Writing quality audit reports
Auditors are judged on the reports they write. All too often, however, audit reports focus on minor operational compliance issues that do not necessarily help their executive audience to be effective leaders. To quote internal audit expert Norman Marks: “Today’s audit reports need to boil away the unessential to quickly get to what’s important to stakeholders”.
Internal auditors should communicate audit findings that matter and present results in a clear, concise and actionable manner.
The preparation may be extremely thorough, auditees might have received meaningful insights, the documentation can be very detailed, in the end your audit's success is judged on the quality of the final report. In this blog, Florimond Vermeulen shares a few practical insights that can help you improve the quality of your audit report.
Article by Florimond Vermeulen, project consultant at CFO Services
Make it relevant
Implementing a risk framework improves the accuracy of risk classification. This risk classification indicates whether an identified risk should be communicated to the executive leadership. Communicating immaterial risks to senior management undermines the relevance of the report and might make them question the audit report’s value or even that of the audit as a whole.
Below is an example of a risk matrix illustrating where risks are categorized into low, medium, high and extreme. Risks are classified depending on the impact of the risk and its likelihood to happen. Ideally, the rating is aligned with the Enterprise Risk Management (ERM) framework.
Classifying the audit observations in accordance with the above matrix forces the auditor to evaluate risks on both axes. This risk rating approach is more objective and less likely to be questioned by auditees. Without an operating risk framework there is a tendency to misclassify risks. For example, policy deviations are often classified by auditors as high risks, as the targeted corporate governance is not in compliance. Plotting risks on a risk matrix allows the analyst to distinguish lower or immaterial risk, such as low-impact deviations to internal corporate guidelines, from significant risks which have a direct and fundamental effect on the ability of the enterprise to reach its strategic objectives.
When relevant risks are identified and communicated to executives, sufficient pertinent detail ought to be provided. The reader must be able to gather all facts, process the information easily and be able to take concrete actions. Audit reports are often superficial and lack the supporting detail which allows management to get the full picture. The key is to include the optimal quantity of clear and relevant detail, lending credibility to the audit findings and highlighting their importance. Facts should be presented in a clear and unbiased manner. In addition, the factual information should clearly support the agreed upon action plan to tackle the observed risk as well as the deadline date for their implementation. Linking the detailed findings to the action plan will assure executives that the identified risks will effectively be mitigated.
A high quality audit report should be constructive to provide assurance. Every observation should be accompanied with guidance and advice from the auditor on how to mitigate the identified risks. This will both enhance the relevance of the audit report and demonstrate how the audit function adds value to the organization.
Still, a relevant audit report that provides assurance to the reader might not necessarily be perceived as a high quality audit report. A high quality audit report is a mixture of various elements in which the writing style has a significant impact.
The report should be written in an objective and neutral way, no opinions or personal ideas of the auditor should be included. To be objective it is important not to omit facts. The auditor should present all pertinent facts and let the reader form his own opinion based on this factual information.
The information should be provided in a form that it is easy to receive, absorb and act upon. This can be obtainedby adding a cover note. This cover note allows the reader to visualize in the blink of an eye whether there is any issue of significance to executive management or whether an item requires their attention.
The auditor should be attentive to both the content of the audit report and to the style in which it is written. A relevant report that provides assurance and is appropriately written for executive management are my three key ingredients to write more qualitative audit reports. What are your most important ingredients?