How Long Should an Audit Report Be?

Are most internal audit reports the right length? For many consumers of audit reports in the executive suite and boardroom, the answer is probably that they’re “too long!”

Audit reports may run to extraordinary lengths these days. For example, I recently talked to one organization where they could easily extend over a hundred pages. One hundred pages is clearly too long for anyone to reasonably expect our stakeholders in top management and on the board to want to read. When does an audit report ever contain 100 pages of valuable, actionable information?

So, is the answer ten or twenty pages? Is it two or three? Let’s tackle the question in a different way.

Audit reports are a communication vehicle. The IIA Standards do not require that we write an audit report. Instead, they require that we communicate the results of our work to our stakeholders. So, a better question is: What should we communicate?

When Will It Stop Hurting?
When you visit the dentist because you have a toothache, do you want even a three-page report? Probably not. You want to know: (a) Can he or she stop the pain? (b) When will that be done? (c) Is there a serious problem? And (d) What is this going to cost me? You don’t want to be asked to read a recap of your dental history, the status of recommendations from your last visit, or a report on the depth of your gums. You want to receive the information you need, concisely and clearly written, without wasting a minute of your time.

What about your executives and board members? What information do they want to get from you? They want to know:

  • Is there a problem that is serious enough to potentially affect the organization and the achievement of its objectives in a material way? Is there a problem I need to worry about at my level?
  • Are the right actions being taken?
  • Is there anything I need to do personally?
  • Is there anything I need to make sure others are doing?

So why do we include more? Is it because we feel a need to justify our existence? I know of chief audit executives who insist that every audit report has at least one finding and recommendation. Why? If you have this need, this irrational compulsion, stop!

Is it because the report is a form of documentation, or because it is really being written for a regulator rather than the executive readers? Both are equally wrong.

The Elevator Version
Imagine this. You enter the elevator at your company’s head office and are greeted by your CEO. She asks you about the audit your team recently performed of the Treasury function, saying that she is interested in the results. Do you tell her about the background of the audit? How about your scope and objectives? Do you list all the medium and low issues? Or do you just tell her whether there were major issues that merit her attention, whether management is taking the right corrective actions, and any other insights that would be of value to her?

So why do we put more than these essentials in a written audit report? Why hide valuable, actionable information in a haystack of unnecessary detail? The length of the audit report, if one is even needed, should be just enough to tell the consumers of the report what they need to know—and no more.

Ah, I can hear you saying that the report has to include all the findings so you can make sure management owns the issues and will take necessary corrective actions. But do the executives and board members need to see that level of detail in the report? Weren’t these all discussed and agreed upon at your closing meeting (and if not, why not)?

Send a note to those present at the meeting, confirming the discussion and the corrective action details (who will do what by when, and other details). And then keep what you send to the executives and the board limited to what they need to read and no more.

Make it easy for them to pick up your reports promptly, digest the actionable information, and take whatever actions are needed—now when they are needed. Make it easy and not hard for them to read, understand, and take any necessary actions.

If you don’t waste their time with trivia, they are far more likely to listen when you do have something to say.

What say you? Can we cut most audit reports back to half a page? Let’s hear your thoughts in the comment section below.

Internal Audit Isn’t the Brakes, It’s Part of the Navigation System

I have always been on the lookout for clever ways to describe internal audit’s role in an organization. Elevator speeches are fine when you have 60 seconds to describe the value your profession brings to an uninformed bystander. I even shared some ideas for the elevator speech in a blog earlier this year. However, an elevator speech doesn’t hold a candle to a well-crafted sound bite that will leave a lasting impression.

One of my favorites used to be “internal audit is the brakes that allow the organization to drive faster.” The reasoning behind this analogy is that brakes are a critical component in a vehicle. To be sure, they are used to stop a vehicle from moving. But more importantly, brakes are crucial to maintaining control of a vehicle. Of course, well-resourced, independent internal audit functions add little value if they impede an organization’s ability to take risks and achieve results. But they add value when, like brakes on a car, they empower management and the board with the information to slow down or stop if critical risks lie ahead.

Over the years, I have come to view the “internal audit-as-brakes” analogy as a bit outdated. It envisions internal audit as being primarily control-focused. Today, internal audit provides much greater value than merely a set of brakes. After all, a vehicle with an outstanding braking system can still end up in the wrong place. Brakes are great for stopping or slowing down. However, they do little to help change course. Internal audit in the 2020s must help create value, not just protect it!

I believe a more powerful analogy is that internal audit is a critical component of an organization’s navigation system. Consider the value of a modern navigation system. Once the departure and destination locations are entered, a navigation system provides timely and crucial feedback on the progress of the journey. The friendly voice provides turn-by-turn advice on reaching the destination. It recognizes when a turn has been missed and quickly alerts the driver to “make a legal U-turn.” It can be programmed to recommend routes that are faster, less congested, or avoid tolls. Some alert the driver when the speed limit is being exceeded or the vehicle is being taken onto unsafe roads.

Much like the navigation system in a vehicle, internal audit shows its powerful value by:

  • Providing assurance that the organization is progressing on the course charted by management and the board.
  • Providing recommended corrective actions when the organization is off course (please make a legal U-turn).
  • Identifying risks in advance (much like a navigation system warns of an accident or road congestion ahead).
  • Alerting management and the board of compliance risks/failures (think excessive speed).
  • Providing assurance that the organization has “arrived at its destination.”

To succeed, organizations in the 21st century must manage risks – both internal and external, whether related to finance, operations, strategy, technology, regulations, or reputation. While organizations are raising the bar on effective risk management, executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. In the past five years, we’ve faced the most extraordinary global pandemic in more than a century, more global financial turmoil, cybersecurity breaches that even target our infrastructure, corporate failures induced by toxic cultures, the #MeToo movement highlighting sexual assault and harassment in the workplace, and more. In the immediate future, we are facing the prospect of severe supply chain disruptions, inflationary pressures not seen in 40 years, and likely more nasty surprises from COVID-19. Relying on a good braking system will be inadequate to navigate the hills and valleys that lie ahead. Instead, organizations need strong navigation systems with well-resourced and independent internal audit functions fully integrated to succeed.

Granted, my updated analogy may be oversimplified. Strong internal audit functions add value in a multitude of ways, and we are never more critical than management and the board in navigating the risks that our organizations face. However, I find it useful to think through analogies such as this one so that I can better articulate internal audit’s role in ways that everyone can understand.

I welcome your thoughts.

Board of Directors – Is One Required For a SOC 2 Audit?

Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors in providing oversight of internal controls. For small businesses or less mature organizations, this can be a hindrance in moving forward with a SOC 2. However, is a formal board of directors absolutely required to successfully address this criterion for a SOC 2 examination? Are other forms of governance sufficient? The purpose of this post is to examine this requirement in relation to a SOC 2 report and its application to organizations where a board of directors is not required, is not feasible, or is even unwarranted based on the nature of the entity.

What is a Board of Directors?

In the traditional sense (i.e., in relation to a corporation), a board of directors is a group of individuals, elected by shareholders, who form the governing body of the company and oversee management and the strategic direction of the organization. The board typically consists of internal executives as well as outside directors who are not employed by or otherwise engaged with the organization. The board of directors makes decisions on behalf of the company and its shareholders.

When is a Board of Directors Required?

Certain organizations, such as public companies and S and C corporations, are legally required to have a board of directors in place. This is further defined by state laws. The board’s composition, roles, and responsibilities are addressed in articles of incorporation, bylaws, and/or company charters. As such, public companies and corporations are well-positioned to satisfy requirements related to governance performed by the board of directors. However, limited liability companies (LLCs) and sole proprietorships, for example, are not required to have a board of directors. These organizations may elect to have a board of directors, but some may find it too costly or unnecessary to form a board with independent board members.

What is the SOC 2 Requirement for a Board of Directors?

As set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, CC1.2 states:

“The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. The following points of focus, specified in the COSO framework, highlight important characteristics relating to this criterion:

  • Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
  • Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
  • Operates Independently — The board of directors has sufficient members who are independent of management and objective in evaluations and decision making.
  • Supplements Board Expertise — The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.”

As stated, the criterion requires that a board of directors be in place to provide adequate supervision and oversight of the organization. There appears to be little wiggle room when contemplating the need for a board of directors when engaging in a SOC 2 examination. However, the characteristics called out in the points of focus are not exclusive to a board of directors. A management team, or even an owner-manager, depending on the complexity of the organization, could fulfill the characteristics noted above. It seems reasonable that other forms of governance, depending on the nature of the entity, could provide adequate oversight where a board of directors is not in place.

Are There Alternatives to a Board of Directors?

Per TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, the AICPA offers a broader definition of a board of directors:

“Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.”

Based on the definition provided by the AICPA as noted above, those with responsibility for overseeing the entity are not confined to the traditional board of directors model. Rather, the AICPA recognizes that different forms of governance, depending on the nature of the entity, may be sufficient for the organization to achieve its service commitments and system requirements. So, yes, different forms of governance, depending on the nature of the entity, may be sufficient as an alternative to a board of directors.

For example, for a less complex organization with fewer personnel, a service auditor may conclude that a senior management team or executive committee provides sufficient oversight of the company and that the achievement of the service commitments and system requirements is not impacted by the lack of a formal board of directors. In such an environment, management likely participates heavily in the supervision and review of key controls, thus providing oversight of internal controls. They would be influential in the organization’s commitment to ethical and legal conduct and would also be involved in the recruitment and evaluation of employees and consultants to ensure adequate knowledge and expertise are present. In addition, management teams in this setting generally possess adequate competence and knowledge of the organization and its processes to provide adequate oversight without overreliance on others within the organization.