Should internal auditors rate audit reports when it creates friction between internal auditors and audit clients?
Audit opinion has been causing friction between Chief Audit Executives and audit clients and, as a result, there is no commitment to resolve agreed actions on audit recommendations in a timely manner, which exposes the organisation to avoidable risks and losses.
So, what is audit report rating? This is the grading of an audit report or a piece of audit work on completion. A rating may be scored with a number (from one to five), with a colour (red, yellow, and green), with an adjective (satisfactory, unsatisfactory, less satisfactory, or acceptable, cautionary, significant, or unacceptable), or with another mechanism.
According to the IIA International Standards for the Professional Practice of Internal Auditing (Standards), communication must include objective, scope, and results.
The Standards also explain results as final communication that must include applicable conclusions and applicable recommendations and/or action plans, and, where appropriate, the internal auditors' opinion must be provided.
The same Standards also explain opinions as ratings, conclusions and/or other descriptions of the results. On the other hand, the IIA Supplemental Guidance on Audit Reports (Communicating Assurance Engagement Results) describes engagement rating as a ranking or outcome which can be satisfactory, marginal, unsatisfactory, pass or fail. A survey by the IIA found that about two-thirds of internal auditor respondents said their organisations use some type of rating in their audit reports.
Why does audit report rating matter to some internal auditors? The first reason is that it allows for comparability of one area, location, department, faculty, or unit to another. It is the best way to communicate clearly to executive management and the board. Further, it is a mechanism to express an independent opinion on the controls of the reviewed area.
Another reason is that a standardised conclusion or rating helps senior management and the Audit Committee (AC) to prioritise remedial efforts in an orderly and efficient fashion.
Some internal auditors have also alluded to rating as the sure way to demonstrate the failings of the organisation for senior management to know there is work to be done.
The need to provide the AC with the right direction was cited as another reason, because it is the way internal auditors can direct the attention of the AC to issues that require attention, resources, and continuous monitoring. Some internal auditors have also expressed concern that without a rating, it will be difficult to offer clear visibility to the Audit Committee on what they should worry about.
A deviation from a pass or fail marking encourages tolerance of compromise, and this induces risk and marginalises reliance on the third line of defence. Rating also invokes punitive measures from executive management on audit clients, which is good to some extent, provided it is proportionate, as it makes audit clients take audits and the implementation of agreed actions seriously.
Why do some internal auditors disagree about rating audit reports?
However, internal auditors who dissent on rating argued in an EY survey that ratings are more trouble and effort than they are worth and cause friction between Internal Audit and management. Others have also stated that the absence of audit report rating allows for friendlier discussion, collaboration and forward focus with audit clients.
Some also say that rating reports makes Internal Audit more of a corporate cop, a tag the internal auditor wants to avoid because it gives them too many powers, which could be abused through unfair report rating. Dissenters also say that when ratings are strictly formulated, this brings bias in its wake, though it offers a big-picture outlook.
There is also the contentious issue of rating audit reports by aggregating the risk ratings at the individual level against scoring criteria developed by Internal Audit though not accepted and approved by all stakeholders. A better option, some audit clients argued, is for the rating to be deduced from all audit test results rather than from only the exceptions making up the final report. Disagreement over rating consumes a lot of time and energy which could be better spent on resolving the issues identified, to ensure compliance and effect savings as soon as possible.
How does rating cause friction?
Firstly, there is unclear methodology, leading to misunderstanding about how the ratings of individual issues translated into an overall report rating. This is because there is no single accepted organisation-wide approach in some cases.
Thus, stakeholders are unable to distinguish one report rating from another, especially where one report may have a lot of issues but a lower rating than another with fewer issues. According to Richard Chambers (former President and CEO of the Institute of Internal Auditors) in a blog post: "Ratings can be a powerful tool but if management and the audit committee place undue emphasis on them, they tend to have a polarizing effect on line and operating managers whose work ends up being summarised in a single word: unsatisfactory".
Secondly, process owners and audit clients hate rating, since it is human nature to want good things said about you rather than bad ones. Also, they think it is demeaning for work that they have done for at least a year, through thick and thin, to be graded by a third party in two weeks or a month as unsatisfactory or fail.
Thirdly, the rating will be factored into performance reviews and compensation, thereby affecting their career progression and economic circumstances, and causing emotional trauma should the audit client be placed on a performance improvement plan.
Way forward: what can internal auditors do to minimise the friction? Internal auditors should use rating more prudently by ensuring there is a common framework, arrived at through discussion in workshops that are focused on controls and enterprise risk management.
In addition, reports should be rated based on a methodology agreed and approved by internal audit, audit clients, and the board. That way there will be a common language for auditors and audit clients to discuss observations, including nuances of ratings.
Also, ratings would be fairer if they were based on all audit tests, both compliance and exceptions, instead of the focus on exceptions only that is currently used by most internal auditors.
Way forward for internal auditors, management, and board?
In conclusion, rating of reports offers benefits by projecting the urgent needs of the organisation for attention. It is also fraught with some issues, such as lack of objectivity and the lack of a clear, approved rating methodology understood by all stakeholders.
I therefore suggest that internal audit management should hold workshops with process owners and audit clients to agree on the rating of issues at individual level and at report level, so that rated reports can be accepted and resolved. It will also be better if senior management communicates the circumstances under which staff may be penalised for unsatisfactory rated audit reports, especially when some audit issues are more a matter of the design of controls than of the ineffectiveness of the existing controls.
Organisations that do not rate their reports but have good implementation rates can hold on to what they have. Those having issues with rating reports can address the challenges, because rating of reports is a powerful tool to ginger remediation of agreed actions to internal audit reports.
Management and the Board should ensure that the rating adopted by internal auditors is one that has been reviewed as objective and simple to understand by all stakeholders (audit committee, executive management and line management) and approved by the board. Ratings must be applied consistently in the organisation.
Rated reports must not be the driver of penal measures towards audit clients. Lastly, internal auditors must know their audience and tailor their writing in an objective, clear and concise manner to their needs, while the IIA must consider coming out with supplemental guidance solely on rating audit reports in future.
References:
International Standards for the Professional Practice of Internal Auditing (Standards)
Supplemental Guidance: Communicating Assurance Engagement Results
Writer:
Edward Ansah, Director of Audit, Kumasi Technical University