Let’s Review the IIA’s Guidance on Communicating Audit Results

February 9, 2026
Norman Marks on Governance, Risk Management, and Internal Audit

Why It Matters

Effective, risk‑focused communication determines whether internal audit adds real value and influences board decisions, directly impacting organizational risk management.

Key Takeaways

  • Guide stresses stakeholder needs but misapplies risk‑based opinion.
  • Standard 15.1 forces activity opinion, not risk focus.
  • Effective communication requires timely, actionable findings for board.
  • Prioritization methodology should be agreed with management early.
  • Audit tool examples lack linkage to enterprise objective impact.

Pulse Analysis

Risk‑based internal auditing has become the benchmark for modern assurance functions, shifting the focus from blanket activity reviews to targeted risk assessments. The IIA’s new guide attempts to codify best‑practice communication, yet it retains language that obliges auditors to issue blanket conclusions on governance and control effectiveness. This creates tension with the principle that auditors should only opine on the specific risks they audit, potentially diluting the relevance of their findings and confusing stakeholders about the true risk landscape.

A recurring pain point highlighted by practitioners is the use of generic terms such as “satisfactory” or “needs improvement” without quantifying impact on enterprise objectives. Boards and senior executives require actionable intelligence—how a control weakness could affect financial performance, regulatory compliance, or strategic initiatives. By tying each finding to measurable risk exposure and expected outcomes, audit reports become decision‑enabling tools rather than compliance checklists. Moreover, aligning the prioritization framework with management’s risk appetite before report issuance fosters consistency and reduces surprise, strengthening the audit‑management partnership.

The guide’s recommendations for flexible reporting and in‑person communication echo broader governance trends emphasizing agility and stakeholder‑centricity. Tailoring report structure to the audience’s needs, eliminating redundant sections, and focusing on the assurance that significant risks are managed within tolerances can shorten remediation cycles and enhance risk visibility. Organizations that adopt these practices are better positioned to demonstrate proactive risk oversight, satisfy regulatory expectations, and ultimately protect shareholder value.

Let’s review the IIA’s guidance on communicating audit results

Norman Marks

The IIA published a Global Practice Guide, Communicating Results of Internal Audit Services, in December. (I was on the team that developed the 2009 Practice Guide that it replaces, “Formulating and Expressing Internal Audit Opinions”.)

It has some excellent content, as well as some guidance that I think is in error.


Why am I reviewing the Guide?

This is perhaps the most important activity of the internal audit function. If its communications are not effective, how is it adding any value?

This review and my comments are intended not only to share what the Guide does and does not do well, but also to suggest what I believe internal audit practitioners should be doing. As usual, I have highlighted key points.


My review

The Guide starts with this:

“Understanding the needs of stakeholders is key; the chief audit executive should clarify with the board and senior management what they expect in terms of communicating the results of internal audit services and the level of assurance required.”

This really is excellent. It aligns with my catchphrase of:

“Tell them what they need to know, when they need to know.”

My phrase is shorter and more comprehensive. It stresses (a) only telling them what they need to know to do their job, and (b) timely communications. If there’s a serious problem, any delay extends the risk.

But their sentence stresses the need to agree upfront with the customer what it is they need to know, how they need to hear it, and when they need to be informed.

I always had an agreement with my audit committee, as well as with the CEO, about which issues might merit their attention and when they should be notified. I preferred to highlight for them only those issues that represented a significant risk to the achievement of enterprise objectives, or where there was a concern relating to a senior member of the management team. Other issues would be available for them to read if they chose.


A problem with this section

“The final communication for assurance engagements must include a conclusion regarding the effectiveness of governance, risk management, and control processes of the activity reviewed (Standard 15.1 Final Engagement Communication).”

Let me explain:

  1. I much prefer an opinion on whether the controls provide reasonable assurance that the in‑scope risks are at desired levels.

  2. With risk‑based auditing you may or may not assess all related governance and risk‑management processes. For example, if you audit the procurement of consulting services (a typical risk‑focused audit), you probably wouldn’t be looking at any governance or even risk‑management practices.

  3. When you perform risk‑based audits, you audit and provide an opinion on how the specified in‑scope risks are being managed. You are not auditing and providing an opinion on the activity – and we need to stop pushing that fallacy. Even leadership of the IIA says we should be risk‑based. Let me say it again: with risk‑based auditing, you are auditing and providing an opinion on the management of specific risks, not on the management of the activity.

Later in the Guide, it talks about expressing an opinion that controls are “satisfactory”. I think that’s wholly unsatisfactory. It’s a meaningless expression.

If your child came home with a report card that said they were “satisfactory”, what would that mean to you?

We need to COMMUNICATE, and “satisfactory” is not telling our customers everything they need to know.

  • Are the controls adequate?

  • Should they be improved?

  • Is there anything I need to do?

Those are questions that need to be answered.

But the Guide is repeating what GIAS mandates, so I must be wrong. 😊

The Guide says:

“Expressing internal audit engagement conclusions involves synthesizing all the evidence and findings from an engagement and articulating what they mean in relation to the engagement objectives and the organization’s goals.”

That’s reasonably good, but IMHO it should say:

“Expressing internal audit engagement conclusions involves synthesizing all the evidence and findings from an engagement and articulating whether the system of internal controls provides reasonable assurance that the risks in scope are maintained at desired levels.”

Management and the board are working to achieve enterprise objectives, and we need to provide them with the information they need about whether risks to those objectives are being effectively addressed. That’s what they need to know. That is actionable information.


Prioritizing findings

I don’t have a problem with this section:

“The chief audit executive should establish a methodology (often documented in the internal audit manual) for prioritizing findings (Standard 9.3 Methodologies). Such a methodology might define a high‑priority finding as one that exposes the organization to an unacceptable risk, meaning risk that could significantly impact the achievement of organizational objectives. Examples include a high likelihood of a material financial misstatement, a violation of law or regulation, or a serious operational breakdown. Medium‑priority findings could indicate moderate risk exposures or control gaps that could become high risk if they are not addressed. Findings rated low could represent minor issues or isolated inefficiencies with minimal impact. Establishing the criteria framework in advance establishes a basis for objectivity and consistency, so that two different auditors within the internal audit function would categorize similar findings in the same way.”

My only comment is that this assessment should, if at all possible, be discussed openly and agreed upon with management before the report is issued.


Overall audit opinion

“Beyond individual findings, internal auditors must form a conclusion at the engagement level for assurance engagements (Standard 14.5 Engagement Conclusions). This engagement conclusion is essentially the auditors’ professional judgment about the activity reviewed based on an aggregated view of the findings (and any positive observations) relative to the engagement’s objectives. According to Standard 15.1, the final communication for an assurance engagement must include a conclusion on the effectiveness of governance, risk management, and control processes for the activity under review. It gives readers a concise view of whether the audited activity is in a healthy state or needs significant improvement.”

This comes back to a criticism that I and others have made of GIAS: it simply is not risk‑based.

Some of the examples are poor, such as this suggested audit opinion:

“Engagement Conclusion: Needs Improvement. The controls over the procurement process are partially effective. We noted significant control weaknesses in vendor due diligence and contract approvals that could allow fraudulent or unauthorized contracts, undermining the organization’s objective of cost‑efficient and compliant procurement.”

This begs the question of whether there is an unacceptable likelihood of fraud or unnecessary expense that would be material. How would this risk affect the achievement of the organization’s net‑income goals?


Communicating with management

One tremendously important part of the process for communicating the results of our work is talking to management.

  • If possible, we should never surprise management with our report.

  • We must talk to them before any report is issued in final form to make sure it is fair and to listen to and perhaps resolve any disagreement.

  • Management may also have information that puts the issue in a better context for top management and the board. It is quite possible that such information should be included in our report.

  • If there is a need for corrective action, we need to give management an opportunity to take it promptly. When we delay talking to them about a potential issue, we are inadvertently extending the risk.

  • We should have an open dialogue with management about the risk that any deficiency represents. They may well have information or perspective that might change our thinking.

  • We need to confirm the facts before we reach any conclusion at all.

  • We should be communicating with management throughout the audit. That communication needs to be two‑way.

I don’t know whether the authors of the Guide considered this out of scope, but it is not covered at all.


Observing patterns and themes

“The internal audit function is in a unique position to observe patterns and themes that emerge across multiple engagements. Often, the findings of individual engagements, when viewed collectively, point to patterns, trends, a broader issue, or systemic root causes in the organization. Developing themes across multiple engagements means stepping back and looking at the audit results holistically, beyond a single project.”

These higher‑level conclusions also may provide insights at the business‑unit or organizational level and can inform the board and senior management about overarching strengths or weaknesses in governance, risk management, and control processes.

While the Guide talks about communicating themes, it has dropped an important part of the prior guidance. It doesn’t talk about the need for an overall assessment by the CAE of the organization’s systems of internal control and risk management. (I don’t believe the CAE can provide an opinion on the effectiveness of governance without assessing the performance of the board and the executive management team.)

I did that every year as CAE and my audit committee found it valuable. Here’s an example:

“Over the last period, and as discussed in audit committee meetings, we have completed a number of audit engagements (see attached) designed to address the more significant risks to the organization’s ability to achieve its objectives and create and protect value.

In our opinion, based on the work performed, the systems of governance, risk management, and internal controls provide reasonable assurance that the more significant risks to those objectives are managed within organizational tolerances.”

Overall, my assessment of this Guide is that it needs significant improvement if it is to provide practitioners with the guidance they need. But it is consistent with GIAS and probably therefore achieves the objectives of the IIA. 😊

My objectives are different: help internal audit practitioners provide their organization with the proactive and forward‑looking assurance they need, when and how they need it, on the effectiveness of the system of internal controls over the more significant risks to enterprise objectives, together with advice and insight they value.


The IIA’s companion audit tool

The IIA has shared a companion IIA Audit Tool, Determining Results of Internal Audit Services (available to members only). Here are some examples it includes of “high risk” or equivalent audit findings:

  • The customer data privacy process is inadequately controlled. Several systems containing customer data lack enforced role‑based access, and user‑access reviews are not performed regularly. In addition, customer data is retained indefinitely in multiple systems without documented justification or secure disposal processes.

  • The controls over the IT change‑management process are unsatisfactory. Several high‑risk findings, including an outdated change‑management policy, absence of change‑approval controls, and insufficient testing and validation of changes.

  • The controls over the procurement process are inadequate. Two key vendors had going‑concern issues that were not discovered during the vendor‑due‑diligence and approval processes.

  • The organization’s financial‑reporting system lacks adequate access controls. Several terminated employees retained access to the system, and user‑activity logs and system changes were not reviewed. These control gaps could lead to a material financial misstatement, due to either error or fraud.

None of these tell management and the board how significant the issues are to the achievement of enterprise objectives.

  • Is the likelihood of delivering on their strategies and achieving their goals affected?

  • Why should the CEO or board member be concerned?

For example, what is the likelihood of terminated employees being able to do something that would result in a material misstatement of the financials? Why should the CEO worry about vendors having going‑concern issues?
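Take the terminated‑employee finding above. The question “what is the likelihood of terminated employees being able to do something that would result in a material misstatement?” cannot be answered with “inadequate”; it needs numbers: how many accounts are still enabled, how many carry privileged roles, how long they have been open, and whether any were actually used after the termination date. The script below is an added example, not part of the IIA tool or of Norman Marks’ post: it reconciles a constructed HR termination extract against a constructed application user list for a hypothetical financial‑reporting system (the role names `gl_admin`, `journal_approver`, `ap_clerk` and all records are assumptions) and produces the headline figures an auditor could put in a report in place of a generic rating.

```python
"""Reconcile HR terminations against application accounts.

Added example (not from the IIA tool or Norman Marks' post): it turns the
generic finding "terminated employees retained access" into numbers a CAE
can put in front of the board: how many accounts, which are privileged,
how long they have been open, and whether any were used after termination.
All records below are constructed sample data; role names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    termination_date: Optional[date]   # None = still employed


@dataclass(frozen=True)
class AppAccount:
    employee_id: str                   # "" for service accounts with no owner
    username: str
    enabled: bool
    role: str
    last_login: Optional[date]


@dataclass(frozen=True)
class OrphanedAccess:
    username: str
    role: str
    days_since_termination: int
    used_after_termination: bool
    privileged: bool


# Hypothetical role names for the financial-reporting system (assumption).
PRIVILEGED_ROLES = {"gl_admin", "journal_approver"}

# Constructed sample data: an HR extract and the application's user list.
AS_OF = date(2026, 2, 1)
HR = [
    HrRecord("E001", date(2025, 11, 30)),
    HrRecord("E002", date(2026, 1, 15)),
    HrRecord("E003", None),
    HrRecord("E004", date(2025, 6, 1)),
]
ACCOUNTS = [
    AppAccount("E001", "asmith", True, "gl_admin", date(2025, 12, 3)),
    AppAccount("E002", "bjones", True, "ap_clerk", date(2026, 1, 10)),
    AppAccount("E003", "cdoe", True, "journal_approver", date(2026, 1, 30)),
    AppAccount("E004", "dlee", False, "gl_admin", None),   # correctly disabled
    AppAccount("", "svc_batch", True, "gl_admin", date(2026, 1, 31)),  # unowned service account, out of scope here
]


def find_orphaned_access(hr, accounts, as_of):
    """Return enabled accounts whose owner was terminated on or before as_of."""
    terminated: Dict[str, date] = {
        r.employee_id: r.termination_date
        for r in hr
        if r.termination_date is not None and r.termination_date <= as_of
    }
    found: List[OrphanedAccess] = []
    for acct in accounts:
        term_date = terminated.get(acct.employee_id)
        if term_date is None or not acct.enabled:
            continue  # active employee, unowned account, or already deprovisioned
        found.append(OrphanedAccess(
            username=acct.username,
            role=acct.role,
            days_since_termination=(as_of - term_date).days,
            # A login after the termination date is evidence the gap was
            # exploited, not merely exploitable.
            used_after_termination=(acct.last_login is not None and acct.last_login > term_date),
            privileged=acct.role in PRIVILEGED_ROLES,
        ))
    # Privileged and longest-open first: the order the board should see.
    return sorted(found, key=lambda f: (not f.privileged, -f.days_since_termination))


def summarize(findings):
    """Headline numbers for the report: exposure, not just 'inadequate'."""
    return {
        "orphaned_accounts": len(findings),
        "privileged": sum(1 for f in findings if f.privileged),
        "used_after_termination": sum(1 for f in findings if f.used_after_termination),
        "max_days_open": max((f.days_since_termination for f in findings), default=0),
    }


if __name__ == "__main__":
    results = find_orphaned_access(HR, ACCOUNTS, AS_OF)
    for f in results:
        print(f)
    print(summarize(results))
```

On the sample data this reports two orphaned accounts, one of them a `gl_admin` that was logged into three days after the owner left and has now been open for 63 days. That is the kind of statement (a privileged account, demonstrably used after termination, open for two months) that lets the CEO judge the likelihood of a material misstatement, which the word “inadequate” does not.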

“High” should indicate that the issue should get continuing attention by management and the board until it is corrected. Otherwise there’s an unacceptable risk that they will fall short of achieving enterprise objectives.

This “audit tool” needs significant improvement!


Example of an effective audit opinion

“The system of internal controls at the Shenzhen facility will not be able to support the strategy of the region’s management to move operations from Singapore to Shenzhen this year.”

The report then explained why that was our opinion, describing the many weaknesses in accounting, inventory management, information security, and more. We discussed the need to change the strategy with regional and corporate management, and what the outcomes would likely be if they went ahead.


My recommendations

  1. Check whether your communications are effective for your customers, and change if needed.

  2. Be flexible. It is not true that every report should look the same, with the same sections, etc. Adapt to your customers and what they need.

  3. Communicate in person rather than in writing when that makes good business sense.

  4. Don’t waste your or their time with unnecessary content or verbiage. Why do people need to know what you have put in the Background section? Even the audit scope should be in the report title and opinion; you don’t need a separate section.

  5. Don’t tell them what they don’t need to know.

  6. Tell them whether the systems of internal control provide reasonable assurance that the more significant risks to the enterprise objectives are effectively managed.

  7. Assess individual “findings” as well as the overall condition based on whether risks to enterprise objectives are being effectively … (the article ends here).
