Here's a sample of audit reporting techniques. They start with simple and obvious ideas and gradually introduce more interesting tactics. Auditors tend to focus on increasing 'impact' by giving a more alarming statement of the 'risk' and by being brief. This is a dangerous tendency that can lead to difficult meetings, loss of credibility, and more talk than action. The tactics I recommend focus on giving helpful information and supporting sensible decisions, made without fuss. As far as possible we need to base our statements on facts, and avoid merely stating opinions.
|Weakness summary||“Authorisation of contracts is ineffective.”|
|Observation statement – existing control not being performed||“Four out of a sample of 5 authorisation documents had not been completed fully, with two completely lacking any evidence of authorisation.”|
|Observation statement – existing control not effective despite being performed||“Contract authorisation appears to be ineffective. Although all authorisation documents we tested had been completed fully, approximately 24% of contracts are unprofitable and of these some 10% are unprofitable for reasons that should have been clear before the contract was made.”|
|Observation statement – lack of a control||“There are no procedures for authorisation of contracts.”|
|Observation statement – existing control is not efficient||“The existing procedure for authorisation of contracts is inefficient. All contracts, no matter how low the risk involved, must go through the same procedure, which involves five signatures and two meetings.”|
|Risk statement||“If authorisation documents are not completed there is a risk of unauthorised contracts being entered into.”|
|Highlighting the risk with a risk factor||“Due to our rapid growth many proposed contracts are with parties with whom our company does not already have a commercial relationship …”|
|Developing implications||“… so if authorisation documents are not completed then there is a risk of unauthorised and unprofitable contracts being entered into, perhaps with parties we should not be contracting with at all.”|
|Quantification||“Due to our rapid growth, 19% of proposed contracts are with parties with whom the company does not already have a commercial relationship…”|
|Reference to further evidence||“In the past we have identified contracts with parties whose credit worthiness has not been assessed (IA report 2008:27)…”|
|Reference to similar cases||“A similar weakness was found in another part of the group last year that had resulted in bad debts worth over £350,000.”|
|Identifying breach of a rule/ standard/ policy/ regulation/ law||“In breach of group policy on authorisation of contracts, …”|
|Opinion words (where the words usually have a specially defined severity)||“The status of control over new contracts is unsatisfactory.”|
|Identifying routine mis-analysis of risk||“The risk assessment checklist for new contracts calculates a total risk score from a number of factors. However, the scales for these factors are in very different ranges so that, in effect, some factors are given much higher weights than others, for no good reason.”|
|Identifying specific instances of mis-analysed risk||“The assessment of credit risk at ‘low’ for this revenue stream, and subsequent decisions about how much to invest in credit risk management, were based on the expected loss due to bad debts, even though the large contract values imply that any losses that do occur are likely to be very large. This has not been taken into account.”|
|Saying what ‘should’ be done||“All authorisation documents should be completed fully.”|
|Restating the objective||“In order to prevent unauthorised contracts being made…”|
|Offering control alternatives||“Either existing procedures could be applied consistently using closer supervision or the procedure could be redesigned so that contracts with new customers require a more rigorous authorisation process than other contracts.”|
|Offering a more refined mitigation*||“Instead of requiring the full authorisation procedure for every contract, contracts could pass through a simplified authorisation procedure if the value is low or we have already been doing business with the customer for a year or more and the value is not above some higher threshold.” |
|Suggesting a rethink||“In view of the changing pattern of contracting and worsening macroeconomic climate we suggest it is time to review credit risk controls.”|
|Explaining audit limitations||“Due to a recent fire it was not possible to inspect all authorisation documents during our review.”|
* My late father, Tony Leitch, was a master of this tactic. As a retired architect he was very involved with local planning matters and the Kingston Upon Thames Society, pushing for a better built environment in Kingston Upon Thames. While most people object to planning proposals by pointing out problems with them, my father had a talent for suggesting better alternatives nobody had thought of. That meant that planning officers could never relax with him around. There was always a chance that he would stand up and suggest something that people liked much better than the planned development!
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.