By David Gitare
“If you can’t explain it simply, you don’t understand it well enough” – Albert Einstein.
It is traditional practice that at the conclusion of an Internal Audit exercise, the Internal Auditor issues a written report to the target audience detailing the results of their work. Thereafter, the Internal Auditor will periodically perform a follow-up to assess whether the agreed-to corrective actions have been implemented, are effective and are being sustained.
Any experienced Internal Auditor has, from time to time, encountered situations where the agreed-to corrective actions have not been implemented or sustained, much to the Internal Auditor’s dissatisfaction. So, why is it that the results of well-documented, factual and well-received Internal Audit reports go without being acted upon? All too often, the persons to whom the report is addressed are largely blamed for inaction, whether by design or default. Rarely, if at all, does the spotlight fall on the Internal Auditor when agreed-to corrective actions remain unaddressed.
As a matter of fact, some Internal Audit functions measure their performance using metrics such as the percentage of corrective actions implemented against the total corrective actions agreed to. The higher the percentage the better performing the Internal Audit function is deemed. To attempt to understand why well-intentioned Internal Audit reports are not acted on, this article will shine the spotlight on the conduct of work of Internal Auditors for two reasons. Firstly, to challenge Internal Auditors to reflect on the essence, quality and practicality of their work. Secondly, to assist the recipients of the Internal Audit reports to conduct conversations with Internal Auditors that will result in enhanced collaboration in the sustenance of an effective system of Internal Control.
As with any objective Internal Audit exercise, this article bases its review on the elements of the Institute of Internal Auditors (IIA)’s International Standards for the Professional Practice of Internal Auditing (Standards) and Practice Advisories as its criteria. The Standards are mandatory guidance by the IIA, meaning that effective Internal Audit functions are not expected to deviate from the requirements therein. By way of introduction, the Standards acknowledge that “Internal auditing is conducted in diverse legal and cultural environments; for organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization.” The introduction goes on to however clarify that “while differences may affect the practice of internal auditing in each environment, conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.”
The Standard provides the following interpretation for the performance standard 2010 on Internal Audit activity’s planning. “To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls”. It is perhaps with this Standard’s interpretation that the President of the Global Institute of Internal Auditors asserts that Internal Auditors can audit anything but not everything (Chambers, 2018). Now more than ever, thought leaders in the Internal Audit profession are calling on Internal Auditors to be agile, which means being able to move quickly and easily, especially given the fast pace at which the operating environment is evolving. If Internal Auditors continue to give prominence to mundane and traditional concepts such as the annual risk assessment, the monitoring of the audit and risk universe, the annual internal audit plans, and the annual or 3-year audit strategy, then they will certainly fail to address the key concerns or topics that keep an organization’s leadership awake at night, meaning that the resultant Internal Audit reports will be shelved to accumulate the dust they deserve.
Leading practice requires that risk assessment for the purpose of Internal Audit planning be a continuous exercise, and Internal Auditors must be ready to overhaul their plans if the changes in the operating environment so demand. However, in compliance with performance standard 2020, “the chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.” With regard to Internal Audit’s risk assessment for planning purposes, the methodology adopted will determine whether the audience looks forward to receiving and acting on Internal Audit reports. According to ISO 31000, the Risk Management Standard, risk is defined as the effect of uncertainty on objectives. If the risk assessment process focuses on the effects on enterprise-wide objectives, then it is more likely that the audience, especially at the leadership level, will be interested in what Internal Auditors have to report. The converse is true. A risk assessment process that focuses on risks to operational processes over risks to the achievement of enterprise-wide objectives is not only obsolete but a disservice to an organization.
Performance standard 2400 in the Standards is a set of quality standards relating to communicating the results of Internal Auditors’ work. Nowhere in the set of standards is it prescribed that Internal Audit results should be formally written or documented as the way to communicate Internal Audit results. The broad requirement by the Standard is that “Internal Auditors must communicate the results of engagements” and standard 2420 on the quality of communications prescribes that “communications must be accurate, objective, clear, concise, constructive, complete, and timely”. To translate the objective of performance standard 2400 into reality, Internal Auditors are required to communicate the results of their work, conveying to their audience the information they need, when they need it, in a readily-consumed and actionable form (Marks, 2018). The challenge to Internal Auditors is therefore to self-critique the urge to spend additional time preparing bulky documented reports as the communication means of choice and to consider, more rationally, the effectiveness of compelling verbal presentations and light email communications to achieve the agility required by performance standard 2400. To quote Albert Einstein, “if you can’t explain it simply, you don’t understand it well enough” and audiences have a knack for concluding that this is the case when an Internal Auditor presents bulky, convoluted reports. Consequently, the reports will most likely not be acted on.
Practice Advisory 2410 on Internal Audit communication criteria describes the following attributes of Internal Audit Observations:
• Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (the correct state)
• Condition: The factual evidence that the internal auditor found in the course of the examination (the current state)
• Cause: The reason for the difference between expected and actual conditions
• Effect: The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference)
Internal Auditors will easily and accurately establish the criteria and condition. However, more often than not, the audience is already aware of the criteria and condition beforehand. It is the establishment of the true root causes and the articulation of the effects on enterprise-wide objectives that determine whether Internal Audit reports merit the attention and action of an organization’s leadership team, including the Board. Objective, informed and effective recommendations can only be offered after the true root causes of the gap between the criteria and the condition have been credibly established. Establishment of true root causes is almost always the most difficult and perhaps the most valuable exercise when conducting Internal Audit activities. Experienced Internal Auditors will confess to having encountered from their audiences such questions as “So what do we do?” or “So what is the risk?” How effectively these questions are answered will determine whether the audience will be keen to act on Internal Audit reports.
In closing, there will be varied reasons why Internal Audit reports will not be acted on. But before pointing the accusing finger at their audiences, Internal Auditors must constantly reflect on the essence, quality and practicality of their work. Key to doing this is to constantly evaluate their performance against the Standards, strive to keep up with evolving and leading professional practices that seek to enhance performance to meet and exceed the requirements of the Standard, and learn from their mistakes.
References:
• The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), effective January 2017
• Practice Advisories Under International Professional Practice Framework (IPPF), updated May 2015
• Revitalizing internal audit, Marks (2018)
• Internal Auditors Can Audit Anything — but Not Everything, Chambers (2018)
David Gitare