.
Your reporting strategy could represent best possible practice in risk management, as any control weaknesses are reported within the shortest possible with a correspondingly quicker corrective action implementation.
Entirely agree that this is the best approach, especially where several ‘interest groups’ are involved.
You mention the briefings you will be doing during the audit but how are you briefing the groups before the audit work starts?
The answer to that question, as it is with all questions, is “it depends”. I may or may not need separate “opening” meetings, as I don’t always know in advance how issues will arise.
But how have you asked them what they perceive are their greatest risks and about the auditing process?
That’s during the planning process, and I focus on enterprise rather than local risks.
I don’t quite understand your comment Norman. I can understand why you focus on ‘enterprise risks’ but aren’t they highlighted in planning meetings with the ‘clients’?
David, I identify them during the preparation and updating of the audit plan – before the audit starts. I and my team are talking to management, senior and operating, continuously. We may do some minor refinement when we start the audit, mostly to confirm which controls and processes are involved, but the scope (enterprise risks to be addressed) is usually already defined.
Agreed
I’ve found that discussing potential issues with management as soon as they are noted is most effective. That helps the reviewing auditor maintain communications and prevents a misunderstood attribute from becoming an issue when it’s not. It makes the auditor better and enhances the audit group’s reputation. And if that communication helps management correct a problem, possibly before the end of the audit, which makes them look better too. Win-Win-Win.
Your agile approach will lead to enhanced timeliness of reported information which is always a good thing.