I apologize in advance to all my friends who make a living (at least in part) by helping people write what they believe are “effective” internal audit reports.
Every so often, we should challenge everything we do, but today I am focusing on internal audit reports.
After all, does the General Counsel write a report after every review they perform of a contract? Does the CIO write a report after a project is completed? In fact, are there any other functions within an organization that feel the need to write as many and as detailed reports as we do?
There are several possible answers. Let’s discuss some of the more obvious ones.
1. We have always written audit reports. It’s what we do.
This should never be our answer. We don’t accept an answer like this from management during an audit, do we. There has to be a reason based on the value to our customers in management and on the board.
2. We are required to write audit reports by IIA Standards.
This is a very weak argument. We should never do something just so we can say we comply/conform with the IIA’s Standards. There has to be at least as much value to our customers as it costs us in scarce resources. Remember that every hour on an audit report is an hour not auditing or providing advice on a risk that matters. It’s not as if we are going to get…
