
IA Reporting Presentation

Uploaded by

nitin

Internal Audit Reporting Leading Practices
Presented by XXX
Executive Summary
ABC Company: Audit of Pricing
June 2020 | Company Wide | Sales Organization

Spotlight on Strategic Initiatives: Data Quality, People First, Efficiency

Internal Audit analyzed pricing procedures and related systems, including controls and compliance with policies. Observations related to internal compliance violations and overall process improvement and efficiency opportunities were identified. Management has agreed to recommendations and is currently preparing detailed action plans to address these items.

By the Numbers
● 22K Contracts Assessed (100%)
● $12.5M Lost Revenue (8%)
● 2% Contracts Below Floor
● 4 System Issues
● 800 Missing Contracts

Areas of Focus

Missing Contracts
● 800 transactions (3.6%) were not associated with an executed contract, resulting in legal and financial exposure
● Indicative of broader opportunities for improvement within CPQ processes

Revenue Leakage
8% of contract value eroded, resulting from:
● Unapproved pricing
● Contracts below floor
● Inaccurate invoicing
● Unexecuted price escalations

[Chart: displays leakage % by BU]
● BU-A is an outlier with 15% leakage ($7M)
● Pervasive issue across all BUs, avg of 8% leakage

ABC Company: Mid-3T-2020 Internal Audit Summary
November 2020 | Company Wide | Periodic Progress Report

By the Numbers
● 44 Projects Completed/Ongoing
● 55% New Audited Areas
● 12% Open High-Risk Observations
● 3 Emerging Risks

2020 Plan, Top Risks: Status and Coverage
● Cloud Security - Completed, 4 High Risks
● Employee Safety - Completed, 2 High Risks
● HR Transformation - Completed, 3 High Risks
● Systems Consolidation - In Progress
● Fleet Optimization - Delayed

Issue Status: Open Issues Over Time
[Chart by quarter: Q1’20, Q2’20, Q3’20, Q4’20]

Projects by BU and Risk; Top Risks Themes across BUs
Identified recurring risks during the previous 12 mo.
[Chart: BU A to BU F against risk themes Plant Safety, IoT - Sensor, Counterfeit IP]

Aging: Priority Issues
● 12% issues are unresolved after 1 year
  ○ -5% from prior period
● 33% of current open issues are high risk
  ○ Up from 9% in Q1 ‘20

Reporting Leading
Practices

Introduction
Internal auditors must communicate the results of engagements. However, the format, content, and timing of such communications may vary by organization and engagement type.

IIA Standard 2400: Communicating Results

Reporting - IIA Guidance
IIA Standard 2420 – Quality of Communications

● Accurate: Free from errors and distortions and are faithful to the underlying facts.
● Objective: Fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.
● Clear: Easily understood and logical, avoiding unnecessary technical language and providing all significant and relevant information.
● Concise: To the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
● Constructive: Helpful to the engagement client and the organization and lead to improvements where needed.
● Complete: Lack nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
● Timely: Opportune and expedient, depending on the significance of the issue, allowing management to take appropriate corrective action.

How do you feel your current practices rate against these quality components?
Legend: Primary Focus Area; Improvement Opportunity Area; Not a Focus Area

Reporting - Your Current State Assessment
(For Example Purposes only)

IIA Standard 2420 – Quality of Communications: Current State Gap Summary
● Accurate
● Objective
● Clear: Formal internal audit-focused language
● Concise: Lengthy, little visualization
● Constructive: Subject to wording/rating negotiations
● Complete: Lack of conciseness may mask themes
● Timely: Long cycle times/editing

Legend: Primary Focus Area; Improvement Opportunity Area; Not a Focus Area

Reporting - Lifecycle

Project Objective and Test Plan → Testing Results → Exceptions, Issues, Risk areas → Reportable items → Formal project reports → AC reporting

Your methodology should define what makes it past each filter and drive consistency.

Reporting - Grounding Principles

● BRAND: Think about reporting in context of your brand.
● AUDIENCE: Think about the intended audience.
● PERSPECTIVE: Think about the reader’s perspective.

Reporting - Words of Wisdom

“Stakeholders have last word on whether internal audit adds value”
Richard Chambers Blog 10/01/18

“Internal auditors have to provide insight and foresight, not just hindsight”
Richard Chambers Blog 10/01/18

“Dear Internal Audit Client: I am sorry this report is so long. I didn’t have time to write a short one. The good news is, it’s so long you probably won’t read it and give me a hard time about the stuff I got wrong.”
Richard Chambers 8/01/18

“It’s hard to audit at the speed of risk when your internal audit processes move at the speed of glaciers!”
Richard Chambers 10/11/18

Reporting Leading
Practices

Ratings
Ratings - Introduction

“Ratings can be a powerful tool, but if management and the audit committee place undue emphasis on them, they tend to have a polarizing effect on line and operating managers whose performance ends up being summarized in a single word: "unsatisfactory."”

Richard Chambers summarized the undesirable consequences of ratings in internal audit reports:

● Ratings may foster friction between internal audit and operating management. This is particularly true when ratings are used as negative indicators in performance management plans.
● Ratings add to the reporting process time (increasing how long it takes to finalize an audit).
● Ratings may diminish the significance of important audit findings. If the ratings are assigned only to the final report, and not to individual findings or issues, the reader may overlook important results in the audit report.
● Management is less likely to openly share known control weaknesses with the audit teams.

Source: IIA Article
Ratings in Audit Reports: Lights or Lightning Rods?
By Richard Chambers 3/26/2019

Ratings - Leading Practices

“...more than two-thirds of IIA survey respondents said they included ratings in their audit reports.”

“Regardless of the methodology, the objective for assigning ratings is typically the same: It is a powerful way to draw management and the board's attention to the bottom line of an internal audit.”

Source: IIA Article
Ratings in Audit Reports: Lights or Lightning Rods?
By Richard Chambers 3/26/2019

Ratings - Leading Practice Examples
Topics: Overall Ratings; Overall Rating Designations; Finding Ratings; Finding Rating Designations; Rating Methodology

Overall Ratings

Benefits
● Clearly communicates the level of significance or concern that internal audit places on a report.
● Avoids the possibility of misunderstandings by management or the Audit Committee

Cautions
● Decision to use ratings should be based on your stakeholder needs and expectations
● Clearly indicate the scope to which the rating applies to avoid unintended wider attribution.

Ratings - Leading Practice Examples

Overall Rating Designations

Designation options: Words, Colors, Icons, Scales

Number of Categories: Example Category Words
● Two-Point: Priority, Important
● Three-Point: Satisfactory, Improvable, Unsatisfactory
● Four-Point: Highly Effective, Effective, Needs Improvement, Ineffective
● Five-Point: Very Good, Good, Satisfactory, Weak, Seriously Deficient
● Five-Point: Trailing, Basic, Developed, Advanced, Leading

Ratings - Leading Practice Examples

Finding Ratings

Benefits
● Helps management prioritize the timing, level of resources, and extent of remediation efforts.
● Provides a consistent framework and language to communicate risks, audit status, and track trends over time.

Cautions
● Clearly define the perspective to which ratings apply - Corporate vs. Auditee.
● Rating system should balance ability to differentiate severity and potential time debating between categories.
● No one clearly preferred method exists.

Ratings - Leading Practice Examples

Finding Rating Designations

Same considerations apply in terms of number of categories and how to display them.

Example Category Words
● Requires Action, Opportunity
● Priority, Important
● High, Medium, Low
● Minor, Moderate, Significant
● Low, Medium, High, Critical

Rating Scale Components
● Impact
● Likelihood
● Velocity

There should be linkage between finding ratings results and overall rating methodology

Ratings - Leading Practice Examples

Rating Methodology (ordered from more common to less common)

Descriptive
● Defines consideration criteria and documents thought process for rating results.
  ○ Materiality
  ○ Brand risk/pervasiveness
  ○ Legal/Regulatory risk
  ○ Others

Decision Tree
● Depicts consideration criteria in the form of questions.
● Provides transparent mechanism for process owners to understand results.

Calculation
● Leverages weighting and formulas to calculate results.
● Reduces subjectivity and inconsistencies.

Reporting Leading
Practices

Report Format
Reports - Introduction

To keep your audience engaged, audit report formats should be revisited every year or two. And when you update, consider new ways of presenting existing ideas.

No longer are we tethered to long paragraphs and verbose explanations. We can communicate just as effectively in words, graphics, and colors.

Source: MIS|TI Article
Audit Writer's Hub: 7 Steps to Overhaul Your Audit Report

Bear in mind, studies show that the average time a reader initially spends with something in the written form is 3-5 seconds. The reader wants to determine as soon as possible if they care or not about what’s being said.

Source: MIS|TI Article
How to Write An Audit Report that Gets Results

Reports - Categories

Project Level Reporting Audit Committee Reporting

Reports - Internal Audit Project Level: Leading Practices

Columns: Fundamentals (Based on IIA Audit Reports Practice Guide and Implementation Guides) | Leading Practice | Current State Self-Assessment

Fundamentals
● Executive Summary: Clear and concise overview of the engagement results to efficiently deliver critical information with a persuasive, well-substantiated key message to stakeholders. It should not contain technical jargon or internal audit methodologies.
● Objective, Background, Scope & Approach: Communications must include the engagement's objectives and scope. Scope defines specific processes, risks, business units and time period. Defining out of scope areas is recommended. Relevant background and key metrics provide context to the reader. Approach can provide clarity on extent of testing (i.e. inquiry, observation, inspection, reperformance).
● Findings and Management Response: Observations should include the condition, criteria, cause, effect, and rating; be supported with evidence, brief and organized, and in simple language. Recommendations and/or action plans must be included in the final communication and should provide a practical, feasible solution with owner and due date.
● Insights or Recommendations: Stakeholders look to internal audit to provide value, and insights or recommendations are two ways this can be captured within project reports.
● Distribution: The distribution of the report must be directed to the intended recipients and disseminated to the appropriate parties who can ensure that the results are given due consideration. Written reports may be structured for multiple types of recipients, or more than one type of report may be needed based on stakeholders’ needs.

Leading Practice
● Accurate, Fact-based
● Risk-based, Relevant
● Clear, Concise, Simple
● Visual
● Make your best ideas stand out

Reports - Internal Audit Project Level: Current State

Questions to consider
1. What aspects of your reporting process work well?
2. What aspects of your reporting process do not work well?
3. What are the potential roadblocks to making changes to the template or process?

Report Component Considerations
● Overall delivery format
● Departmental branding
● Ordering
● Contents delivery format
● Contents details: purpose/audience
● Use of appendices

Reports - Audit Committee Level: Leading Practices

Columns: Fundamentals (Based on IIA Audit Reports Practice Guide and Implementation Guides) | Leading Practice | Current State Self-Assessment

Fundamentals
● Executive summary: This is an opportunity for the CAE to illustrate the value enhanced and protected by the internal audit activity and the implementation of its recommendations. Components may include highlights of activities within the quarter, progress against plan, and key themes.
● Risk profile: Provides a mechanism to report on processes for identifying significant risk and control issues, including management’s acceptance of risk. Summarizes results of the periodic risk assessment process, changes to current year plan, emerging risks and hot topics (watchlist).
● Internal audit activities and results: Reports the results of internal audit activities, including completed projects defined in the audit plan, updates on special requests made by the board/senior management, and other internal audit activities (including investigations). Should focus on those matters requiring the attention of the Audit Committee.
● Action plan tracking: Tracking the status of management’s action plans, to ensure the tone and expected completion of the response is in line with the significance and urgency of the issue, is important. Components include count/status of action plans and overdue items.
● Internal audit operations: Internal audit charter, strategic plan and progress, departmental key performance indicators and resources, quality assurance and improvement program, auditee survey results, and other IIA Standards required reporting elements.

Leading Practice
● Accurate
● Thematic
● Concise
● Visual
● Insightful

Reports - Audit Committee Level: Current State

Questions to consider
1. What aspects of your reporting process work well?
2. What aspects of your reporting process do not work well?
3. What are the potential roadblocks to making changes to the template or process?

Report Component Considerations
● Overall delivery format
● Departmental branding
● Ordering
● Contents delivery format
● Contents details: purpose/audience
● Use of appendices

Reports - Examples

Leading Practice Techniques
● Visualization of Findings
● Text to Table Formats
● Concise wording - headers, bullets, etc.
● Use of dashboards/balanced scorecards

Grounding Principles
● BRAND: Think about reporting in context of your brand.
● AUDIENCE: Think about the intended audience.
● PERSPECTIVE: Think about the reader’s perspective.

Reports - Example Visualization of Findings

Reports - Example Conversion from Text to Table Structure

Affiliate - Country X
Overall rating: Needs Significant Improvement

Background (limited text as needed)
● Number of Brands: 16
● FY18 Net Sales: $182M
● FY18 NOP: $41.3M
● Top 4 Customers represent 75% of Sales

Scope
● Financial Accounting
● Order to Cash
● Procure to Pay
● Inventory
● Warehousing
● Fixed Assets
● Information Systems
Out of scope areas:

Summary of Results
Comments        FY18    FY15
Significant     2       3
High            4       6
Medium          15      10
Low             1       5
Total           22      24
Repeat Items    5

Significant Comments
1. Master File Edit Reports
   Observation Summary Statement
2. I.T. - Access Security and Administration
   Observation Summary Statement

Reports - Example Concise Wording

Overall Results:
The following observations were identified during the course of our internal audit project:
• Observed many good practices across in scope areas.
• Identified opportunities to tighten controls around payment authorizations and vendor file maintenance.
• Provided insights into addressing the central challenges facing the Procurement team which include:
  • Balancing efforts to drive standardization and avoid becoming a ‘disruptor’ to operations.
  • Compensating for known system limitations within iProcurement and Oracle.

Exceptions:
● Eight of 11 (73%) affiliates could not provide requested customer master or change reports to demonstrate payment term changes. Consequently, we were unable to identify customers with 61+ day payment terms for testing.
● For the remaining three affiliates, 3 of 5 (60%) customers sampled had 120-day payment terms that were not approved by the SVP, Corporate Controller.

Result Themes:
While the total percentage of manual journal entries was within a generally accepted range, improvement opportunities exist.
● The amount of manual entries posted can be reduced.
● There is opportunity to consolidate journal entry responsibilities.
● JDE is not currently configured to easily identify manual journal entries.

Recommendation Themes:
● Reduce the number of manual journal entries processed to further reduce time and risk of error
  ○ There are recurring journal entries that are posted manually
  ○ 1,195 manual journal entries for <$1,000 each were processed totalling <$400,000
● Centralize more of the manual JE posting responsibilities to reduce the number of required manual JE users. 30 of the 63 users posted less than 50 entries.
● Configure JDE to clearly identify manual JEs for ongoing monitoring and evaluation purposes.

Reports - Example Dashboard/Balanced Scorecard

Thank you
