How to get a real added value from internal audits
Internal audits often deliver only part of their value ; opportunities to improve the company performance are missed.
The largest companies have set up internal audits structures and internal control processes. Beyond responding to Sarbanes-Oxley act (issued in 2002 after Enron scandal and others) they should contribute to a better company performance and risk control. Also, in a lesser extent, external audit done by financial consulting companies in order to certify accounts could bring more than confidence in companies’ financial statements.
How many audits findings or recommandations are used by senior management in their business decisions ? Not many. In the real practice, company performance improvements that were initiated from internal audits are still too scarce. Several studies on internal audit reveal that more than half of executives believe there is room for improvement. Internal Audit structure are costly: why can’t they deliver beyond their narrow focus on compliance ?
I see 2 possible reasons : the audit quality is not sufficient, the management see internal control and audit as another useless layer of reporting. Good news is that solutions do exist : let’s see how those issuess can be resolved. If you want to know more please check this web site : audit-value.com.
Reason 1 : Quality of audits. The quality of an internal audit report is of course absolutely essential to make it accepted and used by auditees to improve their performance and risk control. Several ingrediends are necessary :
- The first ingredient of a good audit report which is simply its perfect clarity. This quality, which seems achievable if the report is carefully written, is however not so common, even among carefully written reports ! Describe clearly and simply, a human reality often complex, full of different points of view, is much more difficult than it seems. Even if auditors found nice and strong evidences, the report clarity is not granted.
Indeed, an audit is like a food recipe: even with high quality ingredients (audit factual findings and evidences), the quality of the meal is not guaranteed. Report clarity requires to quantify findings and explain the impacts (loss of turnover or profitability, impact on customer satisfaction, etc.). Another flaw disturbing clarity of a report is the redundancy of the same finding. Beyond discomfort for the reader to encounter rehearsals throughout the report, there is a risk of presenting same finding with different views (positive or negative) which will disorient the reader: this dual appreciation is seemingly contradictory but indeed possible if these findings are used to answer different questions addressed by the audit.
- The second ingredient is to use an appropriate structure for the report, and I recommend to start with the conclusion in every bit of the audit structure (from the report structure to the paragraphs structure). Audit report should be written at the opposite of the methods learnt in schools, which promotes the “introduction — development- conclusion” order. Within a report section or paragraph, starting with the conclusion is required : within the first sentences the main idea has to be expressed. In addition, to insure the general consistency of the report where some redundancies are inherent between executive report / audit findings / recommandations, the ideas must be presented in identical order, starting with the most important.
- Surprisingly, a nice clear report providing a good picture of the situation, even without discovering facts unknown by management, is already highly helpful for senior management decisions. But of course we want to go beyond because audits can provide more : they can reveal new informations. To do this, the auditors must address the real value added questions that are interesting the top management. So, why don’t they ask those good questions ? It it quite amazing to see that it is often a matter of audit schedule management. During audits, the auditors process a high volume of informations, most of them of low value. When a potential high value information is processed, the auditor has to make a decision about the time he can allow to dig it (ask the good questions). The key is to have the time available. It is therefore firstly a question of audit schedule : if the audit leader is able to keep the audit schedule on time, auditors will have time to perform added value work. From there, auditors have to balance the audit report by allowing sufficient space to assessement of the technical and financial performance: risk management and activities should not be the only corner of appreciation of the entity. This performance analysis will be complemented with a challenge on the objectives themselves : experience shows that these goals need to be challenged. It seems that the top management sometimes lacks time and independent analysis of the operational management of the entity to set them relevant targets, although this is an essential task. Internal audit seems to be the only opportunity to challenge the performance objectives set by top management. Who else than internal audit have time and legitimacy to do this challenge?
Reason 2 : The management misunderstanding of what is internalt audit comes from the difference in perception of what are the risks between the vision of managers and the internal control methods perspective: managers are oriented “business risk” while internal control methods are oriented “common cross-risks ” (risks shared by all kind of businesses). The result of this difference is that the managers do not understand that internal control is intended to master all risks (business risks and common cross-risks) related to their activities.
- The managers of an entity engaged in a given trade are naturally inclined to see mainly the “business risk” (eg machine breakdown risks on a car production line, competitive risks in marketing activity, risks of bugs in software creation activities …) and remotely perceiving the “common cross-risks” (fraud, reliability of accounting, regulatory compliance …)
- For their part, the internal control procedures are standardized, so they provide reading grids that are primarily oriented on general risks shared by most business activities, it is the “common cross-risk” . This perspective intends to raise awareness among managers of these risks which are often underestimated. These general risks are potentially very numerous, and not to miss anything, methods try to cover a broad spectrum, far too broad: these good intentions are counter-productive. In addition, concerning business risks, methods of internal control are silent, because they can not identify all risks of all existing kind of business. The methods are indeed universal, suitable for all types of activities, they cannot embrace all kind of specific business risks
- None of these 2 visions are correct: the ideal internal control system for an entity is not standard; it is necessarily a custom instance to the entity concerned. It combines “common cros-risks” and specific business risks. Therefore, the internal control Director should adjust, within methods and the company’s internal policies, the balance between the “common cross-risks” and the business risks. In addition, the internal audit team can also offer support to entities, after auditing them, so that they benefit more from audits findings.