Internal Audit Tales: Communicating Audit Findings Part 1
Ralph Villanueva, CISA CISM CC PCIP CIA
Fifteen year IT security, cybersecurity and data privacy compliance professional in the US hospitality industry with relevant certifications, expertise in key IT compliance areas and successful IT compliance track record
By Ralph Villanueva CISA CISM CIA CFE
Introduction
My previous article about lessons learned from selling drugs has garnered considerable interest - fortunately not from the authorities. The real lesson in that article though is about results-oriented communication. Hence, this and other subsequent articles will focus on lessons learned while communicating audit findings and recommendations, and I’m confident this will benefit anyone who brings both good and bad news about risk and compliance to the powers-that-be in the company.
Communicating Audit Findings
When I started out in internal audit in the 1990s, communicating internal audit findings and recommendations was done either in person or via print. Print means using a WordStar application on a PC XT connected to a dot matrix printer which prints in duplicate or triplicate, depending on how many company officers need to read it. There were no fancy graphics and definitely no email in the way we use it today. Distribution of the audit reports was done via office messenger. Our reports back then were voluminous and even hard to read, because the reader had to go over the entire report to get a sense of which audit findings matter.
A breath of fresh air came one day, when a new internal audit manager brought some effective ideas for communicating internal audit findings. She came up with this format:
This made life easier, especially for the executives, senior managers and the board, because they can see at a glance which audit finding matters most. They can readily make decisions or allocate resources to remedy the internal control weaknesses enumerated in those findings, or take proactive action against any fraud identified in the report. Life was easier for our internal audit team as well, because we were finally heard at a faster pace, and our importance and value were recognized throughout the company.
This was similar to the elevator pitch concept which I learned a few years later when I was working on my MBA. The human mind can only process so much in so little time, so focus on communicating the most important message you can get across, and the most important recommendation that you want done in the least amount of time.
Since then, we have so many electronic tools at our fingertips to communicate. We have email where we can embed screenshots and spreadsheets, as well as attach and instantly send anything that’s in PDF or another document format. Don’t forget fancy presentation software such as Adobe or Corel, complete with bells and whistles. Or videos and animations. And include the ease of setting up online meetings via Zoom, Teams or other platforms, and the opportunity to present so much data while communicating in real time. Ironically, the ease of sending information electronically has inundated us with so much data that it is difficult to sift out what matters most. The phrase “death by PowerPoint” is just an offshoot of this unfortunate trend, with “death by Zoom” not far behind. Yet there is still hope for everyone in internal audit, as well as those whose job is to communicate both delightful and unsavory news about governance, risk and compliance.
Takeaway
Hope means just focusing on three things – a summary, bullet points and the details. Consider the needs of your audience. They’re not there to digest Leo Tolstoy or Robert Ludlum – they’re paid to digest relevant information and take decisive action in the fastest way possible.
My next articles will focus on more communication lessons learned from my career journey – from internal audit to IT audit to IT security and data privacy compliance. These lessons helped me professionally in my journey and I’m sure they will help you as well. And yes, I have spoken at several conferences every year since 2010, and I would love to help my fellow audit professionals get on stage as well. Moreover, because I speak Spanish, I will come up with articles en Español para profesionales y colegas maravillosas desde México hasta Argentina. Stay tuned.
Ralph Villanueva is currently an IT security and compliance professional for a publicly listed global vacation ownership company, and has relevant professional certifications earned from over ten years protecting his stakeholders from IT security and compliance risks. In his previous professional life, he was an internal auditor for a decade, earned relevant certifications as well, and has protected his employers from fraud and financial risks due to weak internal controls and weaker company leaders. He also recovered tens of thousands of dollars through his audits. Though he is happy where he is right now, he is nevertheless waiting for the day when he can fuse these two magnificent professions into something that can generate enormous value to whoever makes it happen. Think Taylor Swift’s Eras and Beyoncé’s Renaissance tours, Oppenheimer and Barbie, Predator and Alien, Godzilla and King Kong, Freddy and Jason or Batman and Superman (sorry Robin). Yes, these are extreme analogies, but I’m sure you get the message. © Ralph Villanueva. All rights reserved.