In my previous articles ('Risk management and Internal Audit - Confidence for full speed ahead' and 'Integrated Assurance - Shine Brighter'), I have likened internal audit to a lighthouse, with the chief audit executive (CAE) acting as the lighthouse keeper, providing independent assurance to the captain (the board) on the navigator and crew's (operational management's) ability to manage risk and guide the organisation through turbulent waters to successfully reach its destination, achieving its objectives whilst minimising potential negative impacts.

This final article considers how the CAE should report back to the captain on how the function has supported the ship (the organisation). This is Internal Audit's opportunity to shine the light on itself, to highlight the value it has added to the navigation of the ship, supporting it through rough waters and successfully reaching its destination.  

Reflecting

If you were to prepare a report following any journey, you would probably provide a detailed account of your experience, including the purpose, route, any challenges encountered, and any notable observations or incidents that occurred during your trip, all while maintaining clarity and conciseness. It is exactly the same when communicating with the board, both at assignment and organisational levels.

However, we internal auditors have our own guiding light – the Institute of Internal Auditors (IIA) Global Internal Audit Standards (GIAS), and in this instance Standard 11.3, 'Communicating Results'.

Standard 11.3 emphasises the importance of effective communication between Internal Audit and the board. The aim is to ensure that the board is well informed about the organisation's journey, potential hazards and recommended course corrections.

As part of the CAE's wider strategic conversations and communications with the board, they should determine and address any specific reporting requirements, including the extent, nature and frequency of routine and annual reporting. The CAE should regularly revisit these requirements to ensure they continue to understand and meet those needs.

The standard outlines the requirements for the CAE, or in our metaphor the lighthouse keeper, to present audit results in a clear, concise and impactful manner. 

The depth of information provided within the annual report to the board will vary. One of the prime drivers will be the frequency and depth of routine reporting throughout the year; the extent of comment within the annual report should be sufficient to enable the board to understand the scope, breadth and depth of internal audit activities.    

The standard states that the CAE may be required to make a conclusion about the effectiveness of governance, risk management and/or control processes, due to industry requirements, laws and/or regulations. However, it does not mandate it.  

Domain 1: Purpose of Internal Audit speaks of how internal audit enhances the organisation's achievement of objectives, governance, risk and control processes, oversight, and reputation. It goes on to state that internal audit is most effective when it is performed by competent professionals, independently positioned with direct accountability to the board and free from undue influence and committed to objective assessment.

Flying the flag for Internal Audit

The annual report is the opportunity to hoist and fly the flag for Internal Audit, demonstrate how we meet this purpose statement and our value to the journey. I have always provided an annual opinion, and I believe it to be valued by my client management teams and their boards.  

Remember, this is the opportunity to shine a light on the impact of internal audit and sell its value to the ship's journey. I recommend addressing the following areas.

• The purpose of Internal Audit and the audit plan, including how internal audit activities support the ship.
• A summary of the journey's activities, the audits undertaken, findings and recommendations arising. (The second article in this series considered Integrated Assurance, and where the CAE is placing reliance upon the work of others; this should also be clearly articulated.) 
• A comprehensive overview of significant audit findings, including areas of concern and potential risks. Recommendations for improvement should be clearly articulated, highlighting the benefits of implementing these changes.
• The performance metrics for Internal Audit, including key performance indicators (KPIs) relating to the internal audit function, enabling oversight and demonstrating that Internal Audit is accountable to the board for its own effectiveness. This should include the efficiency and effectiveness of audit processes, as well as the impact of audit activities on the organisation.
• Any agreed challenges or limitations to scope and, if necessary, any restrictions encountered in the performance of agreed upon internal audit activities. Were there any significant diversions on our journey?
• Notable observations or themes from assignment outcomes. Looking back over the findings and conclusions of engagements, when viewed holistically, may reveal patterns or trends, such as root causes. In fact, we should also look for themes throughout all audit activities to ensure that they are communicated in a timely manner, as part of routine reporting.
• Opinion statement about the effectiveness of governance, risk management and/or control processes. Although this is not mandatory under Standard 11.3, remember we are flying flag. We should be prepared to take a holistic look at our journey and articulate an opinion based upon the outcome of our work.  

In this reporting, remember to use clear and concise language to present the outcome of the journey. Be mindful of the detail and frequency of previous communications, reiterate core audit findings and recommendations if appropriate, avoid the use of jargon and technical terms that may serve little purpose and rather just confuse recipients.

Use visual aids within the report such as charts, graphs, and infographics to illustrate key points and present summary information. Visuals can help simplify complex information, and make the presentation more engaging. 

Try to avoid lengthy reporting. Volumes of text often serve no purpose and simply cause readers to switch off.

Finally, encourage interactive discussion. The CAE should present their report directly to the board, invite questions and feedback to foster a collaborative environment, feed continuous improvement and ensure the board’s expectations are met now and in the future.

Ports of call

Rather than thinking of the ship's journey as point to point, think of it as a cruise liner, stopping off at many ports of call, enabling the opportunity to reflect on the journey so far, taking stock of surroundings and sharing experiences.  

The CAE should agree a communications protocol with the board, keeping members appraised of the journey throughout, reflecting on experience to date, tailoring the depth of reporting to suit, and ensuring a frequent and meaningful dialogue.

Voyage of discovery

Our organisational ships do not tend to just move under their own power, 'making way'; they are making way using propulsive machinery and 'steaming' forward. Effective risk management and collaborative internal audit help provide management and the board with the confidence to make the decisions necessary to move 'full speed ahead', or where 'slow' or 'smart steaming' may be more appropriate.

The annual report and opinion of the lighthouse keeper is the ideal opportunity to take stock, reflect back on individual assignment outcomes, identify important trends, consolidate learning and provide clear messaging to the board, to support the ship on its next journey, navigating a world of uncertainty, informing organisational pace and ensuring that when one wishes us 'bon voyage', it is not merely a good journey, but a successful journey in every sense.

Lee Glover FCCA - Director, Validera