Recommended
Recommended
More Related Content
Similar to Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Similar to Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013 (20)
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
- 1. IIA LOCAL GOVERNMENT INTERNAL AUDIT CONFERENCE 2013 Delivering Meaningful Audit Reports Scott Webb CPA CMIIA CIA CRMA Associate Director The Internal Audit Bureau of NSW (IAB)
- 2. HOW CAN WE DELIVER MEANING? 1. Recognise the opportunity to communicate 2. Recognise that we are communicating more than just results 3. Recognise to whom it is we are or may be communicating 4. Reduce impediments to clarity ⢠Also, we will discuss what effect does GIPA have on our communications?
- 3. 1. RECOGNISE THE OPPORTUNITY TO COMMUNICATE ⢠Internal Audit reports ⢠Are an opportunity ⢠Look forward and be positive ⢠Carpe Diem
- 4. 2. WE ARE COMMUNICATING MORE THAN JUST RESULTS ⢠Improvement opportunities / value adds ⢠Contract for action ⢠Advertisement ⢠Professionalism ⢠Grasp of the business ⢠Desire to be constructive and positive ⢠Marketing capabilities
- 5. 3. TO WHOM WE ARE COMMUNICATING? ⢠First rule of writing: write to your audience ⢠Identify your readers ⢠Internal and external â Audit Committee â Senior Management / GM â Councillors â Line Management â External Audit â Watchdogs â General Public?
- 6. 3. TO WHOM WE ARE COMMUNICATING? ⢠Analyse your readers ⢠What does each reader want to know? ⢠What is each readerâs level of understanding? ⢠What is each readersâ use of the report?
- 7. 3. TO WHOM WE ARE COMMUNICATING? ⢠Generally two main reader types: ⢠Higher levels: ⢠Want to know overall risk level and commitment to action ⢠May not have detailed knowledge of the business ⢠Will use report to improve governance ⢠Lower levels: ⢠Want to know what is wrong & how to fix it ⢠Will have detailed knowledge ⢠Will use report to change practices
- 8. 4. REDUCE IMPEDIMENTS TO CLARITY 1. Lead the reader 2. Be engaging 3. Be positive 4. Be logical, coherent and clear
- 9. Fully Effective INTERNAL CONTROL EFFECTIVENESS RATING Substantially Effective Partially Effective Largely Ineffective Totally Ineffective 4. REDUCE IMPEDIMENTS TO CLARITY 1. LEAD THE READER ⢠Short, Punchy Executive Summary ⢠Context (origin of audit, objective, scope & limits) ⢠Overall report ratings ASSIGNMENT INTERNAL CONTROL EFFECTIVENESS RATING Substantially Effective
- 10. 4. REDUCE IMPEDIMENTS TO CLARITY 1. LEAD THE READER ⢠Risk rate each finding ⢠Conclude, then explain â use topic sentences: ⢠The tender period was only two weeks, which is considered far too short, may have been unfair to some tenderers and was the subject of some complaint from unsuccessful tenderers. ⢠Employee attitudes towards fraud and corruption have not been formally assessed, which could mean that the organisationâs zero tolerance approach may not be uniformly adopted or understood throughout the agency.
- 11. 4. REDUCE IMPEDIMENTS TO CLARITY 2. BE ENGAGING ⢠Be concise ⢠Summarise and dump ⢠Use the active voice (where appropriate) ⢠Who did something to whom/what? ⢠The cat sat on the mat (active) ⢠Not the mat was sat upon by the cat (passive) ⢠The mat was sat upon (also passive)
- 12. 4. REDUCE IMPEDIMENTS TO CLARITY 3. BE POSITIVE (OR AT LEAST NEUTRAL) ⢠Acknowledge satisfactory performance & consider spelling it out ⢠Use unbiased language ⢠Let the facts speak for themselves ⢠Biased: Highly confidential employee records were carelessly filed in an unsecured cabinet to which any number of unauthorised employees had access. ⢠Unbiased: Confidential employee records were filed in an unsecured cabinet to which unauthorised employees had access. ⢠Send the message you intend
- 13. 4. REDUCE IMPEDIMENTS TO CLARITY 3. BE POSITIVE (OR AT LEAST NEUTRAL) ⢠Use Positive connotations, i.e. sell the benefits â Negative: Unrestricted access to blank cheques exposes the risk of cheque fraud through misuse or theft â Positive: Restricting access to blank cheques reduces opportunities for cheque fraud
- 14. 4. REDUCE IMPEDIMENTS TO CLARITY 4. BE LOGICAL, COHERENT AND CLEAR ⢠Make complete audit observations ⢠IPPF Practice Advisory 2410-1 Criteria for Communication, para 7 ⢠Condition ⢠Cause ⢠Criteria ⢠Effect ⢠Recommendation
- 15. 4. REDUCE IMPEDIMENTS TO CLARITY 4. BE LOGICAL, COHERENT AND CLEAR ⢠Use consistent, clear language
- 16. 4. REDUCE IMPEDIMENTS TO CLARITY 4. BE LOGICAL, COHERENT AND CLEAR ⢠Clearly link the recommendations to the finding: ⢠Cause-focussed ⢠Condition-focussed ⢠Recovery-focussed
- 17. GIPA ⢠Effects of GIPA: ⢠Presumption in favour of transparency ⢠Push for proactivity ⢠Is it really the end of the world? ⢠IIA Guidance http://www.iia.org.au/technicalResources/knowledgeit em.aspx?ID=229?
- 18. GIPA ⢠GIPA is an opportunity to further sharpen your auditing skills ⢠Assume all reports will be made public ⢠Do not sanitise ⢠Focus on adding value ⢠Use unbiased language ⢠Consider proactive release: do a communications plan
- 19. RECAP: HOW CAN WE DELIVER MEANING? 1. Recognise the opportunity to communicate 2. Recognise that we are communicating more than just results 3. Recognise to whom it is we are or may be communicating 4. Make it simple for them to follow our meaning 5. GIPA is an opportunity not a threat
- 20. Scott.Webb@iab.nsw.gov.au Phone: (02) 9261 9100 We believe in public sector excellence
Editor's Notes
- Thanks and itâs good to be here today. Today Iâm going to be looking at delivering meaningful audit reports. In looking at how best we can deliver meaning Iâll be running through the importance of: Recognising that the Internal Audit report is an opportunity to communicate and treating it as such; Recognising that with an Internal Audit report we are communicating a lot about ourselves as well as the results of the audit, so we should be really wanting the report to say nice things about our professionalism; Recognising that there are multiple audiences for the audit report and how we might tailor our communications to suit them; Trying to make our messages clear and simple to improve meaning; and Finally, we will look at what effects the Government Information (Public Access) Act might have on the way we go about reporting. So letâs get underway by first looking at the Internal Audit Report as a quite wonderful opportunity to communicate.
- The first thing we need to do is to recognise that every internal audit report is an opportunity to transact with the organisation. It is an opportunity that we should look forward to and be positive about. This is our chance to make a difference. We should want to seize this opportunity and make the transaction as worthwhile as possible.
- Next we have to recognise that when we are writing an audit report we are communicating so much more than just our audit results. We are demonstrating the value we add to the organisation through the opportunities we find for improvement. The audit report also should include an agreed action plan that documents managementâs commitment to act on these opportunities, which is effectively a contract for action with management. And we certainly canât forget that the report is an advertisement for the Internal Audit function and its professionalism whether you like it or not! It also demonstrates Auditâs ability to understand the complexities of the business, and its desire to be a constructive and positive force. Finally, it markets auditâs capabilities throughout the organisation and potentially beyond it. In fact, an internal audit report says so much about us that we need to make a real commitment to make it as good as it can possibly be.
- So having established that our reports are a great opportunity to communicate and that we are communicating perhaps so much more than we generally care to realise, now we ask the question âjust to whom are we communicating?â One of the first rules of any writing is to consider your audience. In the IIAâs Internal Audit Report Writing course that I present we spend some time identifying and analysing the audience for internal audit reports, and these readers vary from industry to industry and organisation to organisation. These audiences (plural) can be internal or external and include the obvious suspects such as the Audit Committee, Executive Management (including the GM), Councillors, and Line Management but also the external auditors as well as regulators, watchdogs and, for some, the general public.
- Once we have identified all of these readers, the next step is to analyse their needs in order to take these needs into our account in the way we structure and word the internal audit report. The key questions to ask for each reader are: what do they want to know, what is their level of understanding (could be affected by education/experience, e.g. councillors very varied) and what use they will make of the report.
- Reader analysis always pulls out at least two main reader types, however even with these two types you will have to consciously tailor your writing to most effectively communicate with them. There are the higher level readers, such as Audit Committee members, who are after the helicopter view. These readers tend to focus on the overall risk level and how that fits within the organisationâs risk profile and appetite. They also focus on whether management have committed to rectifying any issues. These people may not have detailed knowledge of the business or an interest in that level of detail (although some will inevitably want to drill down into their pet issues in some detail). They generally use the report to improve overall organisational governance. The lower level readers want to know the nuts and bolts of what is wrong and how to fix it. They have detailed knowledge of the subject area and will use the report to drive change at the local level. Generally speaking, the needs of these two groups are served by the Executive Summary (for the higher level group) and the Detailed Findings section of the report (for the lower level group). However, also note that higher level readers will want to drill down into the detail for some issues and that lower level readers will also want to see how the overall results are being reported upwards, so they need to be arranged logically and in such a way that facilitates going from one to the other.
- So, having established that audit communication is an opportunity, that we are communicating much more than just audit results and that we need to understand our readers and adapt our writing to suit, we now head onto our fourth topic: making it simple so that the audience knows exactly what it is we are trying to communicate. We can do this using these four simple strategies: Lead the reader; donât be boring or pompous; donât be alarmist or emotional; and be logical, coherent and clear. Letâs examine these now.
- The first strategy is to lead the reader. Iâm not talking about trying to manipulate your audiences or to patronise them. What Iâm talking about is helping them not have to work too hard. Remember earlier when we said consider your audience? Well, it only seems like common courtesy, does it not, to try to make your audit reports accessible and easy to read and follow. These tips will help you achieve this. While it is always a good idea to sit down with the chair of your audit committee and ask him or her the hard questions about your audit reports and what they would like to see, here are a few better practice ideas that are in common usage. The first tip is to have a short, punchy executive summary. Audit Committee members are generally experienced and often time poor. They appreciate clear and concise communication that doesnât cost them unnecessary time. Remembering that we are trying to deliver meaning, we need first to provide context so that the audit report can be interpreted correctly. In order to provide context to your report you should always mention whether the report was planned in the normal audit program or is a special project. If the audit is a special project, has been brought forward for whatever reason or is a follow-up audit the circumstances of how the audit came about should be set out in full. Without this information, the relevance of the audit and the report are lost. Performance Standard 2410 states that communications must include the engagement objectives and scope for the same reason. Limitations of scope and the reasons why are particularly important. The standard also states that communications should include the auditorâs conclusions. To further aid understanding, these are often supported by an overall report rating, such as the examples shown. Using a traffic light system is good shorthand, so long as the tone of your language matches the rating chosen.
- Another tip for leading the reader is to risk rate each finding using the organisationâs own risk rating methodology. This instantly tells the reader how important you think the finding is and such practice is pretty much universal nowadays. A great tip for clear writing is to start each finding with a topic sentence. This summarises the finding by providing the key issue and its potential effects up front. In my career I have witnessed far, far too many reports where the auditor starts the audit finding by stating details of the system, then what they checked, who they spoke with, their initial thoughts, any further enquiries they might have made and finally what their finding is. While this is very logical and structured to the auditor, such an approach is counter-intuitive to the reader. Believe me, some people can write for a page and a half before coming to a conclusion and this is usually about a minor finding. Sometimes the conclusion is so lame you need to go back and read the finding again before you realise that, yes he/she really did just waste that much of my time for something that really is trivial. A topic sentence inverts this by telling the reader about the issue and why they should care up front. The reader can then go on and fill in the blanks if he or she wants. This approach is similar to the headline or first sentence of a news story and helps people to skim the report if they need to and to still gain a reasonable understanding of it. The subsequent narrative will also make more sense because it colours in the detail of the issue that has already been outlined clearly for the reader.
- The next simplification tip is to not be boring or pompous, but to be engaging. I know that you think Internal Audit is very important, but if you make the mistake of trying to convince your audience of that fact by using very formal language or going on and on and on without end, you are likely to achieve the exact opposite, i.e. annoy people. These three tips are common sense approaches to help increase reader engagement. Firstly, be concise. Try to convey your thoughts in as few words as possible without losing meaning. Work at it â itâs important. Developing effective topic sentences is a good start down this path. Secondly, summarise and dump. If your audit finding generated a lot of data and this data is in danger of destroying the flow of the report, summarise it and dump the detail into an appendix. You might even consider losing the appendix and sending the detail as a separate file altogether, if required. Thirdly, use the active voice. This is one of the singular most effective ways of better engaging your reader. The active and passive voices are both correct constructions in English grammar. However, people naturally think along the lines of who did that to whom/what? They donât naturally think of something was done, who did it? Without turning this into a grammar lesson, the active voice is demonstrated by the phrase âthe cat sat on the matâ, while the passive is demonstrated by âthe mat was sat upon by the catâ. Note that the active phrase is shorter and makes the cat the subject of the sentence, whereas the passive makes the mat the subject. Writing in the active voice makes your writing come alive. Try it! All you have to do is begin the sentence with the âdoerâ and the rest should flow. Note that there are times when you will need to use the passive voice. If you arenât trying to attribute blame for a finding, then you will probably want to use the passive voice, because it can allow you to delete the doer, completely. E.g. The mat was sat upon. An audit finding example might be âThe Accountant did not perform the January bank reconciliationâ is attributing fault to the Accountant, whereas âThe January bank reconciliation was not performedâ leaves the question of fault open. Either way could be appropriate depending on what you are trying to say, but if you donât want to attribute blame, use the passive voice. Everywhere else, use the active voice as much as you can.
- The next thing is to be positive, or at least neautral, and certainly not to be alarmist or emotional. IPPF standard 2410.A2 encourages Internal Auditors to acknowledge satisfactory performance in engagement communications. This may cut against the grain for some, especially those from an external audit background, but acknowledging satisfactory, or good, performance demonstrates that you understand the context of the negative things you do find and that you arenât out to just find fault and embarrass the auditee. In short, it builds goodwill. Consider spelling out in point form the positive things you find in relation to each audit objective. IPPF Standard 2420 states that audit reports must be, among other things, objective. This includes not just what is reported but the language used to report it. Avoid excessive editorialising and emotive language in your audit findings. If you have a real finding the facts should speak for themselves. Recognise that there are âhot buttonâ words such as âfailureâ or âneglectâ that will create a negative reaction, therefore only use those kind of words when that is the reaction you are hoping to get.
- Another tactic for developing goodwill with your auditee, especially it they are overly defensive or reactive, is to couch your risks using positive rather than negative connotations. The risk is the âso whatâ of the finding; it is why we should care. The traditional way to express the risk is to focus on the negative things that could happen, which can force defensive auditees to become even more defensive and even lash out against the auditors. However, an equally valid way to express a risk is to sell the benefits of seeing off this risk for good. Using some examples, we see the traditional negative approach used for selling a finding about access to blank cheque stock. However, if we sell the risk as a positive, the focus shifts from the failures of the auditee to the benefits we can realise if we resolve the issue.
- Now we look at being logical, coherent and clear to enhance simplicity and therefore meaning in our reporting. It always amazes me how, even today, many auditors can write audit findings that, however accurate, just donât tell the complete story. They might show what they found, but not what caused it. They may not explain what standard they are measuring against to support their conclusion that the issue is unacceptable. They might not spell out the consequences of inaction (or the benefits of action). You can usually tell an incomplete finding just by instinct: you know something just doesnât wash. However, there is a simple checklist for what constitutes a complete finding in the Practice Advisory 2410-1. Condition means the audit evidence you obtained that shows there is a problem. If you can identify a cause you should because this will help your recommendation be more effective. The criteria is what you are comparing performance to, such as a policy, procedure, law, standard or best practice. The effect is the risk: i.e. âso whatâ. The recommendation is self explanatory. Always make complete observations and set out the different elements in the same order so that each finding is coherent for the reader. You can even set each element out under a separate heading or in table format to make it even clearer.
- Use consistent language throughout the report. Use the same language each time you name an item. This approach then allows you to highlight items you want to call attention to by changing your language or presentation. The consistency and coherence you show throughout the report then allows those items you really want to highlight to stand out. Also, use the clearest language you can. Say what you mean and mean what you say. Use that thesaurus for good (not evil!) by looking for a simpler or better word, rather than a more difficult one. An audit report that is well supported by sound evidence & reasoning and by a strong audit committee should allow you to speak directly (not aggressively) without the weasel words. Also, try to avoid ambiguity wherever possible (cue picture). Please note that we deal with unclear pronouns in the course as well.
- The final coherence issue Iâll address is ensuring that your recommendation clearly links to the finding. The best way to do this is to find the root cause of the finding and make recommendations that address it. There are numerous ways of doing root cause analysis, but essentially it is a process of continuing to ask âwhyâ until you reach the root cause. Using the sinking of the Titanic as an example, why were lives lost? Because the ship hit an iceberg. Recommendation: donât hit icebergs. Not very useful, is it? But if you drill down by continually asking why and find out that the design of the ship and the materials used to build it were flawed, their iceberg detection systems were inadequate, there were insufficient lifeboats, the communications systems were inadequate and the response times for rescue crews were poor, then youâre starting to get to the stage where you can frame some more useful recommendations. In the Report Writing course, we teach that you should consider three different types of recommendations: the cause-focussed are potentially the most useful. Condition-focussed recommendations are more cosmetic in nature: they might reduce the risks short term but wonât guarantee it wonât happen again. They are a bit like giving pain killers to a flu patient: it wonât fix the flu but it will make it more bearable. Recovery focussed recommendations are important usually when a significant control breakdown has occurred. Reinstating the control is one thing, but what about all the transactions that were processed while the control was inoperative? A recovery-focussed recommendation will aim to verify the extent of any problems caused by the breakdown so that any errors can be corrected. If you have clearly defined the causes, condition and effects in your finding, then the reasons for your recommendations should be obvious to the reader.
- Now weâll move onto GIPA. The Government Information (Public Access) Act 2009 was intended to change the landscape for government accountability in NSW at state and local levels of government. The two key features of GIPA are: 1. a presumption in favour of transparency and the sharing of information and 2. a push for this information to be published proactively by agencies, rather than held back and only released as a result of access requests. The legislation specifically states that embarrassment is not a valid reason to avoid providing the information and neither is the possibility that the recipient will misinterpret or misuse the information. The Act applies to audit reports as equally as it does to other government information. While there are some instances where exceptions may be sought, these are not absolute and must be balanced against the public interest. So, what can we learn from this? Are you feeling uncomfortable? Is it really the end of the world for internal audit reports to be made public? How will we continue to have people confide in us and be open and honest? I think that these kinds of concerns are much more likely to be inflated in peopleâs anticipation of them. I canât see that it will make a major difference in the long term. The IIA has given some guidance in the form of a position paper regarding internal audit documents and GIPAA, which you can access with the link given.
- My personal take on this is that GIPA is an opportunity to further sharpen up your auditing skills, including your report writing. I think you have to make the assumption that every internal audit report you write may be made public. This raises the question of how does that affect how you write the report? My answer to that question is perhaps not as much as you think it might. The first thing I would recommend is not to sanitise the report. Your job as an Internal Auditor is to be independent and objective and you should not tailor your thought processes or ethics for the report in any way other than to double down on your professionalism in order to make sure that your audit findings are well supported and reasonable. The second thing I would recommend is that you focus on adding value. Rather than looking for âgotchaâ moments and making people look bad, look instead for opportunities for improvement and quantify these wherever possible. As mentioned before, spelling out the positive consequences of action rather than the negative consequences of inaction is much less likely to be interpreted negatively and gives management the opportunity to be part of the continual improvement process, rather than the whipping boys (or girls). The third thing I would recommend is to make sure that you are using unbiased language as much as possible. As mentioned previously, if you let the facts speak for themselves and you quantify the potential effects there should be no need to oversell a finding. Taking this approach gives potential critics much less ammunition for them to turn back onto you, the messenger. Finally, and probably most radically, perhaps you should consider proactively releasing your internal audit reports. If you do, you should develop a process of risk assessing each report for potential issues and work with council to develop a communications plan to reduce the risk of issues being misinterpreted.
- So to recap what Iâve covered with you all today, weâve been discussing how we can best deliver meaning in Internal Audit Reporting. The first thing we noted is that you have to recognise and want the opportunity to communicate your audit results. The second thing was recognising that the audit report is the most important marketing document for internal audit in relation to your skills and professionalism. The third thing was to recognise and account for the different readers of internal audit reports within the organisation, within the audit committee and also potentially to external bodies, which may include the general public. Next I gave you a selection of tips for making your reports simple in order to clearly communicate the intended meaning. These ranged from Leading the Reader through the use of ratings, concluding and then explaining, and using topic sentences. We also looked at avoiding being boring or pompous through use of the active voice, being concise and summarising and dumping. We also discussed using positive consequences rather than negative consequences to sell your findings, especially in defensive environments. We also talked about using complete audit findings, using consistent clear language throughout the report and linking recommendations to your findings better using cause-focussed recommendations, where possible. Finally, we discussed GIPA. My personal belief is that a well written and received internal audit report is a wonderful advertisement for a progressive organisation and that we should not only not be defensive with GIPA requests but we should be creating the environment where the proactive public release of these documents should be the norm. Having said all that, thank you for your attention and Iâll now take any questions you may have.