Add to collection(s) Add to saved
  1. Business
  2. Management

Effective internal audit reporting

Effective internal audit reporting
September 2015
RUTH IRELAND
PARTNER AND NATIONAL HEAD, RISK AND ADVISORY
SERVICES
Agenda
•
How good are we as a profession at reporting?
•
What is encompassed in ‘reporting’? – the reporting cycle
•
Constructing an effective internal audit report
•
Meeting the needs of management and the Audit Committee
•
Adding value
•
Internal audit performance reporting
•
Closing comments
2
How good are we as a profession at reporting?
My assessment - “Could do better”
• Too focused on the formal audit report – not enough consideration to other
elements of the reporting process
• Reports are often long and detailed – and don’t always cater for different
audiences
• Hide behind rating systems
• Not always getting to the root cause, therefore recommendations lack impact
• Insufficient focus on adding value
• Focus on the formal written report and give insufficient thought to how our
work is presented
• Need to be better at measuring and reporting on internal audit performance
3
How good as a profession are we at reporting?
Internal audit reporting is about more than the report itself
•
It confirms credibility and trust in the audit function/service or conversely can
undermine trust and credibility
•
It is an extension of your brand
•
Good reporting can reinforce internal audit’s position and importance
4
What is encompassed in ‘reporting’? – the
reporting cycle
• What are the various opportunities to report on internal audit activity?
• Map the deliverables to the various recipients and consider how they should be
communicated
• Need to plan both the production of the document and how it will be presented
Deliverables
Annual Internal Audit Plan
Audit
Committee
CEO/CFO
Audit
Sponsors













Individual internal audit planning documents
Wash up/closing meeting points for discussion
Draft Internal Audit Reports
Final Internal Audit Reports


Progress Reports / KPI performance


Annual Internal Audit Report


Each is an opportunity to promote the work of internal audit
Relevant
Staff
What is encompassed in ‘reporting’? – the
reporting cycle
Wash up /closing meetings (building on regular communication
throughout the audit)
• Ensures early identification of auditor mis-understandings of facts.
• Early identification of differences (auditor v management) that are
judgement based.
• Management will have had more time to consider issues, discuss with
colleagues, and come up with their own ideas for solutions.
• The relationship may have been developed to a better level by the time
the formal reporting phase starts.
6
What is encompassed in ‘reporting’? – the
reporting cycle
Include:
• Formal agenda with key points documented for discussion
• Reminder of the context of the audit for those not fully involved, and
of the approach to undertaking the work
• Good practice identified as well as areas for development
• Full exploration of the issues that will be fed into the formal report
• Confirmation of timelines for a formal report to be issued.
7
Constructing an effective internal audit report
•
Reports have a purpose – what is the key message you are trying to convey?
•
What do you want people to do in response?
•
Too long / too short?
“Cut the length of audit reports wherever possible”
Chair of Audit Committee - Aberdeen Asset Management
But this is our big moment!
8
Constructing an effective internal audit report
Question
Could the future be a one page audit report?
9
Constructing an effective internal audit report
Signpost the overall opinion (if used) early on
Use an Executive Summary!
This might include:
•
A reminder of the work undertaken
•
Context – include facts and figures and some history, if relevant
•
Acknowledgement of good practice
•
Summary of key findings, pulled together into themes
•
Overall conclusions.
Avoid repeating the individual findings from the audit.
Constructing an effective internal audit report
Writing style
•
Keep it short and punchy
•
Use clear messaging
•
Simplify your language
•
Avoid jargon and unexplained acronyms
•
Less is more when it comes to the number of words!
Constructing an effective internal audit report
Some thoughts on the detail
Presenting findings:
Description – what is the issue? This should be factual and free of interpretation.
• Example:
We reviewed twenty-five payments and found ten of the payments were not
approved in accordance with the organisation’s policy.
Cause – what is the root cause of the problem – the why question
• Example:
This has been caused by a lack of training for new accounts payable personnel.
The cause should be discussed with client prior to writing the report.
Constructing an effective internal audit report
Impact
What is the impact on the organisation? You may consider:
• What is the risk?
• Why should management be concerned?
• Does this issue have the potential to impact the organisation’s strategic
objectives?
• Could this lead to a material misstatement in the organisation’s financial
statements?
• Could this lead to a loss of reputation?
Constructing an effective internal audit report
Prioritising findings
Findings should be rated and prioritised in order of importance
• To assist the reader to understand the relative importance of the issues
• To also allow management and the Audit Committee to compare the criticality
of issues across internal audit reports.
Meeting the needs of management and the Audit
Committee
Tailoring reports to the audience
Have you asked the Audit Committee and management what they want?
Audit Committee
Management
Need to know the headlines in terms
of how risks are being managed. May
need educating on the implications,
should the risk materialise.
Will be interested in core themes
and should understand the
consequences, should risks not be
mitigated. Will also need to know
who, what, when and why.
Should be able to understand the
issues from reading a few pages of
the report.
Should be able to understand the
issues from reading a few pages of
the report.
Shouldn’t be pulled into the detail
of individual findings.
Need the detail.
Meeting the needs of management and the Audit
Committee
Question
• Do you use the same audit report format for Audit Committee and
management?
• What are the benefits/drawbacks of using one report for different audiences?
Audit Committee reporting
What reporting might the Audit Committee typically expect?
• Summary of individual audit reports
• Management action in implementing recommendations
• Internal audit performance – KPIs (qualitative and quantitative)
• Audit coverage and progress:
 Audits completed against the Annual Audit Plan
 Actual days input compared with Annual Audit Plan
• Audit planning and reporting
• Good practice ideas and benchmarking information
Audit Committee reporting
Not just the report itself but how we present it:
•
Should be able to assume the report has been read
•
In presenting individual assignment outcomes, tell a story to the committee:
 The context of the audit and why was it done
 Any relevant history of the area under review
 What did internal audit do to come to its opinion
 The main themes and risks emerging and management’s response.
(And ensure individual presenting has good presentation skills)
18
Adding value – considerations
• Varying Internal Audit roles which starts with planning our work, and flows
through into reporting:
 Assurance provider
 Consultant
 Critical friend.
Are we good at reporting on all these elements of our role?
Adding value - roles of Internal Audit
ADEQUACY
Maturity of
controls
environment
and risk
management
processes
EFFICIENCY
EFFECTIVENESS
PERFORMANCE
Level of
experience
and skills in
the IA
function
COMPLIANCE
OPERATIONAL (policies, procedures, controls)
VALUE
PRESERVATION
(emerging risks, priorities) STRATEGIC
VALUE
CREATION
Adding value – foundations
Adding value is underpinned by good foundations:
• A deep knowledge of the organization, including culture, key stakeholders,
context and strategic aims
• Innovative internal audit practices
• Staying abreast of value added practices
Need to communicate our achievements
(not just report on activity)
EXCEED STAKEHOLDER EXPECTATIONS!
Adding value
Myriad ways to enhance audit reports
Consider:
• Benchmarking
• Use of surveys
• Comparing policies/procedures with good practice
• Showing the effectiveness of processes graphically
Adding value – examples
Real examples of added value from internal audit reports.
Adding value – examples
Real examples of added value from internal audit reports.
Adding value – examples
Real examples of added value from internal audit reports.
Adding value – examples
Real examples of added value from internal audit reports.
Adding value
Question
• Do you have any other ideas to share?
Internal audit performance
reporting
Summary of
conclusions on
operational
effectiveness of
internal controls
1
Substantial
5
Moderate
Limited
6
Typical KPIs:
• Elapsed time for issue of reports – completion of
audit work to draft report
• Elapsed time for issue of reports – draft to final
report
Summary of
conclusions on the
design of internal
controls
1
1
6
Substantial
Moderate
Limited
• Number of unsatisfactory audit opinions (as % of
total)
• Number of audit assignments completed (versus
number planned)
• % of recommendations accepted
No
4
Summary of number of
recommendations
raised
4
• % of actions fully implemented.
High
Medium
36
Low
31
Internal audit performance reporting
• Qualitative measured using satisfaction questionnaires and end of
assignment reviews, such as:
• Internal Audit understand the business and processes of the company
• Risks identified for the assignment were appropriate for the organisation
and the area under review
• The people carrying out the assignment asked informed, relevant
questions to identify the controls against the risks already identified
within the audit area
• Progress was clearly communicated during the course of the audit and a
debrief meeting was held at the end of the fieldwork
• The findings and recommendations in the draft report agreed with those
discussed during the debrief
• Findings within audit reports are accurate, clear and unambiguous
• Recommendations in the audit report are practical and relevant to the
needs of the area reviewed
• Customer satisfaction survey issued after every audit assignment.
Internal audit performance reporting – examples
2. Risks identified for each assignment were appropriate for the
Organisation and the area under review.
1. Internal audit understand the business and processes
of the Organisation
2
2
1
1
1
1
3
2
2
1
1
Feb-14
May-14
Jul-14
Jan-15
Feb-14
May-14
Very satisfied
1
3
2
1
Feb-14
May-14
Jul-14
Jan-15
Key
The bar graphs show the responses to each question with the colour of the bar
reflecting the response received and the numbers representing the quantity of
responses. The colours of the bars reflect the responses received as follows:
2
1
2
1
3. The staff undertaking the internal audit assignment
asked informed, relevant questions to identify the controls
against the risks already identified above within the audit
area
1
2
Dissatisfied
Jul-14
Jan-15
30
Denotes where a question has not
been answered.
Internal audit performance reporting
4. Progress was clearly communicated during the course of the internal
audit and a debrief meeting was held at the end of the fieldwork.
5. The findings and recommendations in the draft audit report agreed with
those discussed during the debrief meeting.
2
2
1
1
1
1
3
1
2
1
1
Feb-14
May-14
Jul-14
Jan-15
1
1
Feb-14
May-14
2
2
Jul-14
Jan-15
7. Recommendations in the internal audit report are practical and relevant
6. Findings within internal audit reports are accurate, clear and unambiguous.
to the needs of the area reviewed.
2
2
1
1
1
1
1
1
1
1
1
1
Feb-14
May-14
Jul-14
3
2
1
1
1
Feb-14
May-14
Jul-14
Jan-15
31
Jan-15
Internal audit performance reporting – examples
Audit Completed, by Inherent Risk
Audits
Completed
Total Number Of Audits
Commercial Practices
8%
Audits
Complet
ed, Not
started,
30, 30%
Audits
Complet
ed,
Complet
e, 58,
58%
Audits
Complet
ed, WIP,
12, 12%
Complete
Business Continuity
4%
Product Quality
11%
Financial Reporting and
Disclosure
4%
Audits withwith an “unsatisfactory” or “critical” rating
Title of audit report
Star Rating
*
Continuity of Supply
7%
Research Practices
16%
WIP
Total Number Of Audits With An
“Unsatisfactory” Rating
*
**
Tax and Treasury
2%
Not started
Environment Health & Safety
and Sustainability
8%
Audits
Overruns
Intellectual Property
12%
Protection of Electronic
Information and Assets
11%
24%
Patient Safety
17%
76%
Audit Group Headcount
On time
Overrun
Audits Recommendations
implemented
Budget
Actual
Group
Deviations from annual audit plan
• Variations
• Reasons
Manufacturing
• Impact risk context
Environmental Health, Safety &
Sustainability
Research & Development
30%
Expected
58%
12%
Actual
Average time to issue reports after field work
Actual vs. planned audits
IA budget to actual
Implemented
WIP
Not started
Training hours per Internal Auditor
32
Closing comments
• Plan as diligently for the reporting as the audit itself
• Always consider the audience and what they need
• Presentation – verbal and written is crucial!
34
BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a
member of BDO International Limited, a UK company limited by guarantee, and forms part of the
international BDO network of independent member firms. A list of members' names is open to inspection at
our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the
Financial Conduct Authority to conduct investment business.
BDO is the brand name of the BDO network and for each of the BDO Member Firms.
BDO Northern Ireland, a partnership formed in and under the laws of Northern Ireland, is licensed to operate
within the international BDO network of independent member firms.
Copyright ©2015 BDO LLP. All rights reserved.
www.bdo.co.uk
Related documents
Evolution of an Automated Internal Audit Management System
Evolution of an Automated Internal Audit Management System
Audit Poster - BSG Colonoscopy Audit
Audit Poster - BSG Colonoscopy Audit
Lutz Internal Audit Director 10 22 2015
Lutz Internal Audit Director 10 22 2015
LGFMA Presentation - Internal Audit Program Model
LGFMA Presentation - Internal Audit Program Model
Fetal Medicine Foundation - FMF
Fetal Medicine Foundation - FMF
Job Title: IT Audit Senior
Job Title: IT Audit Senior
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
QUALITY ASSURANCE: Obstetrics Auditing, Records & Reports
Download