
Reporting Audit Findings: The Cornerstone of Impactful Internal Audit

As Internal Audit consultants, we often find ourselves immersed in the intricacies of processes, risks, and controls. But the true value of our work lies not just in identifying areas for improvement, but in effectively communicating those findings and ensuring they lead to meaningful change. The Global Internal Audit Standards, as set out by the IIA, provide a clear framework for this crucial aspect of our profession. Let's delve into the key features of reporting audit findings as defined by these Standards.


The Standards emphasise a two-pronged approach to reporting: the Final Engagement Communication and the ongoing process of Confirming the Implementation of Recommendations or Action Plans. Both are vital for ensuring that our insights translate into tangible improvements within the organisation.


The Power of the Final Engagement Communication


The culmination of any audit engagement is the final communication. According to the Standards, this document is not just a formality; it's a critical tool for conveying the results of our work to the appropriate stakeholders. The Standards mandate that this communication must include several key elements:

  • Engagement Objectives: Clearly stating what the audit aimed to achieve sets the context for the findings.

  • Scope: Defining the boundaries of the audit ensures that the reader understands what was and was not covered.

  • Recommendations and/or Action Plans (if applicable): This is where we propose concrete steps to address identified weaknesses or enhance existing processes. While the Standards acknowledge that management ultimately owns the implementation, our recommendations provide valuable input based on our expertise.

  • Conclusions: This section summarises the overall outcome of the audit, providing a high-level assessment of the area under review.

  • Details about Non-Conformance: If the audit engagement deviated from the Standards, these deviations must be clearly disclosed, ensuring transparency and maintaining the integrity of our work.


Before this crucial document is issued, the Standards rightly emphasise the importance of review and approval by the Head of Audit (HOA). This ensures quality, consistency, and alignment with the overall audit plan. Furthermore, the HOA is responsible for disseminating the final communication to parties who have the authority and responsibility to act upon the findings. This targeted distribution is essential for ensuring that the results receive the due consideration they deserve.


It's also worth noting that the Standards recognise the need for flexibility. The HOA may provide templates and procedures to guide the reporting process, and multiple versions of the final communication can be issued, tailored to the specific needs and level of detail required by different audiences. This allows us to communicate effectively with everyone from operational management to the board of directors.


Beyond the Report: Confirming Implementation


Our responsibility doesn't end with the issuance of the final report. The Standards explicitly state that internal auditors must "confirm that management has implemented internal auditors' recommendations or management's action plans following an established methodology." This follow-up is crucial for ensuring that the agreed-upon actions are being put into practice and are having the intended impact.

The Standards outline a methodology for this confirmation process, which includes:

  • Inquiring about progress on the implementation: This involves engaging with management to understand the steps they have taken and the progress they have made.

  • Performing follow-up assessments using a risk-based approach: This allows us to focus our efforts on the most significant findings and areas where implementation is critical.

  • Updating the status of management’s actions in a tracking system: Maintaining a clear record of the status of recommendations and action plans provides transparency and accountability.

What happens when progress isn't as expected? The Standards are clear: if management hasn't met the established completion dates, internal auditors must obtain and document an explanation. This explanation, along with the auditor's assessment, should then be discussed with the HOA. The HOA plays a vital role in determining whether the delay or inaction indicates an acceptance of risk that exceeds the organisation's risk tolerance. This escalation mechanism ensures that significant issues are brought to the attention of senior management.


My Experience: Bringing the Standards to Life


In my experience as an Internal Audit consultant, the principles outlined in these Standards are fundamental to delivering value. A well-written and timely audit report, adhering to the elements defined, provides management with a clear understanding of the issues and the necessary steps to address them. However, the follow-up process is equally, if not more, important. It's where we see the impact of our work materialise.


Effective follow-up requires more than just ticking boxes. It involves building a collaborative relationship with management, understanding their challenges, and working together to ensure that the agreed-upon actions are implemented effectively and sustainably. Sometimes, this might involve revisiting the original recommendations if circumstances have changed or if the initial approach isn't yielding the desired results.

Furthermore, the way we communicate our findings significantly impacts their reception. While the Standards emphasise the content, the tone and clarity of the communication are equally important. A constructive and solution-oriented approach, focusing on improvement rather than blame, fosters a more positive and productive dialogue with management.


Key Takeaways

The IIA's Standards provide a robust framework for reporting audit findings. Remember these key takeaways:

  • Final Engagement Communication: Must be comprehensive, including objectives, scope, recommendations, conclusions, and any instances of non-conformance with the Standards.

  • HOA Oversight: The HOA plays a crucial role in reviewing, approving, and disseminating the final communication to ensure it reaches the right stakeholders.

  • Follow-up is Essential: Confirming the implementation of recommendations or action plans is a mandatory part of our role.

  • Established Methodology: A defined methodology, including inquiry, follow-up assessments, and tracking, should be used for the follow-up process.

  • Addressing Delays: Unexplained delays in implementation must be documented and discussed with the HOA, who will assess the potential risk implications.

  • Management Ownership: While we collaborate, it's crucial to remember that management is ultimately responsible for implementing actions to address audit findings.


By adhering to these Standards and leveraging our experience, we as Internal Audit professionals can ensure that our reporting is not just a procedural requirement, but a powerful catalyst for positive change within the organisations we serve. Effective reporting is the cornerstone of impactful internal audit, driving continuous improvement and contributing to the overall success of the business.

 



© 2025 by ASD Consulting
