It’s sad and frustrating when no one reads your team’s or your department’s audit reports. Sure, your auditee may look at the report, but when no one across your firm really cares about what internal audit has to say, it has a toxic and insidious impact on all internal auditors in the firm (both short term and long term effects) as well as on internal audit senior leadership.
Here are three key reasons your internal audit reports may not be getting the readership they should be getting or that you’d want them to get.
1. Potential readers don’t even know of the existence of your internal audit report
If they don’t know of your internal audit report, how are they ever going to read it? Too many audit departments have inadequate and insufficient distribution of the audit reports – the concerns/recommendations/issues may be raised in internal audit’s system(s), an audit report may be issued, but if you’re not distributing the report broadly it all doesn’t make any difference.
Sure, you’ll validate the issues once the auditee closes them/submits remediation work. You’ll make sure management/auditee actions are taken to remediate the issues and mitigate the risk. That’s core and that’s key. However, if you actually want people in your firm to read the internal audit reports you, your team, or your department put out, you need to make sure to include a broad swath of colleagues in your distribution.
Often times internal audit methodology is the cause for poor report distribution. In such cases — where IA methodology dictates distribution and doesn’t leave much room for an auditor’s or director’s professional judgment — your hands are a bit tied. Unless you’re senior-enough to be able to affect your department’s methodology, there’s not much you can do here. You should raise concerns within the department in a prudent and appropriate way, but you probably don’t want to be fully doing your own thing if there is a clearly-articulated methodology/approach for distributing audit reports within your department.
If your hands aren’t so tied, however, a bit of courage may be just what is needed for you to get more people to actually read your audit reports throughout your firm. Just include whoever you want to see the report in the distribution – whether the report is system-distributed or whether you email out the final report, this should be pretty easy from an operational perspective (but not from a mental perspective for too many auditors).
It’s just that simple — if you want the CRO to see the report, you’ve got to include the CRO in the distribution. Stop hoping that it’ll get to him/her somehow. If you want the Head of Sales to see your report, you have to include the Head of Sales on your distribution list – you surely can’t expect a super busy sales executive to read the report otherwise, can you? If you want the CFO on the distribution, include the CFO. It’s not rocket science, but it does require a bit of guts if you’re used to very limited visibly of your reports.
What use is an audit department whose reports are not widely distributed and widely read? What’s the point if no one truly cares and no one sees the conclusions you, your team, or your department make? You should obviously use professional and good judgment when thinking about your distribution list, and you should make sure you are the appropriate level/role to make the call – don’t jump over your audit lead or other mid-level/senior audit colleagues (eg. Director, MD, etc.) and be mindful of the overall culture in your department.
One more consideration to note here is report quality. This is addressed below, but make sure your report is truly top-notch on all points before you increase distribution – how pathetic would it be to broaden your distribution lists only to distribute poorly-written, boring, and useless reports that no one is going to ever read after they mistakenly read their first report (only to realize how much of a waste of their time reading it was)? Get your reports up a few levels before you increase distribution – make sure they are well written, make sure they are interesting, and make sure the format looks like you know that we are deep into the 2020s.
2. Your internal audit reports are downright boring at worst, and uninteresting at best
No one likes to read boring things, especially boring internal audit reports. Boring means a lot of things – it’s both referring to the words used, but it also references the presentation (eg. how the report looks like).
You want engaging content, written in a clear, concise, and matter-of-fact way. The audit report isn’t an academic paper – know your audience, and make sure you tailor the report to a somewhat broad corporate audience. Such an audience will be somewhat knowledgeable about the topic, but not very knowledgeable and surely not as knowledgeable as you or your auditees. Regulators may also read your audit report. You’re not writing just for your auditee/client – the auditee already should know the concerns/issues being raised and should be intimately involved in creating action plans to remediate them; they know a lot more than will be revealed in the executive summary of the report.
Presentation also matters. Even if your content is amazing, interesting, and useful (it’s probably not), you need to present the report in an appropriate way – that means it should be easy to open, not require creating accounts/logins to access, and should be done in a modern way (eg. clean, concise, clear, appropriate use of white space, etc.). You know how modern docs and modern copy look like if you’ve lived in North America for any period of time, and the same can pretty much be said if you’ve lived in Western Europe and many parts of Asia, Africa, and South America too. This isn’t rocket science, and you likely already know how to improve the look and feel of your internal audit reports.
As with anything, however, be mindful of your role within your department, methodology, department culture, and other key factors. In most internal audit departments, there is a standardized approach for reporting so it is very unlikely that even a Director-level role would be able to have any impact on how reports look like. More senior people — especially those closely involved with practices, processes, department operations, or methodology — are clearly more likely to have the ability to influence the look and feel of audit reports.
3. Your internal audit department (or team) is not known for raising valuable and key issues
Who cares if your report has ultra-wide distribution across your firm if you’re not raising any valuable issues/concerns or communicating key information within your internal audit report? By the same token, who cares if your report is written by Tom Clancy himself with a report design created in consultation with Ogilvy if your department is known for not raising key and valuable issues/concerns in audit reports? The answer is no one will care.
You can get a lot right, but unless your department is able to do robust audit work that gets at core issues relevant to the firm at large — not just to a pedantic auditor who has no clue of the bigger picture — no one will care what you have to say in your good-looking and well-written audit reports.
Good reports start with good audit planning and require robust testing/fieldwork performed by knowledgeable auditors who have sufficient confidence/stature to fully do their work and engage with the auditee appropriately – without this, your reports will be pure fluff. No one wants to read fluff. Start actually brining core concerns/issues/considerations into the light in your internal audit reports, and you’ll see how easy it is to get broad interest and readership in your reports.
Leave a Reply