How internal auditors manage audit ratings and opinions is key to clear communication with the audit committee and management.
There is no one way to present an update to the audit committee (AC) of a board of directors. But there is a general consensus that internal auditors must be succinct and not drag AC members into the weeds with too many details.
- That takeaway emerged at a recent monthly meeting of NeuGroup for Internal Audit Executives designed to help one group member create an internal audit (IA) rating and opinion program for her company.
- Members offered differing approaches to building an audit structure and communicating findings to management and the AC. This variance produced an illuminating discussion about the granularity and parameters of reporting structures.
- A NeuGroup Peer Research survey conducted before the session revealed that 60% of respondents use a three- or four-level system for overall audit opinions and 91% of the companies use a three- or four-level system for risk ratings.
- Some members offer overall audit opinions along with risk ratings, while others have abandoned providing opinions. One member said at previous companies he’d worked for, “CEOs and CFOs preferred not to have opinions for the report because they didn’t like the way it looked.”
Striking a balance. A balance must be struck to build a common understanding between internal audit, the AC and management. At several companies this has been achieved, in part, by simplifying the ratings scale used by IA to bring more efficiency to the IA function.
- One member said, “We were spending a lot of calories over ‘which side of the line does it fall,’ rather than, ‘does everyone agree on the facts,’ and can we just get on with fixing the issue.”
- Another member mentioned that it often comes down to leadership’s preferences, and that their audit committee wanted to keep the detailed ratings system because it helped them see which direction the process or control was trending.
What to include in a report. Internal auditors must also come to an agreement, sometimes with input from the AC chair, about the level of detail in audit reports. Several members agreed that too much detail in the report might “excite the audit committee, perhaps unnecessarily,” opening up a can of worms about a finding that they didn’t need to worry about.
- One member said a previous employer changed its color scheme for ratings from red, yellow and green to dark blue, medium blue and light blue so nobody was unnecessarily alarmed.
- Some member companies provide their full audit report, including low-risk issues, to management but give a trimmed-down executive summary to the audit committee. Other members provide all findings in an appendix to their executive summary that the AC can access.
Tracking issues. Beyond performing the initial audit, internal auditors must decide which issues should be tracked and which left to management to correct based on a management action plan (MAP). Some members track all of their findings, even low-risk issues, while others rely on attestations from management that they will follow IA recommendations.
- One member transitioned from tracking all issues to using management attestations, he said, “because I was spending an inordinate amount of time validating MAPs, [even] low-risk ones. If they’re risk-rated why are we spending the same amount of time on a high one as a low one?
- “My assessment was: ‘Does your dentist go and check that you’re brushing your teeth all the time?’ At some point you have to rely on people doing what they said they would do. Now if we find in a subsequent audit that they have misrepresented something, then we almost always mark that as a [high-risk issue]. I have to rely on management to understand the importance of the control.”
Bottom line: There are many ways to go about running an internal audit team, but the one commonality is finding the solution that leads to the most trust and understanding between IA, executives, and the AC.