The IA toolchain #4 — I would have written a shorter report, but I didn’t have the time.
I would have written a shorter letter, but I did not have the time — French Mathematician Blaise Pascal 1657.
What is an audit report for?
The processes and tools we use to “communicate the results” of our work are a key element in the IA toolchain.
There are plenty of good opinions out there about audit reports,
Norman Marks — Keep what you send to the executives and the board limited to what they need to read and no more. Make it easy for them to pick up your reports promptly, digest the actionable information, and take whatever actions are needed — now, when they are needed.
Richard Chambers — The ultimate objective of internal audit reporting is not to describe what we found or to make recommendations for improvement. It is to persuade readers to take action.
Sara James — Concise writing is part of clear writing — each needs the other. Both lead, happily, to useful, which means relevant.
The key point in achieving these is summed up by Tracie Marquardt.
Your stakeholders’ needs can change over time. So if you have an audience you communicate with regularly, make sure to build in a mechanism to find out if their needs and wants have changed.
Great audit reporting is useful and like any product, a continuing focus on user needs helps to make sure it remains useful. This means the starting point should always be your customers and understanding what they actually need (For more on understanding user needs see my blog on using the Jobs-To-Be-Done Framework in Internal Audit).
The experts above provide many valuable resources on the craft of writing persuasive audit reports. To go alongside this I have been thinking more practically about how technology solutions could help deliver communication in a way that is more efficient and effective for both auditors and our customers.
The Digital Audit Report
11fs is a financial services consultancy with a really clear view on what a Digital product is, they talk about the difference between a digitised product vs a digital product. The key distinction is between using technology to perform a legacy process (digitised) vs taking the underlying user problem and addressing it in an innovative way using technology (digital).
For example;
Legacy: Printed audit report
Digitised: Emailed version of the printed report that is static and not tailored for the various audiences.
Digital: A technology enabled approach that communicates outcomes quickly and clearly in a manner that is tailored to the user.
What might a Digital Audit Report look like?
To illustrate some key features of a digital audit report I have used the Atlassian Confluence and Jira tools. You could use another Wiki type tool like Notion or even SharePoint pages. If you work with technology teams maybe even a GitHub markdown document and GitHub issues and pull requests to track recommendations. I’ve used the IIA 5 C’s Model as a framework to ensure key elements are included in the report.
A Digital Audit Report would be:
- Concise — Reports should consist of nested levels of detail that provide the key facts in brief and provide the ability for customers to “drill down” if they require further detail. Using hyperlinks to background content and expandable text fields helps to present only the most important information whilst allowing users to drill into more detail if they prefer.
- Adaptive— The report is not a static product, it shows the status of remedial actions as they are completed and can be referred back to easily to track progress. Hyperlinks provide links to the underlying issue records in the issue tracking system.
- Modular — Key facts are defined as parameters that can be easily identified by stakeholders. These facts are then able to be easily aggregated and queried in future. A lot of work is often spent in crafting narratives about what we did and why we did it and the outcomes we found. By structuring all of this information the user can easily identify they key elements that are useful to them (see the issue table example above). Sometimes the user might be looking for the root cause while someone else may be more worried about the risk statement. By splitting all of the elements into clear data fields users can quickly find what they are looking for and be clear on the message.
- Flexible — The format of reporting can be easily adjusted as stakeholder needs change or to provide different views for stakeholders by combining the modules in different ways.
- Accessible — If a stakeholder wants to refer back to a report it is easy to find on company systems and specific text or subjects can found across all of the reports using a search. Reports should be accessible across the organisation where to learning. A wiki type platform like Confluence gives the ability to share the report easily throughout the organisation and provides access controls to restrict sensitive content. You can send a URL to a stakeholder to review and they can also use a search bar or navigation tree to find what they are looking for themselves.
- Collaborative — Reports should be able to be generated in a real-time collaborative process. This limits waste introduced by version control and review activity. A truly collaborative audit report could allow comment and discussion from all stakeholders throughout its life.
But it Doesn’t Look Nice Like My Reports
I’m sure some people will look at this and say It doesn’t look as flashy or polished as the meticulously formatted documents IA functions often spend hours and days on. The experts suggest we make audit communication as useful for the user as possible. So in my opinion losing some polish in formatting and design in exchange for efficiency, brevity and usability might be worth the trade-off.
