Post on 17-May-2018
Effective internal audit reporting
September 2015
RUTH IRELAND, PARTNER AND NATIONAL HEAD, RISK AND ADVISORY SERVICES
Agenda
• How good are we as a profession at reporting?
• What is encompassed in ‘reporting’? – the reporting cycle
• Constructing an effective internal audit report
• Meeting the needs of management and the Audit Committee
• Adding value
• Internal audit performance reporting
• Closing comments
How good are we as a profession at reporting?
My assessment - “Could do better”
• Too focused on the formal audit report – not enough consideration to other
elements of the reporting process
• Reports are often long and detailed – and don’t always cater for different
audiences
• Hide behind rating systems
• Not always getting to the root cause, therefore recommendations lack impact
• Insufficient focus on adding value
• Focus on the formal written report and give insufficient thought to how our
work is presented
• Need to be better at measuring and reporting on internal audit performance
How good as a profession are we at reporting?
Internal audit reporting is about more than the report itself
• It confirms credibility and trust in the audit function/service or conversely can
undermine trust and credibility
• It is an extension of your brand
• Good reporting can reinforce internal audit’s position and importance
What is encompassed in ‘reporting’? – the
reporting cycle
• What are the various opportunities to report on internal audit activity?
• Map the deliverables to the various recipients and consider how they should be
communicated
• Need to plan both the production of the document and how it will be presented
Each is an opportunity to promote the work of internal audit
Deliverables to map against recipients (Audit Committee, CEO/CFO, Audit Sponsors, Relevant Staff):
• Annual Internal Audit Plan
• Individual internal audit planning documents
• Wash up/closing meeting points for discussion
• Draft Internal Audit Reports
• Final Internal Audit Reports
• Progress Reports / KPI performance
• Annual Internal Audit Report
What is encompassed in ‘reporting’? – the
reporting cycle
Wash up /closing meetings (building on regular communication
throughout the audit)
• Ensures early identification of auditor misunderstandings of facts.
• Early identification of differences (auditor v management) that are
judgement based.
• Management will have had more time to consider issues, discuss with
colleagues, and come up with their own ideas for solutions.
• The relationship may have been developed to a better level by the time
the formal reporting phase starts.
What is encompassed in ‘reporting’? – the
reporting cycle
Include:
• Formal agenda with key points documented for discussion
• Reminder of the context of the audit for those not fully involved, and
of the approach to undertaking the work
• Good practice identified as well as areas for development
• Full exploration of the issues that will be fed into the formal report
• Confirmation of timelines for a formal report to be issued.
Constructing an effective internal audit report
• Reports have a purpose – what is the key message you are trying to convey?
• What do you want people to do in response?
• Too long / too short?
“Cut the length of audit reports wherever possible” Chair of Audit Committee - Aberdeen Asset Management
But this is our big moment!
Constructing an effective internal audit report
Question
Could the future be a one page audit report?
Constructing an effective internal audit report
Signpost the overall opinion (if used) early on
Use an Executive Summary!
This might include:
• A reminder of the work undertaken
• Context – include facts and figures and some history, if relevant
• Acknowledgement of good practice
• Summary of key findings, pulled together into themes
• Overall conclusions.
Avoid repeating the individual findings from the audit.
Constructing an effective internal audit report
Writing style
• Keep it short and punchy
• Use clear messaging
• Simplify your language
• Avoid jargon and unexplained acronyms
• Less is more when it comes to the number of words!
Constructing an effective internal audit report
Some thoughts on the detail
Presenting findings:
Description – what is the issue? This should be factual and free of interpretation.
• Example:
We reviewed twenty-five payments and found ten of the payments were not
approved in accordance with the organisation’s policy.
Cause – what is the root cause of the problem – the why question
• Example:
This has been caused by a lack of training for new accounts payable personnel.
The cause should be discussed with the client prior to writing the report.
Constructing an effective internal audit report
Impact
What is the impact on the organisation? You may consider:
• What is the risk?
• Why should management be concerned?
• Does this issue have the potential to impact the organisation’s strategic
objectives?
• Could this lead to a material misstatement in the organisation’s financial
statements?
• Could this lead to a loss of reputation?
Constructing an effective internal audit report
Prioritising findings
Findings should be rated and prioritised in order of importance
• To assist the reader to understand the relative importance of the issues
• To also allow management and the Audit Committee to compare the criticality
of issues across internal audit reports.
Meeting the needs of management and the Audit Committee
Tailoring reports to the audience
Have you asked the Audit Committee and management what they want?
Audit Committee:
• Need to know the headlines in terms of how risks are being managed. May need educating on the implications, should the risk materialise.
• Should be able to understand the issues from reading a few pages of the report.
• Shouldn’t be pulled into the detail of individual findings.
Management:
• Will be interested in core themes and should understand the consequences, should risks not be mitigated. Will also need to know who, what, when and why.
• Should be able to understand the issues from reading a few pages of the report.
• Need the detail.
Meeting the needs of management and the Audit Committee
Question
• Do you use the same audit report format for Audit Committee and
management?
• What are the benefits/drawbacks of using one report for different audiences?
Audit Committee reporting
What reporting might the Audit Committee typically expect?
• Summary of individual audit reports
• Management action in implementing recommendations
• Internal audit performance – KPIs (qualitative and quantitative)
• Audit coverage and progress:
  - Audits completed against the Annual Audit Plan
  - Actual days input compared with Annual Audit Plan
• Audit planning and reporting
• Good practice ideas and benchmarking information
Audit Committee reporting
Not just the report itself but how we present it:
• Should be able to assume the report has been read
• In presenting individual assignment outcomes, tell a story to the committee:
  - The context of the audit and why it was done
  - Any relevant history of the area under review
  - What internal audit did to come to its opinion
  - The main themes and risks emerging and management’s response.
(And ensure the individual presenting has good presentation skills)
Adding value – considerations
• Internal Audit’s roles vary, starting with planning our work and flowing through into reporting:
  - Assurance provider
  - Consultant
  - Critical friend.
Are we good at reporting on all these elements of our role?
Adding value - roles of Internal Audit
[Figure: roles of Internal Audit, ranging from VALUE PRESERVATION to VALUE CREATION and from OPERATIONAL (policies, procedures, controls) to STRATEGIC (emerging risks, priorities). Roles shown: COMPLIANCE, ADEQUACY, EFFECTIVENESS, EFFICIENCY, PERFORMANCE. Factors shown: maturity of controls environment and risk management processes; level of experience and skills in the IA function.]
Adding value – foundations
Adding value is underpinned by good foundations:
• A deep knowledge of the organization, including culture, key stakeholders,
context and strategic aims
• Innovative internal audit practices
• Staying abreast of value added practices
Need to communicate our achievements
(not just report on activity)
EXCEED STAKEHOLDER EXPECTATIONS!
Adding value
Myriad ways to enhance audit reports
Consider:
• Benchmarking
• Use of surveys
• Comparing policies/procedures with good practice
• Showing the effectiveness of processes graphically
Internal audit performance reporting
Typical KPIs:
• Elapsed time for issue of reports – completion of
audit work to draft report
• Elapsed time for issue of reports – draft to final
report
• Number of unsatisfactory audit opinions (as % of
total)
• Number of audit assignments completed (versus
number planned)
• % of recommendations accepted
• % of actions fully implemented.
[Charts: Summary of conclusions on the design of internal controls (Substantial / Moderate / Limited / No); Summary of number of recommendations raised (High / Medium / Low); Summary of conclusions on operational effectiveness of internal controls (Substantial / Moderate / Limited)]
Internal audit performance reporting
• Qualitative: measured using satisfaction questionnaires and end of assignment reviews, such as:
• Internal Audit understand the business and processes of the company
• Risks identified for the assignment were appropriate for the organisation
and the area under review
• The people carrying out the assignment asked informed, relevant
questions to identify the controls against the risks already identified
within the audit area
• Progress was clearly communicated during the course of the audit and a
debrief meeting was held at the end of the fieldwork
• The findings and recommendations in the draft report agreed with those
discussed during the debrief
• Findings within audit reports are accurate, clear and unambiguous
• Recommendations in the audit report are practical and relevant to the
needs of the area reviewed
• Customer satisfaction survey issued after every audit assignment.
Internal audit performance reporting – examples
[Bar charts, one per question below: number of responses by rating for surveys dated Feb-14, May-14, Jul-14 and Jan-15]
Key
The bar graphs show the responses to each question, with the colour of the bar reflecting the response received and the numbers representing the quantity of responses. The colours shown in the key include "Very satisfied" and "Dissatisfied"; a separate marker denotes where a question has not been answered.
1. Internal audit understand the business and processes of the Organisation
2. Risks identified for each assignment were appropriate for the Organisation and the area under review.
3. The staff undertaking the internal audit assignment asked informed, relevant questions to identify the controls against the risks already identified above within the audit area
4. Progress was clearly communicated during the course of the internal audit and a debrief meeting was held at the end of the fieldwork.
5. The findings and recommendations in the draft audit report agreed with those discussed during the debrief meeting.
6. Findings within internal audit reports are accurate, clear and unambiguous.
7. Recommendations in the internal audit report are practical and relevant to the needs of the area reviewed.
[Pie chart: percentage by category]
• Product Quality: 11%
• Financial Reporting and Disclosure: 4%
• Continuity of Supply: 7%
• Tax and Treasury: 2%
• Environment Health & Safety and Sustainability: 8%
• Protection of Electronic Information and Assets: 11%
• Patient Safety: 17%
• Intellectual Property: 12%
• Research Practices: 16%
• Business Continuity: 4%
• Commercial Practices: 8%
Internal audit performance reporting – examples
Deviations from annual audit plan
• Variations
• Reasons
• Impact risk context
[Example dashboard. Measures shown as Expected vs. Actual: average time to issue reports after field work; actual vs. planned audits; IA budget to actual; training hours per Internal Auditor. Charts: Audits Completed (Complete 58%, WIP 12%, Not started 30%); Audits Overruns (On time / Overrun); Audits Recommendations implemented (Implemented / WIP / Not started); Audit Completed, by Inherent Risk. Table: Audit Group, Headcount, Budget, Actual, with rows for Group, Manufacturing, Environmental Health, Safety & Sustainability, and Research & Development. Totals: Total Number Of Audits; Total Number Of Audits With An “Unsatisfactory” Rating. Table: Audits with an “unsatisfactory” or “critical” rating, listing Title of audit report and Star Rating.]
Closing comments
• Plan as diligently for the reporting as the audit itself
• Always consider the audience and what they need
• Presentation – verbal and written is crucial!
BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a
member of BDO International Limited, a UK company limited by guarantee, and forms part of the
international BDO network of independent member firms. A list of members' names is open to inspection at
our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the
Financial Conduct Authority to conduct investment business.
BDO is the brand name of the BDO network and for each of the BDO Member Firms.
BDO Northern Ireland, a partnership formed in and under the laws of Northern Ireland, is licensed to operate
within the international BDO network of independent member firms.
Copyright ©2015 BDO LLP. All rights reserved.
www.bdo.co.uk