Mr. McLaughlin chaired the conference and led a session on Quality Assurance: Standards, Approaches and Peer Review. Mr. Eastman delivered the final presentation of the event, which he entitled, “The Why, What, How, When and For Whom of Audit Reporting.” A text of Mr. Eastman's presentation follows. We will also produce Updates soon on two other sessions from the conference.

NOTES FOR REMARKS BY:

MICHAEL EASTMAN, EXECUTIVE DIRECTOR, CCAF-FCVI INC. TO THE CONFERENCE
ON BEST PRACTICES IN INTERNAL AUDIT FOR THE PUBLIC SECTOR

My plan is to throw out for your consideration a range of different ideas about audit reporting, drawn from a number of leaders in the field. No single approach is likely to suit every organization, so I do not intend to present a “one size fits all” approach. I do hope, however, that each of you will be able to find a few good ideas that are suitable for your organization.

Why is audit reporting important?

I'd like to start by addressing the question of why audit reporting is important – or more to the point, why is it more important today than it was in previous years?

There are, I think, two broad reasons why audit reporting is more important that ever.

One: audit reports are getting a lot more attention these days. And two: they are getting more attention just when the demands are getting greater.

MORE PEOPLE ARE PAYING ATTENTION

We know why your reports are getting more attention. Can you spell “sponsorship”?

The internal audit function did its job in the sponsorship scandal. The Government of Canada came out of that experience saying, “Whoa, we need to pay more attention to what our internal auditors are telling us.”

So the government created the position of Chief Audit Executive in departments and agencies to give the audit function more profile at senior levels. It also strengthened the role and independence of departmental audit committees.

Treasury Board's Policy on Internal Audit says, “Departmental audit committees will prepare annual reports to their deputies on their activities, including assessments of the internal audit functions.”

The federal government also resurrected the position of Comptroller General, with responsibility to ensure that the internal audit function is vigorous across the government.

At the federal level, then, we now have Chief Audit Executives bringing internal audit reports to the attention of more powerful and activist audit committees and more attentive deputy ministers. We have audit committees charged with assessing the quality of the internal audit function in their organizations. And we have central agencies keeping an eye on things, too.

OTHERS ARE PAYING ATTENTION TOO

Bureaucrats were not the only ones to learn lessons from the sponsorship scandal.

Any good journalist covering public affairs will have noted that internal audit reports are a potential source of juicy stories. I'm sure you will have noticed, as I have, that the results of internal audit reports are increasingly finding their way into the headlines. What started out as advice to management is suddenly transformed into the scandale du jour for the entertainment and enlightenment of people across the country.

Journalists aren't the only ones looking at those reports. Special interest groups are reading them so they can track the evolution of their issues. Opponents of particular programs - think of industrial support programs or the gun registry- are looking for ammunition to support their views. No pun intended.

So, yes, audit reports are getting a lot more attention these days. From a lot of different people.

THE DEMANDS ON INTERNAL AUDIT ARE GETTING GREATER

Which brings me to my second point about why audit reporting is increasingly important: the demands on internal auditing are getting greater.

At our National Forum of Government Chief Internal Auditors two years ago, we discussed the role of internal audit in risk management. It came out in the discussion that, in some provinces and territories, the internal audit function was working closely with management to implement formal risk management policies and processes.

In others, internal auditors were initiating the development of a policy and framework; some were leading or facilitating training; and some were exploring the concept and encouraging managers to consider the advantages of a formal approach.

The group concluded that if a formal risk management function does not exist in an organization, the internal auditor has a responsibility to bring the matter to the attention of management as an audit issue. This is because risk management is a key internal control, and its absence signals a deficiency in the internal control framework.

At the federal level, the Policy on Internal Audit mandates chief audit executives to provide “annual holistic opinions to deputy heads and audit committees on the effectiveness and adequacy of risk management, control, and governance processes in their departments, as well as reporting on individual risk-based audits.”

So whatever role internal audit may play in the risk management process, reporting on risk is placing demands on the internal audit function.

This is a good example of how internal audit has evolved from fulfilling primarily a financial compliance function to playing a key role in an organization's governance framework. The bottom line is that the demands on internal audit reports - your tool for communicating your findings - have increased.

There are two other important trends I want to note here:

• One, the new reporting standards for federal, provincial and territorial governments, and
• Two, the growing pressure on internal audit to “follow the money” to ensure grants, contributions and loans to organizations outside of government are used appropriately.

I won't go into these trends in any detail except to say that they complicate the reporting mandate of the internal audit function - just as internal audit reports are receiving increased scrutiny. Not a perfect storm, perhaps, but certainly a heavy downpour.

What should internal audit reports contain?

Now let's move on to the what of internal audit reporting: What should internal audit reports contain? To answer this question, I consulted a number of expert sources.

In 2004, the Auditor General of Canada issued a report on Internal Audit in Departments and Agencies. It said audit reports should communicate the results of an audit, and contain a statement of assurance. The statement of assurance, it said, “informs the reader of the quality and rigour of the auditors' work and the sufficiency and quality of the evidence supporting the findings and conclusions.”

I found it interesting to read what the Office of the Auditor General of Canada says on its web site about the contents of its own audit reports. The web site says the Office's performance audits answer the following key questions:

• What did the audit look at?
• Why is it important?
• What would the audit team expect to find if everything were working properly?
• What did the audit team find: What is working well? What needs improvement?
• What did the audit team recommend to improve operations or performance?

On the matter of recommendations, the Internal Audit Policy of British Columbia's Office of the Comptroller General says audit reports must recommend corrective action where appropriate.

The United Kingdom's Government Internal Audit Standards provide a very thorough list of what should go into an individual audit report. They say the records for each audit assignment should include the following:

• the objectives and scope of the assignment
• how these objectives have been achieved
• a description of the objectives of the business area covered by the assignment
• the risks, controls and all other material factors examined by the assignment; together with the evaluation criteria employed by the auditors
• an evaluation of the effectiveness of risk management, disclosing weaknesses and non-effectiveness, over-control and poor value-for-money
• the opinion given
• any recommendations for improvement
• any areas of disagreement between the auditor and management that cannot be resolved by discussion
• disclosure of any relevant non-compliance with any of the government's audit standards in the conduct of the audit, and the reasons for the non-compliance
• any indicators of fraud that may have been detected, and
• how all these points have been reported to the sponsor.

The Auditor General of British Columbia conducted an audit of Internal Audit in BC Health Authorities in 2004. His report said audit reports should describe the purpose of the audit, the scope of the work carried out, findings relative to best practices, and recommendations for taking action where problems and deficiencies have been noted.

I think the point about “findings relative to best practices” is a good one.

Recently, over a period of several years, CCAF conducted an extensive research program on the subject of the performance reports that governments produce. One of our most valuable outputs was a set of nine principles for better performance reporting. Though performance reports are clearly different from internal audit reports, I think most of the principles are transferable.

One of the principles was to provide comparative information, as BC's Auditor General recommended. Let me quickly list the other eight:

• Focus on the few critical aspects of performance
• Look forward as well as back
• Explain key risk considerations
• Explain key capacity considerations
• Explain other factors critical to performance
• Integrate financial and non-financial information
• Present credible information, fairly interpreted
• Disclose the basis for reporting.

REPORTS FROM THE CHIEF AUDIT EXECUTIVE

Individual audit reports aside, there is also the question of what a chief audit executive should report to his or her senior management and/or board.

Institute of Internal Audit Standard 2060 says, “The chief audit executive should report periodically to the board and senior management on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan.” It continues, “Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.”

The UK Government Internal Audit Standards elaborate on this. They call for the Head of Internal Audit to present an opinion, in an annual report to senior management, on the overall adequacy and effectiveness of the organisation's risk management, control and governance processes.

The UK standards say this annual report should also:

• isclose any qualifications to that opinion, together with the reasons for the qualification
• summarize the audit work undertaken to formulate the opinion, including reliance on work by other assurance bodies
• note any issues the Head of Internal Audit judges particularly relevant
• compare work actually undertaken with the work that was planned, and summarize performance of the internal audit function against its performance measures and criteria, and
• comment on compliance with the government's internal audit standards.

How should internal auditors report?

I've talked about why internal audit reports are important, and what they might contain. Now let's look at how internal audit reports should be presented. We can deal with this one fairly quickly.

Obviously, reports should be factual and accurate.

The UK Government's Internal Audit Standards make these points:

• Reports should be clear, concise, and constructive.
• They should be security classified in accordance with organizational policies and should avoid unauthorized disclosure of material that would otherwise be subject to a security classification.

We tend to think of audit reports as written documents. But do they have to be written?

The United States Government Accountability Office has established Reporting Standards for Performance Audits. The number one reporting standard is, “Auditors should prepare written audit reports communicating the results of each audit.” [emphasis added]

The standard goes on to say:

“Written reports

(1) communicate the results of audits to officials at all levels of government

(2) make the results less susceptible to misunderstanding

(3) make the results available for public inspection, and

(4) facilitate follow-up to determine whether appropriate corrective actions have been taken.

The need to maintain public accountability for government programs demands that audit reports be written.”

The standard does allow that, “Audit reports may be presented on other media that are retrievable by report users and the audit organization. Retrievable audit reports include those which are in electronic or video formats.”

The message I take away from that is that there is always a need for a written report, with the possibility of complementary reports in other formats to suit particular audiences or uses.

When should audit reports be issued?

We've now covered why, what and how. The next question is when – when should audit reports be issued?

The Government of Alberta's Internal Audit Charter calls for Alberta's Internal Audit Office to report “following the completion of each audit engagement.” BC's Internal Audit Policy says much the same thing.

The UK Government's Internal Audit Standards say this of audit reports: “They should be issued promptly and within laid down timescales.” This implies that someone should establish timelines for audit reporting.

The Government of Canada's Policy on Internal Audit says audit reports should be “issued in a timely manner.”

So what constitutes “prompt” and “timely”?

The 2004 report of the British Columbia Auditor General on internal audit in BC Health Authorities offered this perspective: “To ensure that senior management and the board are informed about internal audit findings on a timely basis, it is important that audit reports be issued shortly after the audit has been completed.”

My reading of this statement is that senior management may only have a limited window of time to take appropriate action on audit findings, and that audit reports should therefore be issued while that window is still open.

As the US Government Accountability Office Reporting Standards for Performance Audits indicate, “A carefully prepared report may be of little value to decision-makers if it arrives too late.”

This could be a helpful insight if you are weighing competing priorities for getting reports out.

Compare that thought to this comment from the Auditor General of Canada, in her 2004 report on Internal Audit in Departments and Agencies: “To be useful, audit reports should be completed without delay and be easily accessible to the public in a timely manner.”

Note the words, “to the public”. The Auditor General's report said the total time it takes in the federal government from the planning phase of an audit to the release of the final report and its posting on a web site ranges from 11 to 24 months. This, said the Auditor General, is not timely.

The report continued, “The delays occur in the reporting phase of the audit, as this stage involves a departmental review of the report before it is released.” In other words, the public's interest in getting timely access to audit reports is coming second to management's interest in looking at the reports.

Which raises the question, “For whom, exactly, should audit reports be prepared?”

For whom should audit reports be prepared?

The UK Government's Internal Audit Standards say a written audit report should be issued to the sponsor.

The Internal Audit Policy of British Columbia's Office of the Comptroller General says a written report must be issued to the deputy minister or other appropriate officials of the ministry or agency.

The Auditor General of British Columbia, in his 2004 audit of Internal Audit in BC Health Authorities, said reports should be provided to:

• management responsible for the area audited
• the Chief Executive Officer, and
• the Finance and Audit Committees.

The Government of Alberta's Internal Audit Charter says that, for Ministry audits, the Office of the Chief Internal Auditor will provide a report to the deputy minister. It says that for an agency, board or commission, the report will be issued to the audit committee chair and copied to the CEO and deputy.

These are all perfectly valid audiences for internal audit reports. But increasingly they are not considered the only ones.

As more and more people recognize internal audit as an important tool for accountability, more and more people want internal audit reports to be available to the public, to whom government is ultimately accountable.

Like it or not, access to information laws are making internal audit reports increasingly accessible. Today, many governments are posting reports on their web sites for all to see. The bottom line is that the audience for internal audit reports is expanding.

Earlier this year, CCAF published a report entitled, “Users & Uses - Towards producing and using better public performance reporting.” Our research looked at how legislators, the media and the general public use the public performance reports that governments produce. It also suggested ways for governments to create more relevant public performance reports.

I think the internal audit community could learn from the key message coming out of that research: that reports should be written to meet the needs of the people who are going to use them. If journalists, special interest group members and others are now part of your audience, you need to take their needs into consideration. Not exclusively, but in addition to the needs of program managers, senior executives, audit committees and central agencies.

To find out if you are meeting the needs of your users, whoever they may be, you need to go out and ask them.

So there you have it: The Why, What, How, When and For Whom of Audit Reporting.

Copyright © 2006 CCAF-FCVI
Privacy Policy