1. Communicating Internal Audit Results
Standards with Practical Cases
Facilitated By: Kokeb Ashame (MSc, CIA)
February 13, 2016

2. Learning Objectives
Familiarize with the Standards of Communicating Audit Results
Understand the purpose of engagement communication
Learn the features of best practice in audit communication
Be aware of the issues and risks in report writing
Familiarize with effective strategy in developing audit reports
Familiarize with the ideal structures of Internal Audit Report

3. Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

4. 2400 – Communicating Results
I. INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING(STANDARDS)
2400 – Communicating Results
Internal auditors must communicate the results of engagement
2410 – Criteria for Communicating
Communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans

5. Standards
2410.A1 - Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

6. Standards (Cntd) 2420 – Quality of Communications
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Accurate communications are free from errors and distortions and are faithful to the underlying facts.
Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.

7. Standards (Cntd)
Clear communications are easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
Concise communications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.

8. Standards (Cntd)
Constructive communications are helpful to the engagement client and the organization and lead to improvements where needed.
Complete communications lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
Timely communications are opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

9. Standards (Cntd) 2421 – Errors and Omissions
If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.

10. Standards (Cntd)
2430 – Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”
Internal auditors may report that their engagements are “conducted in conformance with the International Standards for the Professional Practice of Internal Auditing”, only if the results of the quality assurance and improvement program support the statement.

11. Standards (Cntd) 2431 – Engagement Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the:
Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement and the communicated engagement results.

12. Standards (Cntd) 2440 – Disseminating Results
The chief audit executive must communicate results to the appropriate parties.
The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.

13. Standards (Cntd) The communication will identify:
The scope, including the time period to which the opinion pertains;
Scope limitations;
Consideration of all related projects including the reliance on other assurance providers;
The risk or control framework or other criteria used as a basis for the overall opinion; and
The overall opinion, judgment, or conclusion reached.
The reasons for an unfavorable overall opinion must be stated.

14. Standards (Cntd) 2600 – Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

15. Standards (Cntd)
The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

16. II. What it is and what it does ?
Reports are Internal Auditor’s opportunity to get management’s complete attention.
A perfect occasion to show how Auditors can help Mgt by informing important events they would otherwise not know about.
However, most of the time auditors do not take this golden opportunity. Rather they feel satisfied just for finishing the report writing.
Unfortunately, auditors do not sell their Audit reports as a vendor sells his goods.

17. What it is and what it does ? (Cont’d)
Alert management to matters needing correction or improvement by:
Communicating – create awareness
Explaining – obtain acceptance
Persuading – implementation
If the report fails to deliver this purposes, whatever skillful, constructive and value adding our report is, fails to get the attention and buy-in of the management. Hence, can not be implemented.

18. What it is and what it does ? (Cont’d)
Whom it serves?
The auditors themselves
Operating management / higher management / board
External Auditors
Government regulators and courts.

19. What it is and what it does ? (Cont’d)
For the Internal Auditors
Facilitates audit follow-up.
Evidence for auditor performance evaluation.
Means to teach and train audit staff.
Summarizes results of the audit work.

20. What it is and what it does ? (Cont’d)
For the Operating/ Higher Management & Board
Facilitates corrective action / improvement.
Means to gain support of higher management for issues that require their attention.
Serves as window in to operation for busy managers.
Means to evaluate operating performance.
Source of objective information about controls and operations.
Promotes disciplined operations.

21. Report Writing Frictions
Which one do we auditors really like?
Auditing or Reporting?
Most of the time brilliant analysis and findings seem to be forgotten during the trauma of report writing. The reasons are:

22. Report Writing Frictions (Cont’d)
Supervisory rewriting - leaves the auditor unpleased. How does it feel ?
Reporting under pressure – the pressure to rush the draft is constant source of irritation. Auditors give more emphasis to answer previous criticism. Hence, auditors always write reports with the anticipation of their supervisor’s correction. And even sometimes issues are left unreported.

23. Report Writing Frictions (Cont’d)
Too much time spent on reports: CAE’s usually set a high standard of reporting and review procedures which take considerable time
Poor Drafts – Auditors most of the time are concerned with auditing than writing.
Poor writing skills – many Auditors are not skillful writers.
Disagreement between Auditors and Supervisors – the disagreement ranges from grammar and spelling to logic, interpretation of observed conditions and rework.

24. Report Writing Frictions (Cont’d
Writing report far from the site of the audit- Many reports are written in the office. As a result, some important information might be missing or issue is totally disregarded. Besides, time tends to dull memories of the Auditor.
Lack of Auditee Interest – When reports are difficult to understand, worst of all, where clients have no obligation to respond to them, hard working Auditors find noting but frustration.

25. Report Writing Frictions (Cont’d)
As a result, most of the time auditors do not enjoy Report Writing Audit clients do not enjoy our reports either

26. Report evaluation
Do your reports clearly explain the areas and risks that each individual review has covered?
Do your reports include a clear executive summary including scope of work, risks covered and key issues arising?
Are your reports on average five pages or less?
Are your reports finalized within two weeks of completion of the fieldwork?
Do your reports contain a clear action plan including action, planned date of completion and who is responsible for implementing the action?

27. Report evaluation-Cont’d
Do your reports focus on the future rather than the past?
Do your reports contain only the ‘vital few’ recommendations with the minor issues being dealt with elsewhere?
Do you adopt a consistent report format across the whole department?
Is the report balanced and does commend significant accomplishments?

28. Report evaluation-Cont’d
Do management really buy-in to the actions contained in the audit report?
Are at least 90% of the agreed actions actually implemented by management by the agreed deadline?
‘Any No answer is not acceptable for the above questions’

29. III. What is the remedy?
Unfortunately there are no easy solutions. Courses in report writing concentrate in word choice, sentence length, paragraph structure etc. they do not teach us judgment, empathy, analytical ability .
So Where is the problem?
The source of audit report problems can often be found in the audit process itself. The process can be improved by taking the following steps.

30. What is the remedy? -Cont’d
Develop a report style manual for the audit activity. This avoids disagreements regarding grammar, spelling capitalization, and the like
For larger internal audit activities an editor to review reports before submitting to the Supervisor should be considered.

31. What is the remedy? (cont’d)
Conduct training in attributes of good report writing and processing of audit reports. Including the standards for reporting, if possible, by auditors themselves.

32. What is the remedy? (cont’d)
The use of formats to ensure the presence of all elements of a finding (Condition, Criteria, Cause, Impact and Recommendation).
This format should be completed in the field and makes report writing a process than a task.
Use of finding write-up sheet. Many auditors wait until after field work to write the findings due to time constraint. This is a big mistake. Proper development of findings starts in the field.

33. Practical Cases
Case- The following sample finding is taken from an internal audit report on a given unit of an organization
Condition – The following long outstanding receivables are observed in the unit
1. ETB25,000.00
2. ETB125,360.00
Criteria-The operation manual of the unit
Impact- Violation of Internal Control
Recommendation- As per the operation manual of the unit the o/s receivables shall be collected
Audittee’s response- Follow-up of the case is ongoing
Auditee’s action plan- The o/s receivables will be settled in a week

34. Practical Cases (Cont’d) Case- 1
Major shortcomings of the above finding report
Condition:- The word outstanding shall be specific. At least how long was it o/s?
Criteria:- The Criteria element shall also be specific. It shall provide the requirement of the operation manual on that specific finding or the Auditor’s expectation.

35. Practical Cases (Cont’d) Case- 1
3. Cause:-The standard requires all elements of findings however, the findings reported above is missing the element of Cause.
The internal audit recommendations basically depend on the Cause element of audit finding.
Therefore, the auditor shall carefully analyze the cause element of a finding and shall state it on the findings write-up sheet.
The cause element of a finding requires the auditor’s careful judgment

36. Practical Cases (Cont’d) Case- 1
4. Impact:- The Impact element shall also state the effect of a finding if not rectified as per the recommendation 5. Recommendation:- This element shall provide an auditor’s opinion to be implemented by the auditee. The auditor’s opinion given here depends on the cause element.

37. Practical Cases (Cont’d) Case- 1
6. Auditee’s response:- This part shall clearly indicate the Auditee’s acceptance or non- acceptance of the finding. If it is accepted by the auditee, justifiable reason for non- performance shall be given and the corresponding action plan shall also be provided. If not accepted :- here also justifiable reason with supporting document/evidence shall be provided for the higher management consumption.
7. The auditee’s action plan shall state the completion time frame as well as the responsible body for all accepted findings and shall be reported as annex to internal audit report instead of as element of findings.

38. Practical Cases (Cont’d) Case- 1
The standard requires all elements of findings. Accordingly, my suggestion would be:-
Condition – The following outstanding receivables are kept in the books of the unit for more than a year
Date Amount Description
Criteria- The operation manual of the unit requires to collect such type of receivables in a maximum period of one year otherwise shall be forwarded to the write-off committee

39. Practical Cases (Cont’d) Case- 1
Cause:- Oversight/ workload/ lack of professional staff/ unawareness of the criteria/instructed by supervisors, etc…. as the case may be
Impact- The organization may incur loss if proper follow-up not conducted and collected on time/The possibility of collecting these long outstanding receivables is very low, therefore the b/s of the unit is showing inflated amount of assets.

40. Practical Cases (Cont’d) Case- 1
Recommendation- As per the operation manual of the unit o/s receivables shall timely be collected by the unit or shall be written-off. Therefore, timely follow-up shall be conducted by supervisors/ adequate number of manpower shall be assigned to the job/qualified staff shall be assigned to the job/procedures shall be made known to performers of the job/ supervisors shall comply with the units procedures, etc….. As the case maybe

41. Practical Cases (Cont’d) Case- 1
Audittee’s response- Accepted/Agreed- Even though several reminders were sent to the client , the receivables are still outstanding and it seems un- collectible. Therefore, the o/s receivables will be forwarded to the write-off committee and will be taken action accordingly. The unit will assign professional staff to the job. The action plan is attached.
Auditee’s action plan- Shall be attached as Annex to the report.

42. IV. Important issues to be considered in good report writing
1. Discussion with auditee
2. Factual Reports
3. Precision
4. Clarity
5. Proper Background, scope and objective.
6. Conciseness

43. Important issues ….Cont’d
7. Constructive tone
8. Perspective
9. Audit Conclusion / Opinion
10. Audit recommendation
11. Auditee Accomplishment
12. Interim reports / Preliminary report
13. Summary reports

44. Important issues …. Cont’d
14. Auditee Position
15. Timeliness
16. Report Distribution
17. Legal considerations
18. Proper editorials
19 Restricted Information

45. 1. Discussion with Auditee
Confirm facts as you go through / communicate.
It is also important to discuss cause, effect and recommendation before the report is released. Since clients know better about the operation than the auditors.
Differences with client other than the fact could be stated in the final engagement communication.
Early rectification is facilitated.
Avoids surprises.
Improved comm. b/n auditor & Auditee improves report quality.

46. 2. Factual Reports Audit reports must always be completely factual.
Report items should be based on a well documented facts and inescapable logic.
Everything should be what we have observed or validated to be factual. Otherwise source should be disclosed.

47. 3. Precision
Reports seek to communicate. If it fails to so, it is worthless.
Use precise words. Imprecise words leave a reader confused (e.g.. Words like sometimes, many, a few, several etc..).
Imprecise reports hardly get comprehended and hence, not implemented.

48. 4. Clarity
Transferring to the mind of the readers what was in the mind of the auditor.
It is a precondition to be persuasive.
Avoid jargons, use simple words.
Have a clear understanding of the issue before writing it. Mental creation precedes physical creation.
Good writing comes from good thinking & good thinking requires including all elements of a finding.
Use active sentences than passive sentences.
Properly structuring of reports and coherence of the flow from beginning to end. Avoid report drift.

49. 4. Clarity –Cont’d
The main rule in writing is to know the reader & their needs.
Avoid emotions and feelings.
Do not obscure the major finding amidst trivial issues.
Use powerful descriptions, e.g., instead of reporting “Goods Receiving Notes are not reconciled with invoices,” use “there is no assurance that the company receives what it is paying for.”
Use charts, graphs, tabulations and pictures, if found necessary.
For emphasis, use bullets, boldface, italics, etc.
Use titles / headings that easily lead the reader to the subject matter.

50. 5. Proper Background, scope and objective.
Sets the stage for the reporting
Makes the reader more receptive and understanding
How audit was initiated
What it strives to achieve
Coverage / non-coverage

51. 6. Conciseness Means cutting out what is unworthy.
Cutting out what is irrelevant & immaterial.
Brevity that does not inform, however, is not a virtue.
The report should have integrated flow of ideas.
As much as possible avoid long sentences.

52. What is the ideal size of an audit report?
In as much as possible the main audit report should not be more than five pages.

53. 7. Constructive tone Do not emphasize the mistake of individuals.
Proper criticism may be necessary but emphasize on needed improvements.
Audit reports with a constructive tone are more likely to get the buy-in of clients.

54. 8. Perspective It relates to objectivity
Requires refraining from puffing up that which is not material or relevant

55. 9. Audit Conclusion / Opinion
Auditor’s overall opinion in relation to the audit objective is very important. (e.g. there is adequate control over…., such and such task is being performed efficiently and effectively, or vise versa)
Auditor’s opinion is a must in many progressive audit shops.
The main thing is keeping the main thing the main thing.
If the Auditee deserves to be complemented for its exceptional accomplishment, the auditor should do so. This results in a significant reward.

56. 10. Audit recommendation
Auditor’s recommendation should only be considered as options to operating management.
Should not come out as a surprise at last. Should be well discussed with in due course of the audit.
Always operating staff /mgt. are more knowledgeable about operations than the auditor.
Let’s not take the credit for the recommendation.
Have regard for the cost of implementing a recommendation except for compliance and regulatory issues.

57. 11. Auditee Accomplishment
Most audit reports are negative in tone.
Objectivity will be in question if everything in the report is negative (unbalanced).
If reports are not balanced, auditee’s perception towards the audit report will also be negative and defensive.
We should admit that complementing exceptional accomplishment, if any, is value adding.

58. 12. Interim Reports / Preliminary Report
Useful when early information to management and timely corrective action is necessary.
Should not be considered as a substitute for a final report.
If the issue raised is adequately addressed, it may be excluded from the final report or may be disclosed accordingly.

59. 13. Summary Reports
The objective of Internal Auditing is to get sr. Mgt. Interested and read the audit report and take corrective action.
However, executives do not have time to go through the detailed audit reports.
Hence, auditor’s significant findings could be summarized in one page or a maximum of two.
Internal Auditors should be careful enough to put themselves in the shoe of busy managers and raise issues which are of concern to management.

60. 13. Summary Reports- Cont’d
The major content of summary report should be
What was audited
Conclusion
Capsule statement of truly significant findings
Action taken by operating management.
Overall evaluation statement. (Refer sample)

61. 14. Auditee Position
As the standard dictates, no disagreement should arise between auditor and auditee regarding facts. (Condition and Criteria).
However, disagreement in relation to Conclusion and Interpretation, auditee’s view should be given adequate coverage in the report. This will help management take a balanced and informed decision.
Once agreement is reached, auditee’s action plan could even be attached as an appendix.

62. 15. Timeliness Reports are useless if they are not timely.
If not timely, minimizes the impact of the reported finding.
There should be balance between thoughtfulness and promptness. One way to address this is by issuing preliminary reports.

63. 16. Report Distribution
To operating management taking corrective action.
Sr. management who can enforce corrective action.
In case there is important information to be disclosed or error is found out, the CAE should ensure that a new report is issued clearly highlighting the amendments.

64. 17. Legal considerations
For matters involving legal issues auditors should always seek for a legal advice.

65. 18. Proper editorials Review each report at least 3 times.
Get clear understanding of what is being said.
Ensure each sentence is needed and says what it intends to say.
Judge the style, syntax, and capitalization.
Avoid shaky grammar and faulty punctuation (use grammar and spellchecker).

66. 18. Proper editorials – Cont’d
Poorly proofread reports can cruelly blemish and downgrade a well written, soundly documented audit reports.
Simple mistake diverts attention and the reader starts to think about the writer than what is written.
Compare the final with the draft report preferably by another auditor
Check references (references, indexes, figures, etc) might have been wrongly changed in due course of review.

67. 19 Restricted Information
Certain information may be appropriate to be issued separately to a concerned party only in a confidential communication. This facilitates smooth rectification and course of action to be taken.

68. V. Effective strategies for report writing
Full wording of acronyms when first used.
Recommendations should be precise and resolve the problems.
Recommendations should cure the cause not the symptom.
Recommend to those who have the authority to implement them.
Include client responses in the report.

69. Effective strategies –cont’d
Make report outline before starting to write
Keep your writing short.
Group similar findings together.
Place the most important findings at the beginning of the report.
Use an executive summary of the findings and recommendations.

70. Effective strategies –cont’d
Good audit report is like a bridge between the auditor and audit client. Any gap / defect in the report will not let your findings to cross over to the audit clients for their implementation & hence, no value.

71. VI. Internal Audit Report
Main Parts of the Ideal Internal Audit Report are:-
A. Executive Summary
B. Complete Audit Report

72. A. Executive Summary
Provides a high level overview of the audit and provides a summary of the audit activity
Included are the Introduction, the Objective and Scope, Observations and Recommendations, Summary, and Conclusion
The Executive Summary is submitted to the Audit Committee and the Senior Management.
The entire report (which includes the executive summary) is provided to the individual auditees.

73. Executive Summary (Cont’d)
Introduction
The Introduction of the Executive Summary will provide
a brief description of how the audit relates to the annual audit plan
inherent risks identified
other pertinent information to ensure the purpose of the audit
any other background information

74. Executive Summary (Cont’d)
Objective and Scope of the Audit
The objective of the audit for the Executive Summary will provide an overview with respect to why the audit was conducted
The scope involves what information was examined for the audit

75. Executive Summary (Cont’d)
Observations and Recommendations
This section provides an explanation as to how the audit report is to assist rather than find fault with areas reviewed

76. Executive Summary (Cont’d)
This section provides a summary of the observations and recommendations made
The goal of this section is to provide an overview of the audit work
If specifics are required then the full audit report can be referenced

77. Executive Summary (Cont’d)
Conclusion
This section provides the conclusion reached by the auditors
A opinion will be expressed with respect to the observations.

78. B. The Complete Internal Audit Report
Background
Inherent Risks
Objective of Audit
Nature and Scope of the Audit
Methodology
Attributes Tested
Conclusion
Appendixes

79. The Complete Internal Audit Report (Cont’d)
Background
A very brief explanation as to the rationale for the audit is provided in this section
Inherent Risks
This section addresses the inherent risks involved in the area being audited
Objective of Audit
The objective of the audit should answer the question “Why was this department/area audited?

80. The Complete Internal Audit Report (Cont’d)
Nature and Scope of the Audit
This section should answer the question “What was audited?
Methodology
This section describes the audit program that was developed to conduct the fieldwork

81. The Complete Internal Audit Report (Cont’d)
Attributes Tested
This section of the audit report will discuss the individual issues or areas that we decided to test.
A particular issue is analyzed and captured the information in a set format which includes observations and recommendations as required

82. The Complete Internal Audit Report (Cont’d)
Name of the Attribute Tested
For each attribute tested an analysis that covers the objective, criteria, risks, observations, conclusion, causes, recommendations, and management’s response shall be provided
Objective
Criteria
Risks
Observations
Conclusion
Causes
Recommendations
Management response

83. The Complete Internal Audit Report (Cont’d)
Conclusion
The final section of the audit report is the conclusion where the audit opinion is expressed.

84. The Complete Internal Audit Report (Cont’d)
Appendixes
Planned Management Actions
This section is a compilation of all the recommendations made in the audit report, and includes all of the management responses, who the responsible person is for implementing each recommendation and the time frame

85. The End!
Thank you very much!

86. Sources of the Materials Used/References
IPPF-IIA
Sawyer’s - The Practice of Modern Internal Auditing by L. Sawyer
Internal Auditing: Assurance and Consulting Services By F. Kurt (IIA Research Foundation)
Others