I like to be controversial and make people think.
I hope this is a post that will do just that.
Are you ready to set aside tradition, everything you have ever believed and done in internal auditing?
Do you have a truly open mind?
I hope so.
I recently surveyed people on LinkedIn about whether they had asked their customers on the board (or audit committee) and in senior management whether they read the audit reports. Most said they had asked. Just 15% said their customers read the entire report while 27% said they ony read the executive summary.
If they only read the executive summary, what is the point of sending them more?
Imagine that a CAE attends a meeting of the CEO’s executive team and asks what information they would like to receive.
Let’s further imagine that they are brutally honest. They tell the CAE that they value internal audit, but:
- The reports are too long,
- They take too much time (of which they have little to spare) to read,
- They arrive weeks after the audit has been concluded, and
- They don’t always make it clear what (if anything) they need to know and act upon. Saying something is high risk is not the same as saying which senior executive, if any, needs to be personally involved.
The executives tell the CAE that they rely on their direct reports to tell them if there’s a problem,…
