Episode 27 | Improve reporting by answering these questions about your audience

The Assurance Show

 

Show Notes

In this episode we discuss how answering a few simple questions about your audience can improve your audit reporting.

These help make several report areas better:

  1. Scope and title
  2. Context
  3. Findings / Improvement opportunities

 

Transcript

Conor: 

Today, we’re going to be talking about how auditors can construct the best possible audit report. We’re going to discuss some areas where there’s room for improvement, and these are common observations we’ve made over the past little while.

Yusuf: 

So the question is why is this important to auditors? I’ll answer for internal audit, and you can talk about it for performance audit. For internal audit, key things are we want to produce better reports, we want people to be able to understand those reports, read them, act on them. We spend a lot of time doing our work and if the reports that we produce aren’t valuable or aren’t able to be used, then we’ve wasted a lot of time. And it’s just not satisfying, if you have a report that doesn’t create some level of impact. Our reports need to create impact, and in order to be able to do that, we need to make them better. The other thing is that as internal auditors we are always looking to improve. Continuous improvement is something that the better internal audit teams strive for. When we’re looking at our reports we’re always looking for ways in which we can make them better. Better quality, largely, is about the work that we do, of course. Better quality in reporting is about how the report is able to be used by the audience. Fixing these three things that we’re going to talk about today will help with that quality improvement. And this is why it is important to internal auditors.

Conor: 

The reasons it’s important to performance auditors mirror what you’ve just said. It’s around the quality of the product, but also delivering maximum impact. Same reasons. But the scale is slightly bigger for performance audits. They are a costly operation. They can take a long time. They’re resource intensive, not just for the auditors delivering the performance audit, but also for those entities and public sector employees. The onus really is on us to make sure that they’re actually delivering something valuable, that they are digestible, so that decision-makers whether they be parliamentarians or senior public sector employees can do something to benefit over that investment of time and resources.

Yusuf: 

So the three areas that we see issues with are. Firstly scope. The second is context. And the third is findings. In addressing those areas, there’s one broad overarching question that we can ask. And then for context, there’s a few detailed questions that we can get into to be able to better structure those.

Conor: 

And the absolute critical question we should be asking as auditors that draft reports is?

Yusuf: 

Who is the audience and how will they use the information that’s in this report. Audience is a key attribute of quality. If you look at the definitions of quality, it’s very clear that one of the key components of quality is understanding who the audience is and making sure that everything you do is tailored for them.

Conor: 

The question around your audience should come right up front, when you’re starting to put together the frame for your report.

Yusuf: 

Why don’t we jump into each of the three areas so that we can explore what it is that we’re going to be asking and why we’re going to be asking those questions. So the first one is scope. And in terms of scope, there’s two things that we need to make sure that we are covering off. The first is that the title of the report is reflected in the scope, and the scope is reflected in the title.

Conor: 

And setting the title, making it succinct yet detailed enough for the reader to understand what the audit’s about, that’s not always that easy to do.

Yusuf: 

If you put the wrong title out, you create an expectation around what is in the report. Sometimes you want to go longer. Sometimes you want to go shorter, but you don’t want to create an expectation by setting a title that is broader or narrower than what you’ve actually done. And the reason you don’t want to do that is that you create undue reliance on the work that’s done, you might want to make a title attractive for somebody or attractive to the audience, but then it needs to be truthful and honest as well. The other thing is that you don’t want to set a title that’s too narrow or too broad because you might not get people reading it that you want to read it. Within the performance audit world, often we want public sector entities that may not have been involved in the audit, individuals in the public sector to read those reports, to get that understanding. And often the first thing that people see is the title of the report. And then the second thing is that we need to include what’s out of scope. And saying what’s out of scope helps the reader to understand what is, and isn’t in scope. And when you have broad topics and there’s a number of broad topics that we’ve been looking into for a while as auditors, both performance auditors, and internal auditors. Culture, the use of data, cyber, business continuity planning and remote working, and a few other things like that. When you look at those topics, they are very broad and sometimes you can do audits that cover the whole topic, but quite often, the audits that you’re doing are covering certain specific aspects of those topics individually and you may have a series of audits. So explaining what is in scope and out of scope is important. If you’re using a framework to bring your different audit topics together under one umbrella, then you may want to use a diagram as well, to explain that. Quite a useful thing to use. So the question is how will the information be used? 
Who is my audience and how will they use the information? If we ask those questions, that helps us determine what our title should be. And then being very explicit about what is in scope and what is out of scope, so that people understand and don’t place undue reliance on our work.

Conor: 

Okay, what about context – moving on to number two, what are some of the things we need to be thinking about there in terms of improving our reports?

Yusuf: 

Again, we want to ask that overarching question. Who is the audience and how will they use the information that we have. Now, this question, how will the information be used is a little bit broader as well, so sometimes you want to think about how the information might be used outside of your primary audience. Examples of those are individuals involved in compliance. If your audit report is going to be used by your external auditors or your regulators or some other body, then you may want to include some information in there that talks about limitations of liability and a few other things like that. That’s secondary. The main thing in understanding your audience, as it relates to context is obviously, as we said before, who’s your audience, but you’ve answered that question. The second question is what do they already know? So when you’re writing the context, you need to be able to explain what they already know, so that you know what you will and won’t include in that context section. You don’t want to go into reams and reams of paper, explaining what people already know. And that’s where the third question comes in. What do they need to know? If you know what the audience needs to know based on what they already know, you can then outline the broad context. What does this topic look like overall. In the public sector, how does that look across multiple entities? What are we talking about specifically as a topic? And then the second part of the context is how does that play out within the entity or entities that we’ve audited? So let’s say we’re talking about business continuity planning. Where we sit right now, beginning of November, 2020. We’re talking about, an increased focus on business continuity planning because of the pandemic that has hit us. And, you know, it’s still affecting us. Some of that broad context will then translate into we’re looking at this particular entity or this set of entities. How have they responded? 
How are they prepared to continue business? So how are they prepared to do remote work? Do they actually have proper plans in place? Those plans would now have been tested. What does that look like? That’s the broad context. And we see quite often that the audit reports, particularly audit reports that are produced by external providers, don’t provide that context. So they say, this is the scope. This is what’s in scope. And go directly to the findings. And then you’ve got to read the findings and try to figure out what is actually going on. The fourth question we need to ask is what needs to be done. If you are providing very high level findings, or you are providing no context to the findings, it becomes very difficult for the user of that report to determine what needs to be done. And then they’ve got to go and dig out all sorts of information to support what is in the report. And that may be relevant in some cases, but in many cases, it isn’t. You need to show what it is that you’ve seen and what needs to be done to address what you’ve seen so that the person can take that report, whoever is using it, or whichever team is using it and take that report and know exactly what they need to do with it. And then go into something with it.

Narrator: 

The Assurance Show is produced by Risk Insights. We provide data focused advice, training, and coaching to internal audit teams and performance audit teams. You can find out more about our work at datainaudit.com. Now, back to the conversation.

Conor: 

So they’re the four questions there to help you establish the context and reporting. Presumably you may not know the answer to all of these questions at the outset of your audit, and you may need to ask these questions as you perform your field work and go through the audit. Particularly around what does your audience already know and what do they need to know.

Yusuf: 

If you haven’t thought about these questions early on in the audit engagement, you may not be able to answer those questions at the end, it may be too late. So start writing the audit report at the beginning of the engagement. Begin with the end in mind. What is it that I need to be able to show? You’re then able to slowly construct what the report will look like and get the right information in place so that you can produce that report that is valuable and usable at the end.

Conor: 

Yep and you won’t be scrambling around at the end of your audit to try and fill in some of these blanks that you should have been able to answer. The third area is around how findings appear in reports.

Yusuf: 

What we’ve spoken about previously on this is that your findings need to be able to address three timeframes. And those three timeframes are past, current and future, which is, you know, quite simple. As the report is being delivered, there would be issues that need to be addressed or challenges that need to be resolved or opportunities for improvement, whatever we want to call them. We’ve got three broad areas where something needs to be done. Often you want to fix the issue, and that’s the current. So what are we doing about it right now? What’s the impact right now? In some cases you want to go and remediate what’s gone on in the past. So you may have had a control that isn’t working, an exception report that isn’t reviewed, or some sort of calculation that was done incorrectly. And in that case, if you know that that’s a problem, you can fix it in your current system. But then you may need to go backwards and fix the last few years to resolve a particular customer expectation. You then also want to make sure that, if there are any programs coming up in future, or if there are any changes that are coming up, you want to be able to determine whether the fix that you’re going to put in place now, is that sustainable? Is that something that’s going to be able to last, or if you’re putting in a tactical fix for the current, what is the strategic fix for the future? So those are the three areas and often we see a tactical fix to the current based on the sample that’s been evaluated. And that is not enough. Now what that means in terms of the overall report is that when we are reporting and when we’re talking about a finding, and sometimes you have a recommendation and this is not very common. But you then have, how is management planning to address this in the case of internal audit? How is the entity planning to address this in the case of performance audit? 
And you then want to be able to say, that fix is relevant to the past, and this is what we’re doing about it, relevant to current and this is what we’re doing about it, relevant to the future and this is what we’re doing about it. And that gives a broader perspective on how the issue is being addressed and addresses the question: how is this information going to be used? Then the second thing around findings is that you want to have good context in your findings. So you want to be able to explain how the finding looks in enough detail. Not getting into too much detail, but in enough detail that it can be understood. For example, benchmarking enables people to understand what the finding looks like relative to others. Because risk is usually relative. Particularly when you think about it in terms of timeframes. If you are able to show what other entities or similar entities are doing then you’re providing the context of the findings that enables the reader to understand how this looks relative to others. Why that’s important is that it’s very difficult to risk rate something and you risk rate to be able to prioritize. It’s very difficult to be able to prioritize something, if you don’t show how other people are doing something similar. And this is not necessarily something that has to be done with every finding or every report, but if you can, that’s very useful information.

Conor: 

Useful for the decision-makers who may have to implement that recommendation and it may be, putting in new controls or investing in something. If they have that benchmarking information that they can use to make a business case.

Yusuf: 

How big is this? What are others doing about it? What do we need to do about it? That then helps address the audience aspect. Those are five key questions. One overarching question, who is the audience and how will they use the information that you’re providing. And then for context, and that’s context individually, and also context within findings. Who are they? What do they already know? What do they need to know? And what do they need to do? Those are four questions we need to ask. Taking our scope to align with the title. Making sure that we cover off limitations of scope as well, or what we have not included in scope and diagrams are useful for that. The broad context under which the work is being done, the specific context that relates to the entity and then improving on our findings.

Conor: 

Thanks Yusuf.

Yusuf: 

Thanks Conor.

Narrator: 

If you enjoyed this podcast, please share with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.