At various points in a CAE’s career you get chances to review the way you do things, either in a new role, or after a quality assurance review, or when you see something you like that another auditor does. I’ve written here in previous posts that I think the audit report is the key product. Yes, I know we can report in other ways: presentations, online, verbally, through the medium of mime (okay, I’ve not tried the last one yet), but the audit report is still a core product.
But what makes a good audit report? Well, auditing standards are suitably vague: the performance standards require that each engagement communication should, ‘where appropriate, contain internal auditors’ overall opinion and/or conclusions’ and that ‘communications must be accurate, objective, clear, concise, constructive, complete and timely’. But what makes a good conclusion? That is the idea I want to focus on here: what should the assignment report’s conclusion look like in a risk-based audit world?
I’ve always sought to report based on the client’s net risk, that is, to risk-rate the report according to the assessment of net risk. Does this mean that the report does not provide assurance? Can you rate a report in terms of assurance? Well, perhaps, but shouldn’t every report give full assurance? I.e. I, as the CAE, should be able to provide full assurance over the opinion provided (or limit it if I do not have suitable work to support the scope of the opinion given). In other words, I could give you full assurance that risk is badly managed. Similarly, I could provide limited assurance over the fact that something is well managed. Does this mean the report would be red or green rated? Or, by providing limited assurance, am I really trying to say that I can assure you, client, that your systems provide you with no assurance? Strange.
For me the important thing is that clients manage their risk. So a report assuring them, from an independent perspective, of that risk status is valuable in my view. It focuses the management team and audit committee on net risk (which is ultimately the purpose of risk management). Assurance should always be full (in that the assurance should be full over the scope of the review being undertaken). Is the adequacy of risk management an audit view or not? Well, I believe it is both: it should be grounded in the client’s risk appetite, as independently considered by the auditor. Thus it is both the view of the auditor and the view of the client.
The second issue is how to deal with the issue of smaller and larger audit scopes. Clearly the risk from something small, even if poorly managed, is still small. So how does a single scale cope with this? I would suggest that it copes by having different risk levels. Thus a high net risk operational report is a medium-risk tactical report and a low-risk strategic report. This takes time to train auditors, clients and audit committees to appreciate, but it makes perfect logical sense. It also helps to focus the auditor and the auditee on the real scale of the things being assessed.
So what do you think? Have you reviewed your reporting recently?