Editorial

What If You Didn't Write Audit Reports?

By Norman Marks
Chief Audit Executives should understand their deliverable is the assurance, advice and insight the board and management need, not a report no one reads.

Are you ready to set aside tradition, everything you have ever believed and done in internal auditing? Do you have a truly open mind?

I hope so.

If an Audit Report Goes Unread, Is It Needed?

I recently surveyed people on LinkedIn about whether they ask their customers on the board (or audit committee) and in senior management whether they read the audit reports. Most said they do. Only 15% said their customers read the entire report while 27% said they only read the executive summary.

If they only read the executive summary, what is the point of sending them more?

Imagine that a chief audit executive (CAE) attends a meeting of the CEO’s executive team and asks what information they would like to receive. Let’s further imagine that they are brutally honest. They tell the CAE that they value internal audit, but:

  • The reports are too long, 
  • They take too much time (of which they have little to spare) to read, 
  • They arrive weeks after the audit has been concluded, and 
  • They don’t always make it clear what (if anything) they need to know and act upon. Saying something is high risk is not the same as saying which senior executive, if any, needs to be personally involved.

The executives tell the CAE that they rely on their direct reports to tell them if there’s a problem, and fully expect them to take care of any and all issues. The audit report usually doesn’t tell them anything new that they need to know.

Some ask for an email with a few bullet points instead, maybe just the overall opinion if there’s a serious issue, and what it should mean to them. They don’t really need an audit report when everything is fine or there are only minor issues that their team is handling.

In fact most of them are thinking (even if they don’t say it), “Why can’t the CAE dispense with audit reports and just give them a call if there is something important to discuss?”

Something's Got to Give

The CEO agrees with the need for change and asks the CAE to find a way to communicate only what needs to be communicated and make it easier for her team to absorb and act on the results, if needed. She herself would be happy getting a monthly or even a quarterly status report. (Reading audit reports is not something she looks forward to. It’s usually how she passes time when she flies.)

If there is a serious issue, she expects the CAE to meet with her or the appropriate top executive to discuss it. The last thing she needs is to read a bunch of words and have to figure out what to do with them.

The CAE mentions that some of his peers have a practice called a “one-page audit report” and passes a copy of one around.

The executives shake their heads and tell the CAE that even the one page has more data than valuable information, and they don’t need to get one after every audit. The CAE thanks them but makes no promises other than saying they will see what they can do.

But when the audit committee members give pretty much the same response, the CAE is persuaded that action is necessary.

Why Write Audit Reports?

He takes some time to think and asks himself some hard questions.

Why do we write audit reports – even if they are just a page or two?

There can be many reasons, including:

1. It’s what we have always done

Would you accept that answer from management when you ask them why they're doing something? I certainly hope not!

Only do what adds value to your customer.

2. The IIA requires us to write an audit report

That isn't true. Neither the previous IIA IPPF nor the new GIAS requires a written audit report.

This is what GIAS says:

Standard 11.3: Communicating Results

Requirements: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The chief audit executive must understand the expectations of the board and senior management regarding the nature and timing of communications.

The results of internal audit services can include: 

  • Engagement conclusions.
  • Themes such as effective practices or root causes. 
  • Conclusions at the level of the business unit or organization.

Note this sentence: “The chief audit executive must understand the expectations of the board and senior management regarding the nature and timing of communications.” The IIA is telling us that we must communicate the results of our work (i.e., our assurance, advice, and insight) to our customers on the board and in senior management in a way that helps them do their jobs. It doesn’t say how we communicate, or even that we must do so after every audit. It says “periodically…and…as appropriate.”

3. It’s our end product, our deliverable

No.

Our deliverable is the assurance, advice and insight the board and management need — that their systems, processes, controls and organization provide reasonable assurance that the more significant risks to the achievement of enterprise objectives are at desired levels.

The IIA’s new standards define the purpose of internal auditing.

Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.

It doesn’t say that our purpose is to write audit reports.

The audit report is, at best, a way to communicate that information.

4. It documents the fact that we completed the audit

Why is that even necessary? What do we need to prove? Are we going to get sued? It’s highly unlikely.

Will the external auditor need to rely on our work? Maybe, and if so we need something to show them. OK, but the working papers may well be sufficient, together with any memo confirming agreed action items.

Do the regulators demand a report? Maybe, but most organizations don’t have that burden.

…and don’t forget that the CAE reports progress on the audit plan to the board (or audit committee of the board) every quarter. That’s documentation.

5. It’s the best way to communicate our results and make sure actions are taken

I strongly doubt that!

  • It takes time and resources away from auditing
  • It’s a one-way communication by us to them. The best communication methods allow for two-way discussion.
  • It asks our customers to spend their limited time reading our reports, as if they are more important than other issues on their desk
  • Is it how our customers want to receive information? Do they get multiple reports from every other function, such as Information Security, Compliance, Treasury, etc.? Those other functions probably provide monthly or quarterly reports. But we don’t?
  • Operating management are informed in the Closing Meeting and work with us to define any action items necessary to upgrade processes and controls. That meeting is documented, and maybe we can have a follow-up memo to confirm the agreed action items. Do these customers need more? We can use that memo later if we need to follow up on the status of corrective actions, or in planning future audits.
  • Senior management is entitled to rely on their teams to address the issues we identify and to complete agreed action items. Do we need to tell them what all those action items are? Why do they need to know? They need to know as soon as possible of serious issues, not wait until we send them a written report.
  • The audit committee of the board is updated on the results of our work at their quarterly meetings. What more do they need? Again, they should be notified directly and immediately of very serious matters.
  • Nobody is ever persuaded to do something by a written report without a discussion.

Consider These Alternatives to Writing Audit Reports

So what should we do?

  1. Set aside the notion that we MUST write a report at the end of every audit.
  2. Recognize that in-person meetings allow for constructive discussions and are more likely to lead to management taking ownership and getting action items completed. They are also a great way for us to build relationships and credibility.
  3. Understand your customers. What do they really need to know, and what is the best way to deliver that information to them?
  4. Do all your customers want to receive that information the same way? Can you make it easy for them?
  5. Recognize that some issues simply don’t need to be reported beyond the process owner, especially if they have been corrected.
  6. Consider what the best way is for management (and us) to keep track of all their action items. Some functions, like IT, have processes designed to keep track of them.
  7. Do we have specific requirements we have to meet from the regulators and/or external auditors?
  8. Now design your communication process or processes.
  9. Monitor how they work and periodically check in with your customers.
  10. Adapt, be flexible, and take advantage of technology where it would help.

Do you agree?

Are audit reports the best way to work with all your customers?

Are you prepared for change?

About the Author
Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, is the author of World-Class Risk Management, and publishes regularly on his own blog.

Main image: Steve Johnson