A short while ago, I was talking to an internal audit manager whom I had been helping with her audit of enterprise risk management at her company.
Unsurprisingly, her team found a great many issues. Communicating her opinion — that the risk management team and related activities were not seen as helping management make informed and intelligent decisions — was not going to be easy.
Part of the problem was that there were some significant failings at a detailed level, such as not updating risk limits and other guidance on a regular basis as the business changed. It would be too easy to get distracted by the trees rather than the state of the forest.
Her manager, the chief audit executive (CAE), was strongly of the opinion that the organization needed a risk appetite statement — which the audit manager realized was not the real issue (and we agreed was not a great concept).
The CAE had dictated that every audit report had to follow a strictly enforced format. So even though the best way to communicate an assessment of risk management is using a maturity model, that would not be permitted.
All I could do was sympathize and offer to meet with her CAE. My suggestion was to put a lot of effort into communicating the results of the audit through face-to-face meetings, even if they have to be through Zoom or similar. Constructive give-and-take discussions about what she found and why it matters would be of far more value and far more persuasive than any text document.
A More Flexible Approach to Audit Reports
As CAE myself, I gave my team a great deal of flexibility when it came to the audit report. There were some rules, of course, but they were principles rather than detailed regulations.
I had an exemplar format, but I wanted the team to do what would work the best rather than what would adhere rigorously to a standard.
For example, the opinion of the auditor had to be up front, the first thing the customer read — unless it was really necessary to explain the context first.
Another principle was that the auditor needed to use plain English, a rich language that can be used creatively to communicate the auditor’s opinion. Requiring standard language, such as a rating system, is limiting. If the auditor wanted to say that controls (or anything else) were not effective or adequate, that had to be explained in a way that the customer would readily understand. In fact, I encouraged them to write the way they would speak.
Suggestions for improvement had to be practical and what the auditor would do themselves if they were in charge.
The audit report had to be concise and readily consumed by the busy executive.
It had to communicate what they needed to know, and no more.
Standardization Isn’t Necessarily Effective
We are not limited to a rigorously enforced standard for communicating in person. Why should we be limited when we are writing? There is value to standardization, but it can also be a drag on effectiveness and the ability to deliver maximum value.
I welcome your thoughts.
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.