INTERNAL AUDIT COMMUNICATIONS AND REPORTING (10 - 18%) MODULE 6 INTERNAL AUDIT COMMUNICATIONS AND REPORTING (10 - 18%) Lecturer: Dale Neuls, BA, CGA DN 14/15

questioning and listening comprise audit interview AUDIT INTERVIEWS questioning and listening comprise audit interview strong interpersonal and communication skills testimonial evidence interview questions developed during planning (role play) client answers - concern with bias and/or partial knowledge should be supported by documentary evidence

7 step approach to interviews focus on win/win both auditor and client achieve satisfaction rather than win/lose philosophy where one side gains at expense of other side 7 step approach to interviews planning scheduling opening conducting closing documenting evaluating

four types of audit interviews preliminary interview (planning) evidence gathering (examination) follow-up interview (examination) exit interview (examination) discuss preliminary findings discuss contents of draft and final reports and timing/distribution

inform/persuade/get results INTERNAL AUDIT REPORT final product of audit quality of audit process dependent on quality of audit report developing, obtaining client approval and issuing audit report is most important phase of IA process inform/persuade/get results

objectives of audit reports Document results of audit work (OSFCR) Provide framework for management action (evaluation of current operational practices) Present client views (fair and unbiased - management comments) Provide basis for audit follow-up Express an opinion on adequacy of risk management, control and governance within organization

EA REPORTS vs IA REPORTS both reports result from independent/objective evaluations of actual conditions compared to standards/criteria acceptable to auditor and client both reports contain description of objectives, scope of work and conclusion

both reports for credibility and value depend on absolute factual accuracy prepared without influence or bias EA has standardized report format while IA report format varies depending on type of engagement

REPORT QUESTIONS FOR SENIOR MANAGEMENT Are the audit matters related to risk management, control or governance? What is the overall condition of the area? Should we be worried or reassured? How significant are these matters within the whole organization (integrity and ethical values)?

What is the value of acting/risk of not acting on audit recommendations (management philosophy and operating style)? What is being done to prepare an action plan to address audit recommendations (assignment of authority and responsibility)?

IIA AUDIT REPORTING STANDARDS Communicating Results Internal auditors must communicate engagement results   Standard 2500 Monitoring Progress CAE must establish and maintain system to monitor disposition of results communicated to management 

COMMUNICATING RESULTS STANDARD 2400 signed written report should be issued when audit completed IA should discuss conclusions and recommendations with management before issuing final report (management comments) reports should meet characteristics of good audit report

reports should present objective, scope and results of audit reports should include conclusions and recommendations for improvements and acknowledge satisfactory performance CAE should review/approve final report and decide distribution (client)

management discussion DRAFT AUDIT REPORT audit observations criteria vs condition = finding stress positives recommendations feasibility cost/benefit adequacy of standard as criteria management discussion clarify inaccurate facts, findings and conclusions promote client relations obtain management comments for inclusion in final report

distribution determined by IA/client (planning memo) FINAL AUDIT REPORT dated at final version distribution determined by IA/client (planning memo) head of audited unit heads of other units referenced in report e.g. IT, HR president/CEO audit committee EA (discretionary)

CHARACTERISTICS GOOD AUDIT REPORT Objective unbiased Accurate/Clear factual easily understood Concise executive summary Constructive report focus on systems and practices (help client) tactful tone which emphasizes solutions rather than problems Complete/Timely IA credibility and effectiveness

CONTENTS OF AUDIT REPORT Audit entity Background information Audit objectives (purpose) Audit scope (extent of review) Acknowledgement Executive summary (summary major findings)

Detailed findings and recommendations audit objective audit criteria nature of finding cause/effect conclusion (audit objective) recommendations management comments

MONITORING PROGRESS STANDARD 2500 CAE establish and maintain system to monitor disposition of results communicated to management management assume risk of not taking appropriate action on audit findings (standard 2600) risks should be contained within the risk tolerances established by corporate risk management process

MONITORING PROGRESS 6 step process for follow-up program Determining Scope of Follow-up Assessing Relevance of Previous Observations and Recommendations Determining Status of Corrective Action Taken/Planned by Management Preparing Follow-up Program Carrying Out Follow-up Program Assessing Extent of Corrective Action Taken and Progress Made Reviewing Follow-up Audit Files Reporting Results of Follow-up (OSFCR)