Internal Audit Reporting SP
04 Stakeholders Management
05 Concluding Thoughts
INTRODUCTION
Dissemination of the results of internal audit and reporting the findings to the management, and those charged with governance, is an essential
part of any internal audit reporting.
The internal audit report is the document prepared as an outcome of the internal audit process. It contains a clear written expression of significant
findings and recommendations based on the review of the policies, processes, risks, controls and transaction processing.
Audit findings and recommendations in the audit report are designed to help the organization achieve its financial, management and regulatory
compliance objectives.
The internal audit report is presented to the process owners, head of the departments, senior management, audit committee, statutory auditors,
and regulatory authorities (if required).
Reporting of results needs to be done with a certain level of uniformity, and both the internal auditor and the recipient of the reports should have
clarity and agreement about the nature of assurance being provided through these reports.
Key Considerations:
The internal audit report is often the main, routine vehicle through which senior management understands the value that internal audit delivers.
Audit report presents the results of an examination or review within the organization and is considered to be the core deliverable of internal
audit services.
Poorly communicated results may completely detract from what may be critical information for senior management and the board.
Well-organized and communicated results are a key indicator of competency and professionalism.
Each organization has unique reporting practices and expectations that affect the format, frequency and depth of their communications.
STANDARDS ON INTERNAL AUDIT
Standard On Internal Audit 370 (Earlier SIA 4) – Reporting Results
02 Allow management to understand the issues and take corrective actions in a methodical and comprehensive manner
03 Provide a sound basis for any assurance being provided by the Internal Auditor
At the end of a particular assignment (Internal Audit Report)
An “Internal Audit Report” covering a specific area, function or part of the entity is prepared by the Internal Auditor highlighting key observations arising from those assignments.
This report is generally issued with details of the manner in which the assignment was conducted and the key findings from the audit procedures undertaken.
This report is issued to the auditee, with copies shared with local and executive management, as agreed during the planning phase.
On a periodic basis, at the close of a plan period (Audit Committee Report)
A comprehensive report of all the internal audit activities covering the entity and the plan period is prepared by the Chief Internal Auditor (or the Engagement Partner, in case of external service provider).
Such reporting is normally done on a quarterly basis and submitted to the highest governing authority responsible for internal audits, generally the Audit Committee.
Some part of the aforementioned Internal Audit Reports may form part of the periodic (e.g. Quarterly) report shared with the Audit Committee.
Standard On Internal Audit 360 (Earlier SIA 9) – Communication With Management
Objectives
01 There is clarity and consensus between the Internal Auditor and the management with regard to the scope, approach, objectives and timing of an internal audit
02 To help inform, persuade and act on matters important to the conduct of an internal audit by promoting a continuous dialogue and free flow of information between the Internal Auditor and management
03 To help resolve any conflicts in a timely manner
The Internal Auditor is required to have an effective two-way communication with the management, both while managing the internal
audit function, and also while conducting an internal audit assignment.
A continuous dialogue with management, at various stages of the internal audit process, is essential to the achievement of internal
audit objectives.
01 Discussion Draft
At the conclusion of the fieldwork, the internal auditor should share the discussion draft.
02 Exit Meeting
The internal auditor should discuss with the management regarding the findings, observations, recommendations, and text of the discussion draft.
STAKEHOLDERS MANAGEMENT
03 Identify how the message will be communicated (the stakeholder’s preferred method)
04 Identify communication necessary to satisfy stakeholders’ expectations and keep them informed (what)
05 Identify and finalize how the report will be communicated (this should be finalized at the design stage itself)
Who Are The Stakeholders Of Internal Audit
Process Owner
HOD
CFO / CEO / MD
Audit Committee
Statutory Auditor
Regulator / Investor
What Are The Stakeholders Expectations
Process Owner
Management comments, agreed action plan, first-person responsible for implementation and target date
Providing assurance / comment on improvement
Value addition
HOD / CFO / CEO / COO / MD
Assurance which they can rely on
Comfort which would help them make a proper assessment and save their time
Different Form Of Communication For Each Stakeholder
What The Stakeholders Like To See…
Value-Adding Processes Fraud Risks Compliances
Organizational Pressure – Pervasive Threat To The Internal Audit Objectivity/Reporting
A situation in which individuals in leadership positions, exercising their authority to achieve a
personal benefit or to protect an organization, attempt to manipulate the internal audit activity
or internal audit reports.
Such manipulation may result in actions to restrict the scope of audit activities, suppress audit
findings, or undermine the credibility of the Chief Internal Auditor or the Internal Audit
personnel's activity.
[Figure: two pie charts, “Number of times asked to suppress a finding” and “Number of times requested not to audit high-risk area”; categories: Never, 1 or 2 times, 3 to 5 times, > 5 times]
Aggravating Factors:
Lack of strong ethical culture from top-down
Lack of strong, independent and supportive audit committee
The culture that embraces risk and not controls
Weak relationship between Chief Internal Auditor and Audit Committee Chairperson or Chief Internal Auditor and Key Executives
Chief Internal Auditor who lacks objectivity, integrity, courage, or sound judgment
Internal audit function in an organization that lacks competence
Implications on Reporting
Should Make Foundation Strong
Strong governance, knowledgeable board
Strong reporting relationship and position
‒ Direct reporting relationship – CIA and board/audit committee
‒ Chief Internal Audit – Recognised senior independent position
Clear and supportive charter
‒ Documents showing with clarity-unique role of Internal Auditor
‒ Specifies authority and unrestricted scope
Decision framework – when to take a stand
‒ Identify alternatives, consequences
Strong business knowledge
CIA’s Desired Attributes
Integrity and courage
‒ Know your internal ‘Limitations’
‒ Stand firm on important issues
Objective and fair
Relationship builder – with the board, executives and management
‒ “We are all after the same objectives.”
Judgement to know what is an important issue and when to take a stand, How to take a stand?
Anticipates and proactively addresses issues
‒ Discuss protocols in advance
‒ Know key parties and motivations
CIA Should Build Relationship
Meet outside of scheduled, formal meetings
Learn about Executives – objectives, accomplishments, interests
Lead outside of Internal Audit role; be visible
Educate on emerging topics/Risks
Find mutual areas of interest; do not take meetings casually but prepare in detail to be effective
Reporting of CIA – Lack of Independence Could Have Impact On Internal Audit Reporting
CONCLUDING THOUGHTS
The people who receive internal audit services (audit clients) are increasingly seeking greater value-add from audits.
They are seeking insights gathered from operational audits, rather than a narrow compliance audit approach.
Internal audit is not an isolated technical exercise but it is an integral part of the corporate governance process and the
report which is the culmination of the audit process has far-reaching consequences in changing the way the business is
done and risks are managed.
A report is a reflection of the auditor’s mindset and is only as good as the approach with which the audit has been done. No
amount of add on by way of style and presentation can mask the inadequacy of the auditor’s performance.
The internal auditor has to not only possess adequate knowledge of the business he is auditing but also internalize that he is
part of the management and his audit objective is aligned to the business enterprise objective and goals.
Management is seeking internal audit reports that are easy to read, ‘tell a story’, and get to the point.
Management values internal audit reports that provide a conclusion or opinion on the activity audited.
The success of audit reporting is determined largely by the attitude and approach with which the internal auditor carries out his
duties. As auditors, we should aspire to be the agents of positive change in the organization, and strive to be viewed and
accepted as valued insiders.
People begin forming an opinion within seconds
Difficult to reverse first opinion
REFERENCE MATERIAL
Typical Elements In An Internal Audit Report
Title Page
Audit Issues Highlighting:
01 Addressee
Report Distribution List
Period of Audit Covered
Key Finding
Root Cause of Issue
Business Impact/Risk
Executive Summary:
Report Rating
03 Audit Issues
Status of Management Remediation Plan 05 Assurance Limitation Disclaimer
Annexures
Opening / Introductory Paragraph And Scope Paragraph
Detailed Report – Features Of The Observation
Criteria
What is the standard that was not met?
The standard may be a company policy or other regulatory guideline. expectations used in making an evaluation
Condition
The factual evidence as to what was found
Cause
Reason for difference between criteria & condition [lack of controls, circumvention of controls or external influences]
5 Cs In Report Writing – Case Study
Criteria (What is the standard?): Variation in stock on physical verification with the balance as reflected in the stock register should be NIL.
Condition (What is wrong?): The stock physically verified was short by 5045 units as against the balance shown in the stock register.
Cause (Why is it wrong?): Issues made during the night shift were not recorded.
Consequences (What is the risk / impact?): The stock position in the books is overstated and the possibility of stock pilferage is high due to lack of control.
Corrective Action (What should be done? / How to correct?): Night shift stock keeper needs to be appointed. Alternatively, the requirement of stock for the night shift should be issued at day end as per the requisition of the production in charge for the night shift. The consumption during night shift is verified by counting in the morning the balance stock left out of the lot issued to the floor during the previous day’s close.
Risk Rating / Risk Category / Controls Rating – Legends
RISK RATING
High (H) Represents critical control weaknesses requiring prompt action to mitigate information systems or business process vulnerabilities. Adequate compensating controls do not exist to mitigate risk exposure, or may not be sufficient given the impact of a risk occurrence should it occur. Regulatory non-compliances involving penalties/prosecutions are also included in this category and having financial impact exceeding say USD 250K.
Medium (M) Represents moderate control weaknesses requiring near-term management focus to strengthen existing controls. Some compensating controls are present, but additional controls are necessary to further mitigate risk exposure and having financial impact between say USD 100K to 250K.
Low (L) Represents minor control weaknesses requiring management focus to enhance existing controls. Compensating controls are present to mitigate exposure (or if not, the impact of a risk occurrence is minor), but opportunities exist to enhance controls or improve operating efficiency and having financial impact say below USD 100K.
RISK CATEGORY
Operational (O) Effectiveness and efficiency of operations.
Financial (F) Reliability of financial reporting / financial impact.
Compliance (C) Compliance with applicable laws and regulations.
Process Improvement (PI) Scope of improvement in the business process.
CONTROLS RATING
Moderate (M) Controls are present to mitigate most process/business risk, but management should evaluate opportunities to enhance existing controls.
Limited (L) Existing controls may not mitigate process/business risk and management should consider implementing a stronger control structure.
Management Response
Specific reply to the observation (to the point and not a general reply)
Audit Reporting Challenges
Reporting issues that don’t matter to the board and top executives
Failing to communicate what matters when it matters
Lengthy cycle times – time taken for formal report writing
Consequences of lengthy audit cycles are
‒ Audit results are not timely
‒ Stakeholders’ dissatisfaction
‒ Inefficient use of internal auditors’ time
Factually incorrect reports
Size of the report and maintaining balance
Implications or risk not being brought out clearly
Focus only on negative aspects or mistakes
Projecting process owners as villains or blowing up things out of proportion
Lack of practical recommendations
The reader cannot connect with the report
Common Mistakes In Internal Audit Reports
Essentials Of A Good Internal Audit Report
Free from errors and distortions and faithful to the underlying facts
Fair, impartial, and unbiased and is a result of a fair-minded and balanced assessment of all relevant facts and circumstances
Easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information
To the point, avoid unnecessary elaboration, superfluous detail, redundancy, repetitiveness and wordiness
Helpful to the auditee/client and the organization and leads to improvements where needed
Lacking nothing that is essential to the target audience and includes all significant and relevant information and observations to support recommendations and conclusions
Opportune and expedient, depending on the significance of the issue, and allowing management to take appropriate corrective action
Internal Audit Report Format
Different organizations use different report formats (Word, Excel and PowerPoint)
Management will feel more comfortable if it becomes accustomed to the report format and
can readily turn to whatever is of interest
Executive Summary – Sample 1
Columns: Sr. No.; Audit Observation; Risk Category; Risk Rating; Control Rating; Action Plan; Slide Reference
Risk Category: Financial / Operational / Compliance
Risk Rating: High / Medium / Low
Control Rating: Moderate / Limited
Executive Summary – Sample 2
Columns: Issues; Business Impact; Due Date; Responsible Person
Detailed Observation – Sample 1
Risk Rating: ✓ High / Medium / Low
Risk Category: ✓ Financial / Operational / Compliance
Control Rating: Moderate / ✓ Limited
1) Observation Heading
Issue: Root Cause: Recommendation:
Background:
Detailed Observation – Sample 2
Critical
Root Cause: Design Deficiency / System Deficiency / Operational Ineffectiveness / External
1. Observation Heading
Observation Risk & Implication Management Comments
Recommended Action
Typical Contents Of An Audit Committee Presentation
Audit Committee Dashboard – Sample 1
[Dashboard tiles: Open Audit Issues (at quarter beginning); Issue Closed during current quarter; Unresolved / pending issues above 6 months; Global CFO intervention / support required. Sample counts shown: 7, 3, 1, 4. Tiles carry the note “For details, please refer slide no. xx to xx”.]
[Sample table row: Process Improvement; 4; Low; Limited]
The major objective of internal audit review is to understand the key activities and controls in the business processes designed, review design
effectiveness of business processes and controls, assess the operating effectiveness of internal controls and provide recommendations for
business process and internal control improvement.
Internal auditors don’t plan and prepare work with the objective of preventing and discovering fraud and give no assurance that the period
covered by an internal audit would be free of fraud or other irregularities. If during the course of internal audit, we come across any fraudulent
activity, we carry out our review in respect of that business process in detail and report on the same to the management and audit committee.
The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of
sound management practices. The responsibility for a sound internal control system and the prevention and detection of fraud and other
irregularities rests with management. Work performed by internal audit should not be relied upon to identify all strengths and weaknesses in
internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Our focus is more on walkthroughs of business processes
and identification of internal control gaps so that the control environment can be strengthened further.
Internal audit procedures are designed to focus on areas of greatest risk and significance which are identified and agreed with management in
advance, internal audit scope and approved annual internal audit plan. Since the internal audit is executed by an individual internal auditor on the
basis of their ability to assess risk and situation of control environment of a particular audit area/entity, audit procedures may not disclose/conduct
an audit of all issues and/or other significant matters about the department/company, or reveal all errors, irregularities and frauds in the underlying
information due to limitation of skill set, time spent on an entity for audit and other uncontrollable limitations.
The approach employed during the internal audit work does not constitute a comprehensive review of all the operations and is subject to the level
of bias in the method of sample selection.
Internal auditors rely on management to provide accounting and other records for the purposes of audit work to ensure the authenticity of these
records.