We Need Fair & Balanced Audit Reports
Key Takeaways
- Accuracy Alone Is Not Enough: Audit reports can be technically correct while still presenting an incomplete or misleading picture if they fail to include relevant context.
- Balance Improves Credibility: Including progress already made, existing plans, and resource constraints helps ensure reports are fair and maintain management trust.
- Context Matters for Boards: When reports omit key operational realities, they risk giving boards a distorted understanding of risk and remediation progress.
- IIA Standards Emphasize Objectivity: The IIA’s Global Audit Standards require communications to be both accurate and the result of a fair and balanced assessment of all relevant circumstances.
- Progress Should Be Reported: Effective internal auditing recognizes both weaknesses and the steps already taken to address them.
Deep Dive
Norman Marks reflects on a hard-earned lesson from his time as a VP of IT at a large financial institution. Drawing from a real-world audit experience, Marks explores why audit reports must go beyond technical accuracy and present a fair and balanced view of risk. While audit findings may be correct, he argues that failing to acknowledge context, progress already underway, or operational realities can distort the true picture for management and boards alike.
Why Audit Reports Must Be Fair and Balanced
If you want credibility and trust from management, your reports need not only to be accurate but also fair and balanced. Let me give you a real-life example from my time as a VP in IT at a large financial institution.
The audit report identified several gaps in our information security and recommended that we take immediate corrective actions. The gaps were true, as was the description in the report of the level of risk. The corrective actions were correct – they were what needed to be done.
But, while the report was “correct”, it was neither fair nor balanced.
Let me explain.
I had moved over from internal audit (where IT auditing was part of my portfolio) about a year earlier. During that year, I had identified the need for enhanced information security; hired an outstanding Information Security team (Administrator, Manager, and Analyst); selected and obtained approval to acquire a security solution (ACF2); developed and obtained approval from senior management for our detailed implementation plan; developed information security policies; and we were ahead of our implementation plan.
None of this was mentioned in the audit report. Neither was the fact that we had given the auditor a copy of our implementation plan, and every single “finding” they reported was not only included but also scheduled for action.
There was nothing in the report that we didn’t know; there was nothing that wasn’t included in our regular reports to senior management. When I asked the auditor whether we had the resources to move faster, he said we did not. He also said that we had prioritized our activities correctly. But he refused to say anything about resource limitations in the report. He just asked that we do what we could not do.
The only “added value” was that the report would now provide the board with information about the level of risk. But that report would present a distorted, unfair and unbalanced picture of the state of affairs.
The report was accurate, but it was neither fair nor balanced. The IT audit manager refused to make any changes. The CAE supported him. They told me I could point all of that out in my ‘management response’.
This was a life lesson for me. (And yes, I still feel the pain today.) I already knew audit reports needed to be fair and balanced. Now I knew why.
Hidden away in Considerations for Implementation of the IIA’s Global Audit Standards, Standard 11.2, Effective Communications, is this:
Methodologies, such as supervisory reviews, should enhance the degree to which engagement communications are:
- Accurate – free from errors and distortions and faithful to the underlying facts. When communicating, internal auditors should use precise terms and descriptions, supported by information gathered. Internal auditors also should consider other standards related to accuracy, including Standard 11.4 Errors and Omissions.
- Objective – impartial, unbiased, and the result of a fair and balanced assessment of all relevant facts and circumstances. Findings, conclusions, recommendations and/or action plans, and other results of internal audit services should be based on balanced assessments of relevant circumstances.
Being fair and balanced doesn’t impair our objectivity or independence. Reporting progress as well as what remains to be done is good internal auditing.
Do you include successes as well as weaknesses?

