IIA & Standards

Critiquing the IIA's Guidance on Communicating Audit Results

Global · · normanmarks.wordpress.com

Norman Marks reviews the IIA's new Global Practice Guide on Communicating Results of Internal Audit Services, highlighting both its strengths and weaknesses. He praises the emphasis on understanding stakeholder needs but criticizes the guide's adherence to a non-risk-based approach for audit opinions, advocating instead for conclusions focused on the effectiveness of controls over significant risks to enterprise objectives. Marks provides actionable recommendations for internal audit practitioners to improve their communication strategies, emphasizing clarity, timeliness, and a strong risk-based perspective.


Review of the IIA's Global Practice Guide

Norman Marks provides a critical review of the IIA's recently published Global Practice Guide, "Communicating Results of Internal Audit Services." Marks, who was involved in the development of the guide's 2009 predecessor, offers a balanced perspective, acknowledging excellent content while also pointing out areas he believes are in error.

Key Strengths Identified

  • The guide's opening statement, emphasizing the importance of understanding stakeholder needs and clarifying expectations with the board and senior management, is highly commended. Marks aligns this with his own philosophy: "Tell them what they need to know, when they need to know."
  • The guide's recognition that internal audit can observe patterns and themes across multiple engagements, leading to higher-level conclusions about systemic issues, is also highlighted as a valuable aspect.

Areas for Improvement and Criticism

  • Non-Risk-Based Audit Opinions: Marks strongly criticizes the guide's mandate for final communications to include a conclusion on the effectiveness of governance, risk management, and control processes of the *activity reviewed*. He argues that risk-based auditing should focus on providing opinions on the management of specific risks, not the entire activity.

  • Meaningless Terminology: The use of terms like "satisfactory" for control effectiveness is deemed "wholly unsatisfactory" and meaningless, as it fails to provide actionable information to stakeholders.

  • Lack of Focus on Enterprise Objectives: Marks suggests that engagement conclusions should articulate whether the system of internal controls provides reasonable assurance that in-scope risks are maintained at desired levels, directly linking to the achievement of enterprise objectives.

  • Inadequate Examples of High-Risk Findings: The examples provided for "high risk" findings are criticized for not clearly explaining how these issues significantly impact the achievement of enterprise objectives, making it difficult for management and the board to understand their true significance.

  • Omission of Continuous Communication with Management: Marks notes the guide's failure to cover the crucial aspect of ongoing, two-way communication with management throughout the audit process, including confirming facts, discussing risks, and agreeing on corrective actions before reports are finalized.

  • Absence of Overall CAE Assessment: The guide omits the need for a Chief Audit Executive (CAE) to provide an annual overall assessment of the organization's systems of internal control and risk management, a practice Marks found valuable in his own experience.

Norman Marks' Recommendations for Practitioners

Marks concludes with a set of practical recommendations for internal audit practitioners:

  • Adopt a risk-based approach, focusing assurance engagements on significant risks to enterprise objectives.
  • Communicate what customers need to know, when they need to know it, in an understandable and actionable format.
  • Agree upfront with customers on communication needs, timing, and methods.
  • Be fair and objective, acknowledging positive observations.
  • Discuss issues promptly with management to facilitate quick resolution.
  • Assess findings and overall conditions based on the effective management of risks to enterprise objectives.
  • Clearly state whether internal control systems provide reasonable assurance that significant risks are effectively managed.
  • Avoid unnecessary content and verbiage in reports.
  • Prioritize in-person communication when beneficial.
  • Be flexible in reporting formats, adapting to customer needs.
  • Regularly evaluate the effectiveness of communications and adjust as needed.

Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →