Internal auditing (IA) is an objective assurance and consulting activity designed to add value and improve an organisation’s operations by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
The Institute of Internal Auditors (IIA) (https://www.iia.org.uk) is the recognised international standard setting body for the internal audit profession, including in the UK. The IIA is responsible for the INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (IPPF) (“Standards”).
JCBFL has produced a gap analysis Template which can be used as a tool by an internal audit function, or by the organisation’s Audit Committee, to assess its compliance with the Standards.
With regards to IA reporting, the following Standards are relevant:
- 2400 – Communicating Results. Internal auditors must communicate the results of engagements;
- 2410 – Criteria for Communicating. Communications must include the engagement’s objectives, scope, and results;
- 2410.A1 – Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
Who is your audience?
- if your business has an Internal Audit function, then it will have an Audit Committee (AC), so in all cases the Final Report will go to the Auditee and to the AC;
- in many audits, interfaces are in scope (e.g., IT/IS, Accounting), so the report distribution list becomes wider;
- an audited organisation may form part of a national or international group such that tiered group management may have a stake in the audit, as well as Group Internal Audit;
- certain external parties, such as regulators, may be stakeholders where, for example, they commission a thematic review and are comfortable with having the internal audit function perform the audit.
In meeting the differing requirements of the various stakeholders, a one-size-fits-all Report should reflect many considerations:
Report structure & Executive Summary
Whether or not an IA function uses audit software, reporting should be via a standard template, linked to the original Audit Scope (Terms of Reference) and the completed Risk and Control Matrix (RCM) and Audit Program.
An example document suite for a theoretical internal audit, ‘Board & Committee Governance’, is as follows:
Exception or Full Scope reporting?
The above example adopts a holistic approach to reporting, on the basis that a large array of controls was audited in the theoretical audit, the majority of which were found to be Effective. For ‘Board & Committee Governance’, there were four sub-topics, and three of the four are rated Effective because there were no exception findings against them.
However, many organisations adopt an ‘exceptions reporting’ approach to IA reports in that the Executive Summary is limited to reporting on exceptions; controls deemed to be Effective for control design and performance are omitted from the IA report.
There is obviously no ‘right way’, although a more complete audit report has undoubted positives: Effective opinions for sub-topics are validated, and the more intangible benefits of positive reporting, on morale and on professional relations between IA and the first and second lines, are realised.
An IA function’s Audit (and Rating) Methodology will include the definition of Ratings for individual audit findings and some will accommodate an overall Rating plus a sub-topic Rating guide. The theoretical ‘Board & Committee Governance’ IA assumes an Overall Rating, a Sub-Topic Rating and an Individual Finding Rating, all depicted by a colour and summarised in a table in the Executive Summary. Definitions are provided in the back pages of the report.
Again, there is no ‘right way’, and an element of auditor judgment will always be required. It is, however, good practice to ensure that IA ratings reflect the risk associated with the control that has been audited (Impact and Probability), so that there is some linkage to the organisation’s Risk Management Framework. JCBFL has produced a Template which does just this: you can find it here.