Chief audit executives and audit teams may be comfortable with the fact that their approach to audit committee reporting has followed the same unwavering path for the past decade. But are they shortchanging themselves by not communicating results as clearly and engagingly as possible?
Three Protiviti executives – David Brand, managing director, Chicago; Jason Maslan, director, Chicago internal audit practice; and Ari Sagett, director, Chicago internal audit practice – addressed the all-too-frequent issue of stale audit committee reporting by offering some eye-opening leading practice examples in a recent webcast.
“I think it’s always good for companies to push themselves and try to do different things that might be of interest to the board – all within the charter of the audit committee and the internal audit charter,” Brand said during the webcast.
Because companies differ, examples cited in this article won’t necessarily fit every organization, though they represent a treasure trove of good ideas that internal audit departments might tailor to their own situations.
TYPICAL QUARTERLY CONTENT
A dashboard report on current activities needs to tell the committee what internal audit (IA) is doing and why, changes to the annual plan (if any), current status of the audit plan, and critical findings or emerging trends.
Other content typically includes staffing, resource limitations and costs-versus-budget year-to-date, results of special investigations, department performance metrics and scorecards, and any impairments on independence or objectivity.
Increasingly, boards are also tasking IA with evaluating information and bringing to their attention what they ought to review, rather than providing everything in a package for the board to sift through.
TYPICAL ANNUAL CONTENT
The checklist is familiar: report on the year in review, including identified themes; update the risk assessment and audit plan; report on results of the internal quality assurance and improvement program (remember: the quality program is supposed to be periodic, ongoing and external – not just every five years); discuss results of the external QA review; review and approve updates to the IA department charter; confirm independence of the internal audit activity; and disclose any nonconformance with IIA Standards. Offering an overall opinion on the company’s control environment is not an IIA requirement, but if you do, there are standards on how to proceed.
During the webcast, Brand said he is a fan of dashboards that incorporate graphics designed to enable the audit committee to quickly grasp a vast amount of information. One information-rich dashboard he recommends starts with “key message points,” which highlight important takeaways. The dashboard also includes a short summary of completed activities during the latest quarter and what’s next on the agenda. An “audit finding remediation status” section briefly covers follow-up on all identified issues.
Another dashboard example includes “direct support to control environment”—something not often captured, according to Brand.
“You as internal auditors might sit down with people and brief them on new regulations or the control environment; you might talk to new hires about what it means to have good controls or what appropriate evidence is – things you probably don’t issue reports on,” he said. “You could easily capture such activity on a dashboard like this and be able to explain to management some of the value you provide to the organization that’s beyond what shows up in a typical audit report.”
THE AUDIT CALENDAR
Maslan discussed some of the ways to present the IA calendar and plan to the audit committee. One that’s highly informative and easy to digest is divided into assurance projects (business process audit and information technology audit) and consulting projects. It includes a risk-level legend, a handy way to ground the reader in where each audit fell on the risk map produced by the overall risk assessment process.
Another calendar takes a more holistic view of the audit and breaks down activity by period, showing starting and completion points.
Meanwhile, a third example revolves around a quarterly update. It briefs the audit committee on which audits were completed during the quarter and introduces a watch list showing which risks are top of mind in the organization. Still another approach to the calendar divides internal audit and SOX 404 compliance activities by quarter.
What is the best way to apprise the audit committee of the scope of projects recently completed? Maslan recommended highlighting the processes that were evaluated and the specific in-scope procedures that were completed. An important piece to focus on here is the “out of scope” area. It helps develop the audit committee’s perspective by informing it of what was in scope and what was not.
AUDIT REPORT SUMMARY
More informative than the typical audit report summary is one that provides not only a background of the audit and summary but captures the observations as well. If you have a handful of observations and want to roll them up to one of the root causes, this is a good way to put everything around the audit on a single slide, the webcast presenters said.
Another concept introduces the “overall rating” of the audit itself. It gives some background information and includes individual ratings by findings. In addition, it includes a “management response” that holistically provides a risk rating on the audit itself.
If you are in a large shop doing a lot of audits each year and begin to bucket the audits by type – whether by function, department or division – a scorecard view is a useful way to show how many audits are being completed in a given area, the overall rating for that area, and the detail of the individual audits that make up that rating.
RISK ASSESSMENT PROCESS
Internal audit’s main goal here is to ensure it has identified and measured risk in a consistent manner, so that it can demonstrate clearly how the assessment feeds back into the plan. Sagett presented a slide showing the Protiviti risk assessment approach. On the left appears a bottom-up review that begins by identifying the audit universe; on the right is a top-down approach that identifies business risks and prioritizes them. Combining those two activities yields a fuller view of the information and, in turn, a more robust plan.
Another unique example shows a quarterly view of how a company performs a risk assessment. The example focuses on a quantitative as well as qualitative analysis that is rationalized and socialized with senior leaders and then linked with different internal audit information. The ultimate goal is to create a focused risk-based quarterly plan to perform audits.
SHOWING RISK ASSESSMENT RESULTS
Auditors have many options at their disposal to depict this type of information.
Sagett said IA is familiar with conventional risk maps that focus on the significance or impact on one axis and likelihood of occurrence on the other.
“Now we are seeing some progressive departments moving more toward additional factors...things like velocity and persistence,” he said, citing an example that shows quadrants with the highest risk and maps the priorities based on their relative risk.
Another example he offered was from a company that decided to show its entire audit universe with an overlay of the actual risk rating, so a viewer can see more detail. That is a good way of supplementing the risk map, though it might actually be the combination of these two elements that paints the full picture for the audit committee.
Brand said one question that he frequently hears from organizations interacting with board members is: “How do I know if I have the right-sized department, especially in light of the multiple changes my company has experienced in recent years?” Benchmarking activity, unique from one organization to the next, is the easiest way to make that determination.
What does the company want from IA? What’s in the charter? What’s in the audit committee charter? What are the expectations of management? What role does IA play within the organization? How advanced, developed and functioning are the Level 1 and 2 controls? Do you have robust compliance? All of these questions factor into the conversation. Thinking them through in order to decide if the organization is right-sized can be a valuable exercise.
SARBANES-OXLEY PROGRAM OVERVIEW AND RESULTS
For companies going through the first year or two of SOX compliance, the most common way to report results to the audit committee is via a calendar of activities and milestones, said Maslan. This shows IA obligations as well as those of management; it also is smart to include an overlay with the audit meeting schedule.
“Doing it this way sets the foundation for SOX compliance and becomes a way of measuring progress,” he said.
Maslan’s next example featured colored pie charts for interim testing of internal control over financial reporting and IT general computer controls. The slide tells at a glance whether risk is low, neutral or getting worse.
A third example related to significant deficiency analysis.
“I like that it shows two different perspectives: the client management view and the external auditor view,” Maslan said. “It gives the audit committee a clue as to what the company and management are doing to address the issues and is a good tracking mechanism as we continue to evaluate significant deficiencies identified throughout the course of the year.”
AUDIT ORGANIZATION AND QUALIFICATIONS
There’s a growing trend to include this kind of information in audit committee reporting. Presenters in the webcast concurred that it was a good way to highlight the audit department’s capabilities and celebrate the group’s achievements on a more personal level.
One example identifies key members of the department, including information on their certification and experience. Some companies even dress up the report by adding photos of key executives. Others add total years of experience within the company (though not necessarily in audit) and years of experience outside the company.
A leading practice for a company with a substantial IA staff (e.g., 200 employees) is to show how many resources are budgeted, the number of filled or open positions, rotational positions, and co-sourced jobs. Requirements for certification and training also are outlined in this example.
Part of the measure of an IA department is the qualification level of its personnel. Global companies now tend to highlight certifications and language spoken – skills that will continue to grow in importance as organizations expand into new markets internationally.
REPORTS ON QUALITY
The webcast’s presenters reiterated how standards require IA to report on a company’s quality program. One approach is to use an Internal Audit Balanced Scorecard that shows the criteria the audit department decided it would evaluate (e.g., open positions, professional certifications, minimum CPE credits all auditors should obtain per year, etc.). The scorecard shows the targeted execution and outcome.
An even better example was seen in a slide presenting the same criteria but in a format that tracked the status of external, periodic and ongoing audits in color-coded boxes.
Similarly, color coding allowed viewers to better visualize results in IA’s “Report on Coverage.”
Although it seems that no one disputes the importance of lively, efficient audit committee reporting, feedback from board members commonly reflects that such reporting comes across as somewhat stale.
Overall, the examples provided within this webcast made it abundantly clear that effective and attractive reporting is within every internal audit executive’s reach.
This article was written by Thomas Witom.