No two governing boards are same. Neither are their preferences for internal audit’s report outs of audit findings to the board audit committee(s). Let’s explore different approaches for providing information to the board, including the inclusion or complexity of completed reports, audit follow-up and other areas that are under internal audit’s responsibility (e.g., ethics hotline, conflicts of interest, etc.).
How is your audit committee structured?
How your audit committee is structured will depend on your institution. Your organization may have only one audit committee, or it may have several. For example, it is not uncommon for academic medical centers to have more than one audit committee. They may have separate committees for the academic institution, medical center and foundation. The number, size and make-up of your committee will likely influence the frequency of formal meetings, meeting agendas and content provided.
Presenting internal audit’s completed reports
Internal audit’s role is established in a charter or policy and typically includes a presentation of its audit activities and findings related to those activities to the audit committee. Some committees want more detailed report outs than others. Where some audit committees prefer internal audit present a summary of the audits and reviews conducted since the prior meeting inclusive of all findings and observations, others prefer only high-level risks be brought to their attention. So long as internal audit is providing the board with objective assurance and advice, the form the presentation takes can vary based on the board and its unique preferences. In our experience, committees typically like having, within the meeting materials, copies of the comprehensive reports that highlight each audit or review’s objectives, approach, findings and recommendations and, at its meeting, a high-level presentation of the findings and observations with the opportunity to ask questions.
Reporting on internal audit’s other responsibilities
Internal audit’s responsibilities do not stop once an audit report is issued. Depending on your organization’s structure and how roles and responsibilities are assigned, internal audit’s scope may vary. For example, internal audit may also oversee activities to ensure past internal control gaps have been addressed (i.e., audit follow-up), monitor the ethics and compliance hotline, manage the disclosure of conflicts of interest and/or facilitate enterprise risk management (ERM) processes. Typically, these items represent ongoing continuous monitoring activities for which updates are also presented as part of internal audit’s report out and provide important insight to potential risks to the institution’s strategic, financial and operational objectives. Again, the level of detail to which these activities are presented varies, but we find that committees often appreciate a verbal confirmation that these activities are occurring and mention of any particular areas, concerns or risks that have arisen.
Sample reporting approach
Baker Tilly provides internal audit services to numerous institutions through its co-sourced and outsourced solutions. Below is an effective approach to board reporting for many colleges and universities:
Internal audit project status
We begin our presentation by displaying a table that summarizes the status of our internal audit plan and other internal audit activities (e.g., audit follow up). This typically includes the title of each audit or advisory review, the stage of completion (e.g., not started, planning, fieldwork, reporting or completed), and the date on which the results were presented or will be presented. We also note or verbally discuss any changes to the plan since the last meeting when applicable.
Internal audit follow up
Audit follow up activities are summarized in a table for presentation purposes with more detail provided as an attachment to the meeting materials. The summary table is organized by audit year and project and notes the number of action plans developed for each review and the number of plans that have been completed as well as the implementation deadline (and revised deadline where appropriate). Once all action plans have been implemented for a particular review, this line item falls off this list so that only projects with outstanding action plans are presented. The detailed report included as an attachment provides additional context for each open item, including a summary of the recommendation to which the plan was developed, the risk level and a brief status update.
Results summary for completed projects
For presentation purposes, we include a summary of projects completed since the last meeting. The summary includes a recap of the project objective(s) as well as high-level recommendations made to address any issues or opportunities for improvement identified during our review. Within the meeting materials, but not the presentation itself, we typically include our detailed reports so that committee members have access to additional information if needed. The detailed reports:
- Introduce the topic, the objective(s) and approach for the review
- Include an executive summary to present an overview of the observations, recommendations and risk level
- Provide detailed observations and recommendations that are organized by risk level
- Summarize the information reviewed, the individuals that provided related content, testing procedures performed and testing results, as well as other relevant information (e.g., research or benchmarking procedures and results when applicable) within the appendices
Other internal audit activities
For institutions whose internal audit function also manages activities such as the ethics hotline and conflict of interest (COI) disclosures, we typically include a slide to present our role in each activity and verbally update the committee of any pertinent information.
For more information, or to learn more about how Baker Tilly’s higher education internal audit specialists can help your institution, contact our team.
