What would you do as Chief Audit Executive (CAE) if you were forbidden from writing a formal audit report?
Let’s think about this challenge, as it may help us pinpoint the value of these documents.
Speaking Up When Potential Issues Are Identified
Consider our customers in management first. What do they need to know and how can we best communicate (as the IIA Standards dictate) the results of our engagements?
The first opportunity comes during the audit when potential issues are identified. The auditor should discuss them promptly with operating and other management as appropriate. This enables the auditor to:
- Share the results of testing of controls.
- Discuss what they mean, such as whether any controls are not functioning consistently as designed.
- Obtain agreement on those facts, or hear why management believes the auditor to be mistaken and perform any additional work that may be appropriate.
- Discuss with management whether there is a risk to the business and the achievement of objectives, including which objectives may be impacted.
- Agree on the severity of the risk and whether corrective actions are required.
- Discuss the options for addressing the issue(s) and which corrective actions, if any, are justified.
- Get to where management owns the issue and commits to taking the actions.
- Agree that management will, by the closing meeting, confirm what will be done, by whom, and when.
It is easy to downplay the importance of these conversations. But there is an immense opportunity to work with management by promoting prompt corrective actions and adding value. We have to be careful not to dictate to them, but to approach these discussions with a spirit of collaborative partnership. Listen twice as much as you talk.
When a Memo Is Needed
The closing meeting is an opportunity to confirm the prior communications and management’s corrective actions.
This is where more senior management is likely to be involved, and they should hear from line management just as much as they do from the audit team.
By the end of the meeting, everyone should agree on the facts, assessments and corrective actions to be taken.
In some cases, senior management may want time to consider the situation and let the auditors know later what actions will be taken. The auditor should not wait for the audit report to be issued, even in draft form, before meeting again with that senior management to finalize everything.
A memo that summarizes the results and agreed actions from the closing meeting should be prepared (I did this as CAE).
A Meeting Goes Beyond an Audit Report
At this point, only senior and executive management remain of those we normally reach with an audit report. Usually, we can rely on operating management to communicate with their managers, but the auditors cannot rely on this alone.
If the audit is essentially clean, with no serious issues, nothing has been lost. The CAE can wait until the next time he or his team meet with those executives to ask if they have any questions about the audit.
If there are more serious issues that merit the attention (i.e., action) of senior or executive management, the audit team should meet with them. In some cases, a phone call may be sufficient. Otherwise, an in-person or virtual meeting is needed.
There are several advantages to a meeting rather than relying on a formal audit report. In a meeting, the executive has an opportunity not only to discuss the issues raised by the report, but also to obtain the professional insights and advice of the auditor. The auditor similarly has an opportunity to understand the business consequences of any identified issues, as well as build on their relationship with management.
A Brief Gets to the Heart of the Matter
So far, I am not sure the absence of an audit report has hurt us.
What about the audit committee members?
For a start, many CAEs do not send the audit committee copies of every audit report. I did, but I can see that being a problem if the audit team is large and issues hundreds of reports every year. My team issued up to 120 in a year, but we structured the report format so that each could be consumed rapidly. I have discussed the format elsewhere in blog posts and in my books.
The audit committee needs to know:
- Is there a problem that merits board attention because of the level of risk to achieving our objectives?
- Is management addressing it satisfactorily?
- Is there something we need to do ourselves?
If an audit surfaces issues that merit board attention, my preference is to talk to the chair of the committee. We discuss the situation and agree on how best to inform the rest of the committee.
The chairman may request a written briefing document that can be shared and then discussed. That briefing document should be prepared in collaboration with management and focus only on the serious issues that merit board attention.
In other words, the brief is likely to look different from the traditional audit report.
But those situations are, hopefully, rare.
The audit committee can be informed as part of the CAE’s regular update at the next quarterly meeting of the committee.
Rather than including the traditional audit report in the board package, the CAE will have a concise summary of the audits performed that will be used as a basis for discussing them.
What Do We Lose if We Lose the Audit Report? What Do We Gain?
We have managed to navigate the communication requirement (with one potential exception, which I will come to in a moment) without a formal and traditional audit report.
Have we lost anything? Have we in fact gained because of the additional emphasis on personal interactions and open, collaborative discussions with management?
The one exception is where regulators are involved who insist on formal audit reports. In this case, I would meet with them and discuss what they need to know and how best to provide it to them. I expect I can find something different and less time-consuming than the traditional audit report. It may be a simple list of audits performed, issues identified, their significance, and the corrective actions taken.
Eliminating audit reports is probably at least one step too far for most. However, I suggest that thinking about the value they provide and whether there is a better way to deliver it will stimulate changes in your practice.
What do you think of all of this?