Internal audit reports are equally reinforced by the important findings and weakened by minor findings.
Weak findings, while perfectly accurate, are unattractive or even mislead the reader. They have a strong negative impact on internal audit report quality and should be eliminated. Indeed, internal audit methods requires that audits reports should rely only on hard facts that that can be proved. However a major subjective factor remains : the auditor choice of which hard facts to present in the audit report ! Somehow the strength of a report depends on its weakest finding.
Including weak finding is unfortunately common in audit reports, for several reasons:
- Too few findings: Auditors job is the ongoing search for facts. They may feel uncomfortable if they have found only a small amount. In this case they will be tempted to write all they found,
- Organization: It can also happen when auditors lack the time to sort the findings. This point is the focus in a following post of this blog.
- Lack of experience: believe, consciously or not, that “it is better to give a little too many informations than not enough”.They may assume that “The management will sort it out. They probably find something there that interests him”. This assumption is critically false and counter-productive. The management has no time to do this. It is the job of auditors to always remove weak findings from the audit report.
The “paper” is often a weak finding.
Stating in an audit report the existence of a particular document is usually not relevant by itself. An entity (a division of the company or a subsidiary), who wants to master a risk must indeed write how it proceeds. Nevertheless this paper is not enough.
During an audit it will be necessary for auditors to examine the real implementations of decisions and documents, the underlying documentation is not sufficient.
For example, the mere fact of writing a business decision on the implementation of an internal control systems is a good start but is not enough to control this risks.
As another example, an audit reports which simply describes the management documentation system does not provide relevant information on control activities: such a report can even wrongly suggest that the situation is under control, without actually checking if this is the case. It is fine to mention documentations as a contextual information, but not as a fact by itself.
Business meetings are often weak findings
Holding meetings or committees to address subjects are also not important facts. Only the results of those meetings are really interesting facts. Like documentation, mentioning meetings can be misleading as it can further suggest that the situation is under control, without actually checking if this is the case.
For example, mentioning in an audit report about a project followed through control meetings every month with detailed documentation on costs time and quality. Meetings are probably necessary but they are not sufficient. The auditors should not confuse the means deployed and the results achieved. Therefore the facts of holding meetings dealing with risk control issues have almost no interest in an audit report.
Procedural gap are often weak findings
Usually the management of an entity does not control large risks through procedures. The failure to comply with a written procedure is certainly a compliance gap. This may reveal a lack of control of activity, however without prejudice to the severity in terms of consequences.
Internal audits are not compliance audits. A procedural gap is probably a finding of a lack of control of a small or medium size risk. Nevertheless, auditors job is to focus only on the significant risks. Before mentioning a procedural gap, it is necessary to understand the impact (see Best practice 1 for auditors : getting clear facts).
– – –
This post is the third best practice proposed for auditors: like the previous posts, it is dedicated to gain in internal audit report clarity. Those 3 first Posts were mainly on the external practices about writing an internal audit report in order to make it clear. Now let’s see the next best practice for auditors: it is very interesting as it gives ways to get audit facts that have a high value for auditees and management.