The sense and nonsense of advice in an audit report

June 18, 2019
There are varying opinions on the inclusion of advice in an audit report. On one side there are the "hardliners" who feel that an assurance examination does not lend itself to giving advice and on the other side there are the "consultants" who feel that giving advice is the best thing in the auditor's life. In this little blog, I offer some personal insights on the pros and cons and hope it will help inform your decision to advise or not.

There are quite a few internal auditors who give advice in their audit report because they think they 'should': because they have always done so, or because they think it is expected of them without first having checked that expectation with those esteemed colleagues who receive the report and are expected to do something with it. My tip of the day: think carefully about whether you should or even want to give advice. In many cases it is better not to, because:

  1. Who the hell are you? Or: it comes across as pedantic ... If I, as an auditor, am going to give advice to a well-paid director who is responsible for managing his risks, then maybe it would be better if that director just went home and I went to do his (probably better paid) job. After all, isn't that what every director is supposed to do? Control his risks by implementing measures? He's probably not responsible for more than that, right?
  2. (Again) who the hell are you? Or (again): it comes across as pedantic... Yes, this is the 2nd time, but this time for another important reason: the advice mostly results in hassle, friction and whining. It causes delays because a lot of hours go into fine-tuning the opinions. I regularly draw the following picture (see figure) with my clients who have problems with continuous budget overruns of internal audits: the green line shows an ideal distribution of hours during an audit (most hours in preparation and execution, completion preferably within a day) and the red line shows the distribution of hours of audits that go over budget. It turns out that, in audits that go heavily over budget, it is mainly due to endless consultation and coordination on the recommendations. Fortunately, most of my clients employ directors who don't like it when it suddenly appears that they don't have their affairs in order. And they don't like it at all when a wisecracking auditor adds salt to the wound by telling them what to do. They usually know that themselves. With those clients, we immediately stopped giving advice and guess what: hours stayed within budget and the assessments of the directors/managers skyrocketed.
  3. It doesn't "belong" that way (and certainly not according to the hardliners). Internal Auditors conduct investigations into the quality of internal control in an organization. Or at least something similar. Also known as problem-oriented research. The purpose of the investigation is to determine that internal control is adequate. Actually to determine whether there is a 'problem'. So if it is not satisfactory, what do you do? Right: say it's not good. And let them fix it themselves. Then a while later the auditor can determine if it is indeed fixed!
  4. You don't know the cause at all. Any advice where you haven't researched the cause (and believe me, that's a lot different than a survey asking, "is there a problem?") misses the mark. Chances are either that it doesn't make sense, or that you are being used by the organization to move in a direction that pleases them but doesn't eliminate the cause. Suppose you see that segregation of duties is missing somewhere or the design of an IT system is flawed. Then what is the cause? No budget? Incompetence? High workload? My advice (oy what am I saying now?) is: stay away as much as possible from root cause analysis without research to back it up.
  5. The best advice is a good standards framework. If you do a good audit, you have made a solid risk analysis and it is clear what the most important controls are for each risk. In the appendix of your report, you will hopefully also find the framework of standards with a score or indication of whether each control is good or not good (or in between). Then the only meaningful advice you can give is: "resolve the findings, see appendix".
  6. If they need advice, they will ask for it. Adopt a constructive and cooperative attitude and you will be asked if they can't figure it out. Just put in your report that you are willing to help if you feel comfortable doing so.
  7. It takes time/money. Time and money that could be spent giving assurance or doing other research. Most opinions are open doors; at worst, nothing is done with them at all. The worst is when an externally hired auditor insists on giving opinions. Instead, just ask if they want to come by for an hour to talk about what needs to be done. Better than spending a good amount of time on an advisory paragraph with all the discussion around it.

Of course, there are plenty of reasons why, on the contrary, you should give advice in a report. Here are a few:

  1. This one is similar to the last reason (#7) for not doing it at all: they are asking for it! Nothing is nicer than when you can help people, and it's even nicer when they appreciate your help! So do that and go all the way. Sometimes I am asked for advice. For example when there is a persistent problem (often something to do with culture or behavior) or a huge challenge where everyone is caught up in the details and nobody has an overview anymore. Or because, as an Internal Auditor, I am the only one who oversees just about everything in an organization. Good reasons to give advice!
  2. People expect it of you. Beware of that. 'People' is often 'the organization' and chances are it is an ingrained expectation, created in the distant past. Then enter into dialogue with management and, for example, the audit committee about whether they want to spend those expensive audit hours on that. Because: giving advice = less time for assurance and research. That need not be a problem, but do it well. That includes recording it in the Charter, after which you can start formulating nice recommendations.
  3. Giving advice is the most enjoyable part of the internal auditor's job. Well. For me that's not such a strong reason; the fun is in the auditing and the added value in giving assurance. So for me it is not necessary (I think that is clear by now). But nobody is the same, so if it makes you happy, go ahead, but please pay attention to reasons 1 to 7.

There are surely more pros and cons to be thought of about giving advice, quite apart from the question of what advice actually means. In fact, everything about this topic is person- and organization-dependent. Do what works for you and your organization, but think about it carefully. I hope my little blog provokes thought and I am very curious to see what your next audit report looks like! Of course, I am open to lively discussion or feedback on this blog.

Carlo Bavius RE RO CRISC CRMA CIA, Associate Partner ARC People