This blog looks to summarise the use(s) of the Five Cs in internal audit communication and links to our technical guidance on Effective Report Writing. The Five Cs can be used in a wide range of communication, not just internal audit reports. For example, the model can be used for working papers, both from conversations and testing, and will help structure and inform internal audit thinking conducted as part of any assurance engagement and/or advisory assignment.
The approach of all internal audit working papers/reporting needs to conform with IIA Standard 2410 - Criteria for Communications. The language used within this Standard and the following Standard - 2420 Quality of Communications - focuses on ‘clear’ and ‘constructive’ communication and not simply the presentation of unstructured information or data. To that end, using the Five C’s approach provides a framework for internal auditors when describing issues and presenting recommendations/actions for management.
The Five Cs stand for:
|
This blog focusses on how the Five Cs might be used to structure your written communication, including the structure of recommendations and/or agreed actions. It provides a framework which can be used by all internal auditors, regardless of the organisation or sector that they may work for. We will explore the Five Cs approach to constructing working papers, testing programmes and reports, using the above framework to form clear, coherent and actionable observations, findings, risks and recommendations and/or agreed actions.
When reporting, the most important elements of the Five Cs are the three middle ones. Condition, consequence, and cause require you to answer three simple questions:
These three questions are key to formulating your report, but also should form part of your approach to your working papers to ensure a clear audit trail exists from your testing to your findings and then the proposed actions/recommendations.
We will consider two examples below to illustrate how the Five Cs approach can be used to construct clear and effective communications.
Example 1: Financial audit: Key Control Account Reconciliations
When undertaking a Key Financial Controls audit, we may consider the organisation’s processes for completing and documenting key control account reconciliations. Consider the following breakdown or a possible recommendation that could be raised in this area.
Criterion: Under the Financial Regulations, key control accounts should be reconciled, independently reviewed and signed off by the Finance Director as part of month-end financial processes.
Condition: We selected a sample of five key control accounts and found that for the last three months (January - March 2022), there was no evidence that the Finance Director had reviewed or signed off the accounts.
Consequence: Without independent review, the Finance Director could not evidence that there was suitable oversight over the key control accounts, and this presented a risk that amounts between the key accounts were incorrectly posted, leading to potential misrepresentation in the organisation’s accounts.
Cause: Through discussion with management and walkthrough of the process, the Finance Director stated that they had reviewed the accounts, however to facilitate evidencing completion of this review, as per other month-end processes, a sign off box had not been included in the template for key control account reconciliations.
Corrective Action: A sign-off box will be included within the account reconciliation pro formas. In addition, refresher training will be provided to members of the Finance Team to reiterate the importance of documenting and retaining a clear audit trail for account reconciliations
Responsibility: Finance Director
Timescale: 1 May 2022
Example 2: Health & Safety Reporting
When considering the quality and integrity of health and safety information being reported to Management/Board, an internal auditor may consider whether the key performance indicators (KPIs) being reported are accurate and can be recalculated from underlying raw data. The following recommendation may be raised:
Criterion: Employee health & safety KPIs are reported to the senior leadership team (SLT) monthly. It is vital that the SLT receive accurate information in this area, so that informed and appropriate decisions can be made regarding employee health, safety and wellbeing.
Condition: We selected a sample of five KPIs from the March 2022 Health & Safety report to the SLT and reviewed the underlying raw data used to produce the KPIs. In one case (KPI 3 - Serious Accidents) we found that the figure reported to SLT (12) did not align to the underlying data and should have been 21.
Consequence: The SLT does not take sufficient corrective action to remediate the accidents or put in place preventative measures to avoid accidents or near misses being experienced by employees. Therefore, there is a risk that employees will continue to experience accidents/near misses leading to injury or death, and financial and legal implications for the organisation.
Cause: We undertook a walkthrough of the reporting process with the Health & Safety assistant. We found that the process is highly manual, requiring the assistant to manually count accident reports and submit a figure for reporting. Furthermore, we found that no independent checks are performed on the reported figures, prior to them being presented to the SLT.
Corrective Action: Management introduce data integrity checks on all KPIs reported to SLT as part of the Health & Safety Report. Consideration will also be given to the automation of the reporting process, to reduce the risk of manual data input errors.
Responsibility: Health & Safety Manager
Timescale: 1 June 2022
By consistently applying the Five Cs approach to constructing recommendations and communicating issues and results to management and the audit committee, internal auditors can better meet the expectations of IIA Standards 2410 and 2420. Thereby providing clear and actionable recommendations / agreed action which can be used to strengthen the organisation’s internal control environment.
Remember, communicating our results effectively is critical to the organisation, and using the Five Cs as a model provides internal audit with a framework to ensure key requirements for communication are met. Furthermore, using tools such as root cause analysis will help identify repeated findings across the organisation and add value through actions to address these weaknesses.
Further Reading
Performance Standards, International Professional Practices Framework