Chief audit executives may be comfortable that their approach to audit committee reporting has followed the same unwavering path for the past decade. But are they shortchanging themselves by not communicating results as clearly and engagingly as possible?
TYPICAL QUARTERLY CONTENT
A dashboard report on current activities needs to tell the committee what internal audit (IA) is doing and why, changes to the annual plan (if any), the current status of the audit plan, and critical findings or emerging trends.
Other content typically includes staffing, resource limitations and costs-versus-budget year to date, results of special investigations, department performance metrics and scorecards, and any impairments on independence or objectivity.
Moreover, boards are also tasking IA to evaluate information and bring to their attention what they should be reviewing versus providing everything in a package for the board to sift through.
TYPICAL ANNUAL CONTENT
The checklist is familiar: report on the year in review, including identified themes; update the risk assessment and audit plan; report on results of the internal quality assurance and improvement program (remember: the quality program is supposed to be periodic, ongoing and external – not just every five years); discuss the results of the external QA review; review and approve updates to the IA department charter; confirm the independence of the IA audit activity; and disclose any nonconformance with IIA Standards. Offering an overall opinion on the company’s control environment is not an IIA requirement, but there are standards on how to proceed if you do.
The dashboard also includes a summary of completed activities during the latest quarter and what’s next on the agenda. An Audit Finding Remediation Status section briefly covers follow-up on all identified issues. Another dashboard example includes direct support to the control environment.
THE AUDIT CALENDAR
One highly informative way to present the IA calendar and plan to the audit committee is dividing it into assurance projects (business process audit and information technology audit) and consulting projects. It includes a risk-level legend, a handy way to ground the reader into where the audit fell in the risk map from the overall risk assessment process. Another calendar takes a more holistic view of the audit and breaks it down activity by period, showing starting and completion points.
Meanwhile, a third example revolves around a quarterly update. It briefs the audit committee on what audits were completed during a quarter and highlights a concept around the watch list, showing what risks are top-of-mind in the organization. Another approach to the calendar takes IA activities and divides internal audit and Sarbanes-Oxley compliance activities by quarter.
What is the best way to apprise the audit committee of the scope of projects recently completed? Recommendations include highlighting evaluated processes and specific procedures that were completed in scope. An important piece to focus on here is the “out-of-scope” area. It helps develop an audit committee perspective by informing what was in scope and what was not accepted.
AUDIT REPORT SUMMARY
More informative than the typical audit report summary provides not only a background of the audit and summary but also captures the observations. If you have a handful of observations and want to roll them up to one of the root causes, this is an excellent way to put everything around the audit on a single slide.
Another concept introduces the “overall rating” of the audit itself. It gives some background information and includes individual ratings by findings. Also, it consists of a “management response” that holistically provides a risk rating on the audit itself.
If you are in a large shop doing a lot of audits each year and start to bucket the audits by type – whether by function, department or division – this is a useful way to represent a scorecard perspective to understand how many audits are being completed by a given area and the overall rating and detail of the individual audit that comprises that rating.
RISK ASSESSMENT PROCESS
Audit’s main goal is to ensure that it has consistently identified and measured risk to demonstrate that everything gets back on track.
SHOWING RISK ASSESSMENT RESULTS
Auditors have many options at their disposal to depict this type of information. IA is familiar with conventional risk maps, which focus on the significance or impact on one axis and the likelihood of occurrence on the other. One company decided to show its entire audit universe with an overlay of the actual risk rating so that a viewer can see more detail. That is a good way of supplementing the risk map, though it might be the combination of these two elements that paints the full picture for the audit committee.
Organizations constantly ask themselves: “How do I know if I have the right-sized department, especially in light of the multiple changes my company has experienced in recent years?” Benchmarking activity, unique from one organization to the next, is the easiest way to determine. What does the company want from IA? What’s in the charter? What’s in the audit committee charter? What are the expectations of management? What role does IA play within the organization? How advanced, developed and functioning are the Level 1 and 2 controls? Do you have robust compliance? All these questions factor into the conversation. Thinking them through to decide if the organization is right-sized is a valuable exercise.
SARBANES-OXLEY PROGRAM OVERVIEW
For companies going through the first year or two of SOX compliance, the most common way to report results to the audit committee is via a calendar of activities and milestones. This shows IA obligations as well as those of management; it also is smart to include an overlay with the audit meeting schedule.
AUDIT ORGANIZATION AND QUALIFICATIONS
There’s a growing trend to include this information in audit committee reporting. Presenters in the webcast concurred that it was a good way to highlight the audit department’s capabilities and celebrate the group’s achievements on a more personal level.
One example identifies key members of the department, including information on their certification and experience. Some companies even dress up the report by adding photos of key executives. Others add total years of experience within the company (though not necessarily in audit) and years of experience outside the company.
A leading practice for a company with a substantial IA staff (i.e., 200 employees) is to show how many resources are budgeted, the number of filled or open positions, rotational positions, and co-sourced jobs. Requirements for certification and training also are outlined in this example.
Part of the measure of an IA department is the qualification level of its personnel. Global companies now tend to highlight certifications and language spoken – skills that will continue to grow in importance as organizations expand into new markets internationally.
REPORTS ON QUALITY
It is important to remember that standards require IA to report on a company’s quality program. One approach is to use an internal audit balanced scorecard that shows the criteria the audit department decided to evaluate (e.g., open positions, professional certifications, minimum CPE credit all auditors should obtain per year, etc.). The scorecard shows the targeted execution and outcome.
An even better example was the same criteria but in a format that tracked the status of external, periodic and ongoing audits in color-coded boxes. Similarly, color coding allowed viewers to better visualize results in IA’s “report on coverage.” Although it seems that no one disputes the importance of lively, efficient audit committee reporting, feedback from board members commonly reflects that such reporting comes across as somewhat stale.
Learn more about this topic by exploring these related resources on KnowledgeLeader: