
Use of the Five Cs in Communication

This blog looks to summarise the use(s) of the Five Cs in internal audit communication and links to our technical guidance on Effective Report Writing. The Five Cs can be used in a wide range of communication, not just internal audit reports. For example, the model can be used for working papers, both from conversations and testing, and will help structure and inform internal audit thinking conducted as part of any assurance engagement and/or advisory assignment.

The approach of all internal audit working papers/reporting needs to conform with IIA Standard 2410 - Criteria for Communications. The language used within this Standard and the following Standard - 2420 Quality of Communications - focuses on ‘clear’ and ‘constructive’ communication and not simply the presentation of unstructured information or data. To that end, using the Five Cs approach provides a framework for internal auditors when describing issues and presenting recommendations/actions for management.

The Five Cs stand for:

  • Criterion (or criteria): What standards or controls are in place (or should be)?
  • Condition: This is your observation – what have you found to be the reality? It usually doesn’t match the criterion or criteria.
  • Consequence: What is/are the risk/s?
  • Cause: What is the root cause?
  • Corrective action: What are your recommendations, or senior management’s plans to fix things?

This blog focusses on how the Five Cs might be used to structure your written communication, including the structure of recommendations and/or agreed actions.  It provides a framework which can be used by all internal auditors, regardless of the organisation or sector that they may work for. We will explore the Five Cs approach to constructing working papers, testing programmes and reports, using the above framework to form clear, coherent and actionable observations, findings, risks and recommendations and/or agreed actions.

When reporting, the most important elements of the Five Cs are the three middle ones. Condition, consequence, and cause require you to answer three simple questions:

  • What exactly is the problem? Who is not doing what, or what is not in place?
  • So what? Why should the reader care? (If you articulate risk in terms of financial, regulatory, reputational, or health and safety consequences, readers should immediately see why.)
  • What caused the problem in the first place? Using root cause analysis will help identify the true cause, but also add value across the work of the internal audit function so that repeated identification of the same root causes can be addressed.  

These three questions are key to formulating your report, but also should form part of your approach to your working papers to ensure a clear audit trail exists from your testing to your findings and then the proposed actions/recommendations.

We will consider two examples below to illustrate how the Five Cs approach can be used to construct clear and effective communications.

Example 1: Financial audit: Key Control Account Reconciliations

When undertaking a Key Financial Controls audit, we may consider the organisation’s processes for completing and documenting key control account reconciliations. Consider the following breakdown of a possible recommendation that could be raised in this area.

Criterion: Under the Financial Regulations, key control accounts should be reconciled, independently reviewed and signed off by the Finance Director as part of month-end financial processes.

Condition: We selected a sample of five key control accounts and found that for the last three months (January - March 2022), there was no evidence that the Finance Director had reviewed or signed off the accounts.

Consequence: Without independent review, the Finance Director could not evidence that there was suitable oversight over the key control accounts, and this presented a risk that amounts between the key accounts were incorrectly posted, leading to potential misrepresentation in the organisation’s accounts.

Cause: Through discussion with management and a walkthrough of the process, the Finance Director stated that they had reviewed the accounts. However, a sign-off box to facilitate evidencing completion of this review, as used in other month-end processes, had not been included in the template for key control account reconciliations.

Corrective Action: A sign-off box will be included within the account reconciliation pro formas. In addition, refresher training will be provided to members of the Finance Team to reiterate the importance of documenting and retaining a clear audit trail for account reconciliations.

Responsibility: Finance Director

Timescale: 1 May 2022

Example 2: Health & Safety Reporting

When considering the quality and integrity of health and safety information being reported to Management/Board, an internal auditor may consider whether the key performance indicators (KPIs) being reported are accurate and can be recalculated from underlying raw data. The following recommendation may be raised:

Criterion: Employee health & safety KPIs are reported to the senior leadership team (SLT) monthly. It is vital that the SLT receive accurate information in this area, so that informed and appropriate decisions can be made regarding employee health, safety and wellbeing.

Condition: We selected a sample of five KPIs from the March 2022 Health & Safety report to the SLT and reviewed the underlying raw data used to produce the KPIs. In one case (KPI 3 - Serious Accidents) we found that the figure reported to SLT (12) did not align to the underlying data and should have been 21.

Consequence: The SLT does not take sufficient corrective action to remediate the accidents or put in place preventative measures to avoid accidents or near misses being experienced by employees. Therefore, there is a risk that employees will continue to experience accidents/near misses leading to injury or death, and financial and legal implications for the organisation.

Cause: We undertook a walkthrough of the reporting process with the Health & Safety assistant. We found that the process is highly manual, requiring the assistant to manually count accident reports and submit a figure for reporting. Furthermore, we found that no independent checks are performed on the reported figures, prior to them being presented to the SLT.

Corrective Action: Management will introduce data integrity checks on all KPIs reported to SLT as part of the Health & Safety Report. Consideration will also be given to the automation of the reporting process, to reduce the risk of manual data input errors.

Responsibility: Health & Safety Manager

Timescale: 1 June 2022

By consistently applying the Five Cs approach to constructing recommendations and communicating issues and results to management and the audit committee, internal auditors can better meet the expectations of IIA Standards 2410 and 2420, thereby providing clear and actionable recommendations/agreed actions which can be used to strengthen the organisation’s internal control environment.

Remember, communicating our results effectively is critical to the organisation, and using the Five Cs as a model provides internal audit with a framework to ensure key requirements for communication are met. Furthermore, using tools such as root cause analysis will help identify repeated findings across the organisation and add value through actions to address these weaknesses.

Further Reading

Effective Report Writing 

Root Cause Analysis

Performance Standards, International Professional Practices Framework

Content reviewed: 1 February 2023