COMMUNICATING RESULTS

General

IIA Standard 430 and Statement on Internal Auditing Standards #2 give requirements and guidelines for communicating the results of audit work. This section of the audit manual describes our approach to communicating the results of audit projects.

Except for very small reviews, we will issue some form of written communication at the end of each project. The structure and content of this communication will be based on the nature and results of a project and what we need to communicate with whom. Results of small review can sometimes be communicated orally.

Regardless of the format, written communications (reports) should possess certain basic qualities. They should be:

• Objective- present information in a factual, unbiased manner.

• Constructive- focus on ways to help the auditee and lead to improvement rather than

criticizing errors and control weakness.

- Clear- be logical and easily understood, avoid unnecessary technical language, and provide appropriate supporting information.

- Concise- be to the point, avoid unnecessary detail, and express thoughts in the fewest

possible words. Generally, the first sentence of a paragraph in a report or close out

letter should identify the problem noted or the basic nature of a recommendation.

The choice of words used and tone of reports are as important as the information presented. For example, if we find a missing process-such as daily deposit of receipts- it’s better to say that the missing process is required by University policy instead of describing its absence as a violation of policy. Using neutral works increases the likelihood that management will provide an acceptable response and take appropriate corrective action. When writing reports, be guided by how the language used would sound to you if you were the manager of the area reviewed.

Findings, recommendations, and management’s responses in our reports should never identify individuals by name. Identifying someone using a position title or general terms such as "an employee" or "the individual named in the complaint" preserves objectivity and reduces potential legal liability for the University and the author of the report.

Reports are typically addressed to the Secretary of the Board of Trustees with copies provided to the President and members of management who are responsible for the area audited or who can correct any of the findings reported. However, close out letters for special projects may be addressed to the manager who requested the project and copied to the President and/or Vice President.

Until the final report is issued, all pages of the reports should be clearly marked "Draft".

Formal Reports

A formal report format should be used for routine audits, major special projects, and major misuse investigations. Formal reports consist of a title page; contents page; an introduction, purpose and scope, and findings, recommendations and management’s responses.

Close out Letters

The results of smaller special projects and misuse investigations will be communicated with a close out letter that summarizes the allegation reviewed or nature of a special project and the results of our review.

If the findings from a misuse investigation or special project cannot be adequately disclosed with a general statement or we need to obtain management’s responses to the findings, we will issue a close out letter accompanied by a Findings and Recommendations section like that of a formal audit report.

Some special projects may require a formal report for significant findings and a separate memo to department management listing less significant issues.

Management’s Responses

Whenever our reports present individual findings, we should obtain management’s response to the findings. These responses will be included in the report immediately after the related finding and recommendation.

The auditor who conducted the review is responsible for determining that the responses are adequate, complete, and address the issues in the report. Responses should state whether or not management agrees with the finding. The responses should state whether they will implement the corrective action suggested in the recommendation or describe alternative steps they will take to address the underlying issue. Responses identify the positions that will be responsible for making the corrections and the estimated date that corrective action will be complete.

If management disagrees with a finding or provides an inadequate response, the auditor in charge should work to resolve the situation. As a first step, the auditor should contact the individual to exchange additional information about the issues. If the auditee disagrees with the finding, the auditor should obtain and review additional information that supports the auditees’ position and , if necessary, provide additional details that support the finding. If the response is incomplete, the auditor should explain what changes are needed and ask that these be made.

If discussion with the auditee does not resolve the problem, the in-charge auditor and the Director of Internal Audit will work with each successive level of management to try to resolve the conflict.

We should not issue a report with the facts of a finding in dispute. Auditee management may disagree with the significance of an issue in a report, may prefer an alternative solution to the one suggested in our recommendation, and may even decline to take corrective action. However, any finding in our reports should contain accurate, complete information and management’s response should be clear about the exact nature of any disagreement.

If we are unable to resolve a disagreement about the significance of a finding or about the need for or adequacy of corrective action, we will include the auditee’s views in the report. If management has declined to take appropriate corrective action, our report should disclose that senior management has been informed of the risk of not taking corrective action and has accepted that risk. In both cases, all levels of auditee management should be given an opportunity to review the revised report.

Review of Draft Reports

After we have received responses from the auditee for each of the findings sheets issued during the audit, the senior auditor will prepare a draft report, which will contain all major findings that have been reached. Some major findings that are significant and have been corrected may be appropriate to include in the report to ensure that executive management and the Board of Trustees are informed about the findings and that corrective action has been taken.

The draft after being approved by the Director will be forwarded to the auditor and a formal exit conference will be held to discuss the report. The exit conference will enable all parties to agree on the factual content of the report and the fair presentation of the findings. The auditee will be allowed to present any additional information that could affect the report or findings included in the report. Any changes made to the draft will be agreed upon in the exit conference.

Issuance of Formal Reports

After the exit conference, the department will be asked to respond in writing to each specific finding within two weeks. Additional time can be granted but no later than two weeks prior to the next scheduled meeting of the Fiscal Policy Committee of the Board of Trustees. The secretary will insert the departmental response in italics after each finding in the body of the report.

After proof reading by the Director or Auditor-in-charge, the report will be sent to Printing Services to print and bind 55 copies. Approximately 8-10 days prior to the Fiscal Policy Committee Meeting the secretary will deliver 40 copies to the Secretary of the Board of Trustees for distribution to the Board and members of the Presidents Council and any other interested parties. Materials must be made available to the public seven days prior to the meeting as required by the State Freedom of Information Act.

[Back to Table of Contents]