How do you write audit reports when you are adopting agile methods?


Toby DeRoche has an interesting web site, Insight CPE. It’s worth a look (especially his post, “Stop auditing useless controls”), and I appreciate his thoughtful comments on my various posts.

On his blog (at that site), he recently wrote: “How to report issues in an agile audit approach”.

There’s a lot of interest in agile for internal audit these days. (For example, my friend Clarissa Lucas has just published Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices.)

But how does agile auditing affect how you communicate the results of an internal audit engagement?

I very much like what Toby has written in his blog post (with my added emphasis):

Our agile audit approach audits what matters when it matters. Our reports should not include drawn-out explanations of risk assessment processes and detailing every issue we found for the past four years. If there is meaningful trend analysis, then show the information. Otherwise, never water the reporting down with irrelevant information. Presenting low-risk issues only inflates the numbers and makes things look worse than they really are at the moment. Once the reader gets into the detail, they may disregard the entire report if they think we add only fluff without substance.

Our goal is not to make it look like we did lots of work…
