SIAAB - Lesson 13: Domain IV: Managing the Internal Audit Function Principle 11: Communicate Effectively
Internal Auditing Standards and Requirements in the State of Illinois
Review Course
Based on 2024 Global Internal Audit Standards
Principle 11 Communicate Effectively
The chief audit executive guides the internal audit function to communicate effectively with its stakeholders.
Effective communication requires building relationships, establishing trust, and enabling stakeholders to benefit from the results of internal audit services. The chief audit executive is responsible for helping the internal audit function establish ongoing communication with stakeholders to build trust and foster relationships. Additionally, the chief audit executive oversees the internal audit function’s formal communications with the board and senior management to enable quality and provide insights based on the results of internal audit services.
Standard 11.1 Building Relationships and Communicating with Stakeholders
Requirements
The chief audit executive must develop an approach for the internal audit function to build relationships and trust with key stakeholders, including the board, senior management, operational management, regulators, and internal and external assurance providers and other consultants.
The chief audit executive must promote formal and informal communication between the internal audit function and stakeholders, contributing to the mutual understanding of:
- Organizational interests and concerns.
- Approaches for identifying and managing risks and providing assurance.
- Roles and responsibilities of relevant parties and opportunities for collaboration.
- Relevant regulatory requirements.
- Significant organizational processes, including financial reporting.
Considerations for Implementation
Regular, ongoing communication among the board, senior management, and the internal audit function contributes to a common understanding of the organization’s risks and assurance priorities and promotes adaptability to changes. The chief audit executive should be included in the organization’s communication channels to keep current with major developments and planned activities that could affect the objectives and risks of the organization. The chief audit executive also should attend meetings with the board and key governance committees, as well as senior management and groups that report directly to senior management, such as compliance, risk management, and quality control.
In addition, the chief audit executive should discuss a methodology for communication with the board and senior management to determine the criteria defining significant issues requiring formal communication, the format and content of formal communication, and the frequency with which such communication should occur.
Meeting independently with individual senior executives and members of the board allows the chief audit executive to build relationships with them and learn about their concerns and perspectives. To better understand business objectives and processes, internal auditors should meet with key members of operational management, such as the heads of business units and employees who perform operational tasks. In certain highly regulated industries or sectors, meetings between the chief audit executive and external auditors and regulators may be appropriate.
The chief audit executive and internal auditors may initiate discussions with management and the board about strategies, objectives, and risks as well as industry news, trends, and regulatory changes. Such discussions, along with surveys, interviews, and group workshops, are useful tools for obtaining input, especially on fraud and emerging risks. Websites, newsletters, presentations, and other forms of communication can be effective methods for sharing the internal audit function’s role and benefits with employees and other stakeholders.
The chief audit executive may delegate individual internal auditors to be responsible for maintaining ongoing communication with the management of key functions such as business segment leaders, global operations, information technology, finance, compliance, and human resources. (See also Standard 9.5 Coordination and Reliance.)
Communication should include opportunities for ongoing, informal interaction between internal auditors and the organization’s employees. When informal interactions occur consistently, employees gain trust in internal auditors, increasing the likelihood of candid discussions that may not occur in formal meetings. As a part of relationship-building, informal interaction may enhance internal auditors’ comprehensive understanding of the organization and its control environment. Rotating internal auditors into and out of assignments in specific business units or locations may balance the benefits of informal communication against the need to protect internal auditors’ objectivity.
Examples of Evidence of Conformance
- Documentation of the internal audit function’s plan for managing stakeholder relationships.
- Agendas or minutes from meetings among members of the internal audit function and stakeholders.
- Surveys, interviews, and group workshops through which internal auditors solicit input from internal stakeholders.
- Websites or web pages, newsletters, presentations, and other outlets through which the internal audit function communicates with stakeholders in the organization.
Standard 11.2 Effective Communication
Requirements
The chief audit executive must establish and implement methodologies to promote accurate, objective, clear, concise, constructive, complete, and timely internal audit communications.
Considerations for Implementation
Methodologies may include policies, criteria, style guides, and procedures to guide the internal audit function’s communications and achieve consistency. Communication methodologies should consider the expectations of the board, senior management, and other relevant stakeholders. (See also Standards 9.3 Methodologies and 15.1 Final Engagement Communication.) The chief audit executive may provide communications training to internal auditors, such as training in writing or preparing presentations of final communications.
Methodologies, such as supervisory reviews, should enhance the degree to which engagement communications are:
- Accurate – free from errors and distortions and faithful to the underlying facts. When communicating, internal auditors should use precise terms and descriptions, supported by information gathered. Internal auditors also should consider other standards related to accuracy, including Standard 11.4 Errors and Omissions.
- Objective – impartial, unbiased, and the result of a fair and balanced assessment of all relevant facts and circumstances. Findings, conclusions, recommendations and/or action plans, and other results of internal audit services should be based on balanced assessments of relevant circumstances. Communications should focus on identifying factual information and linking the information to objectives. Internal auditors should avoid terms that may be perceived as biased. (See also Principle 2 Maintain Objectivity and its standards.)
- Clear – logical and easily understood by relevant stakeholders, avoiding unnecessary technical language. Clarity is increased when internal auditors use language that is consistent with terminology used in the organization and easily understood by the intended audience. Internal auditors should avoid unnecessary technical language and define important terms that are uncommon or used in a way that is specific or unique to the communication or presentation. Internal auditors improve the clarity of their communications by including significant details that support findings, conclusions, recommendations and/or action plans.
- Concise – succinct and free from unnecessary detail and wordiness. Internal auditors should avoid redundancies and exclude information that is unnecessary, insignificant, or unrelated to the engagement or service.
- Constructive – helpful to stakeholders and the organization and enabling improvement where needed. Internal auditors should express information with a cooperative and helpful tone that facilitates collaboration with the activity under review to determine opportunities for improvement.
- Complete – relevant, reliable, and sufficient information and evidence to support the results of internal audit services. Completeness enables the reader to reach the same conclusions as those reached by internal auditors. Internal auditors should adapt communications to meet the needs of various recipients and consider the information they need to take the actions for which they are responsible. For example, communications to the board and senior management may differ from those delivered to the management of an activity under review.
- Timely – appropriately timed, according to the significance of the issue, allowing management to take corrective action. Timeliness may be different for each organization and depend upon the nature of the engagement.
The chief audit executive may establish key performance measures to monitor the effectiveness of internal audit communication, which can be used as part of the function’s quality assurance and improvement program. (See also Standard 8.3 Quality, and Principle 12 Enhance Quality and its standards.)
Examples of Evidence of Conformance
- Style guides, templates, and other documented methodologies for effective communication.
- Records of participation in training or meetings on effective communication skills.
- Final communications and other documents approved by the chief audit executive, as well as supporting documents that demonstrate the characteristics of effective communications.
- Presentation slides or meeting minutes that demonstrate the characteristics of effective communications.
- Records demonstrating the timeliness of communications.
- Workpapers that demonstrate the characteristics of effective communications.
- Workpapers with supervisory review notes on improving communication effectiveness.
- Results of stakeholder surveys regarding the quality of internal audit communications.
- Results of quality assurance and improvement program.
Standard 11.3 Communicating Results
Requirements
The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The chief audit executive must understand the expectations of the board and senior management regarding the nature and timing of communications.
The results of internal audit services can include:
- Engagement conclusions.
- Themes such as effective practices or root causes.
- Conclusions at the level of the business unit or organization.
Engagement Conclusions
The chief audit executive must review and approve final engagement communications, which include engagement conclusions, and decide to whom and how they will be disseminated before they are issued. If these duties are delegated to other internal auditors, the chief audit executive retains overall responsibility. The chief audit executive must seek the advice of legal counsel and/or senior management as required before releasing final communications to parties outside the organization, unless otherwise required or restricted by laws and/or regulations. (See also Standards 11.4 Errors and Omissions, 11.5 Communicating the Acceptance of Risks, and 15.1 Final Engagement Communication.)
Themes
The findings and conclusions of multiple engagements, when viewed holistically, may reveal patterns or trends, such as root causes. When the chief audit executive identifies themes related to the organization’s governance, risk management, and control processes, the themes must be communicated timely, along with insights, advice, and/or conclusions, to the board and senior management.
Conclusions at the Level of the Business Unit or Organization
The chief audit executive may be required to make a conclusion at the level of the business unit or organization about the effectiveness of governance, risk management, and/or control processes, due to industry requirements, laws and/or regulations, or the expectations of the board, senior management, and/or other stakeholders. Such a conclusion reflects the professional judgment of the chief audit executive based on multiple engagements and must be supported by relevant, reliable, and sufficient information.
When communicating such a conclusion to the board or senior management, the chief audit executive must include:
- A summary of the request.
- The criteria used as a basis for the conclusion, for example a governance framework or risk and control framework.
- The scope, including limitations and the period to which the conclusion pertains.
- A summary of the information that supports the conclusion.
- A disclosure of reliance on the work of other assurance providers, if any.
Considerations for Implementation
The results of internal audit services may be based on individual engagements, multiple engagements, and interactions with the board and senior management over time.
Engagement Conclusions
While Standard 13.1 Engagement Communication requires internal auditors to communicate throughout an engagement with those responsible for the activity under review, the chief audit executive is responsible for the dissemination of final engagement communications to the appropriate parties. Appropriate parties may include the board, senior management, and/or those responsible for developing and implementing management’s action plans. (See also Standard 15.1 Final Engagement Communication.)
The chief audit executive should encourage internal auditors to acknowledge satisfactory and positive performance in engagement communications. Examples of good practices identified across engagements may be transferable to other parts of the organization or serve as a benchmark throughout the organization.
Themes
Tracking the findings and conclusions of multiple engagements may enable the identification of trends, such as the improvement or worsening of conditions compared to criteria, a root cause underlying the conditions, or an opportunity to share a practice that increases effectiveness or efficiency. Such trends also may lead to additional engagements that focus on the theme across the organization.
Communications to the board and senior management should include:
- Significant control weaknesses and robust root cause analysis.
- Thematic or systemic issues, actions, or progress across multiple engagements or business units.
Insights obtained from other assurance providers should be considered when identifying themes. (See also Standard 9.5 Coordination and Reliance.)
Conclusions at the Level of the Business Unit or Organization
When communicating conclusions at the levels of the business unit or organization overall, the chief audit executive should consider how a conclusion relates to the strategies, objectives, and risks of the organization. The chief audit executive also should consider whether the conclusion solves a problem, adds value, and/or provides management or other stakeholders with confidence regarding an overall theme or condition.
The chief audit executive also considers the time period to which the conclusion relates and any scope limitations to determine which engagements would be relevant to the overall conclusion. All related engagements or projects are considered, including those completed by other internal and external assurance providers. (See also Standard 9.5 Coordination and Reliance.)
For example, an overall conclusion may be based on aggregate engagement conclusions at the organization’s local, regional, and national levels, along with results reported from outside entities such as independent third parties or regulators. The scope statement provides context for the overall conclusion by specifying the time period, activities, limitations, and other variables that describe the conclusion’s boundaries.
The chief audit executive should summarize the information on which the overall conclusion is based and identify the relevant risk or control frameworks or other criteria used as a basis for the overall conclusion. The chief audit executive should articulate how the overall conclusion relates to the strategies, objectives, and risks of the organization. Overall conclusions are usually communicated in writing but also may be provided orally.
Examples of Evidence of Conformance
- Final engagement communications, including engagement findings, recommendations, and conclusions.
- The chief audit executive’s outline, meeting minutes, speaking notes, slides, or documents indicating communication with the board and senior management.
- Analyses including data reports, diagrams, and graphs showing trends.
- Relevant risk or control frameworks or other criteria used as a basis for the overall conclusion.
Standard 11.4 Errors and Omissions
Requirements
If a final engagement communication contains a significant error or omission, the chief audit executive must communicate corrected information promptly to all parties who received the original communication.
Significance is determined according to criteria agreed upon with the board.
Considerations for Implementation
The chief audit executive and the board should agree on a protocol for communicating the correction. To determine the significance, the chief audit executive should evaluate whether the mistaken or omitted information could have legal or regulatory consequences or change the findings, conclusions, recommendations, or management’s action plans.
The chief audit executive determines the most appropriate method of communication so that the corrected information is received by all parties who received the original communication. In addition to communicating the corrected information, the chief audit executive should identify the cause of the error or omission and take corrective action to prevent a similar situation from occurring in the future.
Examples of Evidence of Conformance
- Internal audit methodologies for handling errors and omissions.
- Criteria agreed upon with the board and used by the chief audit executive to determine the level of significance.
- Correspondence and other records showing how the chief audit executive determined the significance and cause of the error or omission.
- The chief audit executive’s calendar, board or other meeting minutes, memos, and email correspondence where an error or omission was discussed.
- The original and corrected final communication documents.
- Documentation that relevant parties received the corrected communications.
Standard 11.5 Communicating the Acceptance of Risks
Requirements
The chief audit executive must communicate unacceptable levels of risk.
When the chief audit executive concludes that management has accepted a level of risk that exceeds the organization’s risk appetite or risk tolerance, the matter must be discussed with senior management. If the chief audit executive determines that the matter has not been resolved by senior management, the matter must be escalated to the board. It is not the responsibility of the chief audit executive to resolve the risk.
Considerations for Implementation
The chief audit executive gains an understanding of the organization’s risks and risk tolerance through discussions with the board and senior management, relationships and ongoing communication with stakeholders, and the results of internal audit services. (See also Standards 8.1 Board Interaction; 9.1 Understanding Governance, Risk Management, and Control Processes; and 11.1 Building Relationships and Communicating with Stakeholders.) This understanding provides the chief audit executive with perspective about the level of risk the organization considers acceptable. If the organization has a formal risk management process, the chief audit executive should understand management’s policies for acceptance of risk.
The chief audit executive may discuss and seek the board’s agreement on methodologies for documenting and communicating the acceptance of risks that exceed the risk appetite or risk tolerance. In addition to the requirements in the Standards, methodologies should consider the organization’s risk management process, policies, and procedures. The risk management process may include a preferred approach to communicating significant risk issues. Specifications may include the timeliness of communicating, the hierarchy of reporting, and requirements for consultation with the organization’s legal counsel or head of compliance. The internal audit methodology also should include procedures for documenting the discussions and actions taken, including a description of risk, the reason for concern, management’s reason for not implementing internal auditors’ recommendations or other actions, the name of the individual responsible for accepting the risk, and the date of discussion.
The chief audit executive may become aware that management has accepted a risk by reviewing management’s response to engagement findings and monitoring management’s progress to implement recommendations and action plans. Building relationships and maintaining communication with stakeholders are additional means of remaining apprised of risk management activities including management’s acceptance of risk.
When risks exceed the risk appetite, impacts may include:
- Harm to the organization’s reputation.
- Harm to the organization’s employees or other stakeholders.
- Significant regulatory fines, limitations on business conduct, or other financial or contractual penalties.
- Material misstatements.
- Conflicts of interest, fraud, or other illegal acts.
- Significant impediments to achieving strategic objectives.
The chief audit executive’s professional judgment contributes to the determination of whether management has accepted a level of risk that exceeds the risk appetite or risk tolerance. For example, if management has made insufficient progress on action plans, the chief audit executive may conclude that management has accepted a level of risk that exceeds the risk appetite or risk tolerance. Before escalating a concern to the board and/or senior management, the chief audit executive should address the issue directly with the management responsible for the risk area to share concerns, understand management’s perspective, and agree on an updated action plan.
The requirements of this standard are only implemented when the chief audit executive cannot reach agreement with the management responsible for managing the risk. If the risk identified as unacceptable remains unresolved after a discussion with senior management, the chief audit executive escalates the concern to the board. The board is responsible for deciding how to address the concern with management.
Examples of Evidence of Conformance
- Documentation of discussions and agreement with the board on methodologies for communicating risk concerns.
- Documentation of discussions about the risk and actions recommended to operational management and senior management, including minutes of meetings.
- Documentation explaining the risk concern and internal audit actions taken to address the concern, including the process of escalating the discussion from operational management to senior management.
- Documentation from meetings with the board, including private or closed sessions during which the concern was escalated to the board.
SIAAB Requirements
The chief internal auditor distributes the final engagement communication to the management of the audited activity and to those members of the organization who can ensure engagement results are given due consideration and take corrective action or ensure that corrective action can be taken. Where required by the internal audit charter or organizational policy, the chief internal auditor also communicates to other interested or affected parties such as external auditors and the board.
Copyright 2024 by The Institute of Internal Auditors, Inc., 1035 Greenwood Blvd, Suite 401, Lake Mary, FL 32746. Reprinted with permission.