Internal Audit Report writing constitutes the most critical and significant component of any internal audit assignment regardless of the size, location and complexity of business, process or department audited.
The end result of an internal auditor’s work is the Internal Audit Report. The internal audit team may have worked for days and months together on completing an audit assignment and may have identified critical control lapses, processes not followed correctly or other issues which could lead to loss of time, money, manpower, etc. These now need to be presented to key stakeholders and Internal Audit Report is the only way to highlight the work done and the value the Audit will bring to the organization.
What is an Internal Audit Report?
Standard 2400 of the International Professional Practices Framework (IPPF) 2013 states that the Internal auditors must communicate the results of the engagements
Thus, going by the above standard, an Internal Audit Report is a document provided by the internal audit department communicating the results / outcome of the engagement to key stakeholders. It is also an important document to agree action plans and timelines with the auditee in order to remediate the finding or potential improvement area.
Components of an Internal Audit Report:
Before delivering an effective audit report, it is of utmost importance to have a broad view of the major objectives and recipients of relevant assignment.
Once the objectives, scope and recipients of the internal audit report are known, drafting an audit report will be simpler and will ensure that relevant outcome is gained.
Standard 2410 of the IPPF 2013 states the criteria for communication. Communication must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.
Thus, going with the above standard, it is mandatory that the following sections are part of the internal audit report:
- Objectives: Any audit engagement is done keeping in mind the major objective(s). Objectives define the intended outcome to be achieved as a result of the audit. These objective(s) are either a result of a risk based assessment, instructions received from Audit Committee or Senior Management. The objective(s) should be clearly stated in the internal audit report.
- Scope of Audit: Every audit engagement has certain set parameters i.e. scope of the audit, this should be clearly highlighted in the report. Further limitation to scope if any should be clearly highlighted. Scope should also include, period covered, documents verified, etc. during an audit. Thus, scope of an audit basically defines the depth of an audit engagement.
- Detailed Observations / Findings: This section should cover the detailed finding revealed during the course of audit. This section should commence with a brief title of the observation and then followed with the detailed narration. Factual information in figures, amounts, quantity, etc. should be reported here or as part of an Annexure to validate the observation thereby emphasizing the impact of this observation / finding. It is also beneficial to add the sample verified out the total population so that a relative analysis is known thereby enhancing the flavor of the observation. E.g. we verified a total of 100 vouchers out of 1000 and observed that for 50 vouchers the supporting documents were improper. Thus, there existed an error rate of 50%. Risk involved should also be clearly stated in order that the reader can associate with things that may go wrong if observations/ findings are not rectified.
- Recommendations: These are suggested corrective action plans that the internal audit department recommends the audit management team to execute so that the impact of the observations highlighted are reduced / mitigated. They call for action to existing conditions or improve operations. These recommendations may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. The recommendations should generally be specific, identify the person who should take action, and very brief and precise.
- Action Plans / Auditee’s Comments: These are the corrective action that the auditee agrees and plans to execute to mitigate or control the finding identified. If the auditee agrees to accept the risk and decides not to take any action, then such comments should be mentioned in this section. These action plans forms an input for the follow up audits in future to ensure that agreed action plans were executed or not. Action Plans should also clearly include timelines and action owners.
Apart from the mandatory requirements in the audit report, there are other sections that can be added to the internal audit report for better presentation. These being as follows:
- Header Page: This is the cover page of the internal audit report. It generally should give the Company’s Name, Address, Contact Details, Name of the Assignment, Month in which audit report is issued, etc.
- Cover Letter: This is the first page of the internal audit report. It should generally include the addressee’s details on the top (left hand side). The Cover Letter should outline the subject of the audit report and the type of audit (Compliance, Financial, Operational, and Investigative). It should also include a briefing about the review conducted, intended recipients, any restrictions on the contents or circulation, the signature of the signing authority from the internal audit department and date. The cover letter can also include a statement stating that the engagement was conducted in conformance to the International Standards for the Professional Practice of Internal Auditing.
- Table of Contents: This is generally the subsequent page after the Cover Letter page. It contains a brief title of the each section and sub-section forming part of the internal audit report along with the relevant page numbers for easy reference.
- Introduction: A brief introduction / background of the assignment conducted such as department, process information, its linkage to the strategic objectives of the entity, its significance on account of its failure, manpower involved, etc. can be provided in this section. This section can be at the beginning of the report before the start of the scope and objectives.
- Executive Summary: An executive summary is a brief section before the commencement of detailed audit report it summarizes the findings, recommendations and action plan in minimal text. The idea of having an executive summary to briefly summarize all the observations of an assignment and give an overall opinion of its risks to the entity. It is to give a macro view of the assignment and the risk it carries to the Company’s business. This section should not just highlight the non-conformities only but also should include the positive points so as to give equal credit to the process audited. Any scope limitations and disagreements during the audit with the auditee should also be clearly highlighted. It can end with an overall conclusion/ opinion.
- Degree of Significance of Findings: The observations highlighted also should be supported with the degree of its significance. Generally they are of three types: (Major, Moderate and Insignificant). These classifications are generally based on the best judgment of an internal auditor and may vary from person to person. The criteria to rate any observation should generally be based on the impact and criticality of the finding highlighted. The definition for each of these criteria is given below:
- Major: Where a devastating effect can happen to the process based on the finding highlighted due to which continuity of operations can be disrupted tremendously.
- Moderate: Where a significant effect can happen to the process based on the finding highlighted due to which short term continuity of operations is possible but long term sustainability of the operation might be difficult if rectification / controls are not tightened.
- Insignificant: Where there would be very minimal effect to the operations under review and no major impact is expected. Nevertheless, rectification to the operations is required so as impact on it is not worsened and remains under control.
Essentials of writing an effective Internal Audit Report:
Any internal audit report should contain 5 elements to be effective and deliver the right message to its audience. These 5 elements are also known as 5Cs:
Criteria: These are the standards / benchmarks as defined and used for making an evaluation, testing or verification. It can be in the form of a policy, procedure, guidelines, rule, mandate, circular, etc. A question to ask here is: “What should exist?”
Condition: It is the factual evidence that was observed during the course of audit. A question to ask here is: “What does exist?”
Causes: This defines the reasons for difference between the expected and actual conditions. A question to ask here is: “Why did the problem occur?”
Consequence: It is to state the risk or exposure the entity could face if the condition is not consistent with the criteria. A question to ask here is: “What is the risk / negative outcome because of the finding?”
Corrective Action: It refers to the action recommended to correct conditions to improve operations and may include suggestions for enhancing performance. The question to ask here is: “What should be done to rectify this error?”
Apart from the above essential requirements for internal audit report writing, there are some further guidelines which can be observed for drafting any audit report, adherence to which can bring out a more qualitative and effective audit report. These guidelines being:
Precision: The observations noted should be precise. Redundant phrasing and inexact terminology should be avoided. A thumb rule can be made that the sentence in the audit report should not exceed more than 15 to 18 words. Further, ambiguous words can be avoided such as reasonable, key, etc.
Consistency: Terminologies used in the audit report should be consistent throughout the report. E.g. if the word “Human Resource Management” appears in the report, it should be used consistently. Thus, substitute words e.g. Personnel Management should be avoided.
Avoid Passive Voice: Passive voice is a dull and difficult way of reading any document. The audit report should be free from such sentences which seems challenging for the reader to grasp. E.g. instead of reporting “Based on the information available, no irregularity in operation was found”, it can be said “The audit team did not any evidence of irregularity in the available information”
Internal Audit Report is the end result of an internal auditors’ hard work. It takes a lot of practice to write clear, concise and actionable audit reports. As it is said “Practice makes a man more perfect”. Thus, taking every opportunity in writing the audit reports, reading other audit reports and reading and understanding the relevant Internal Audit Standards and Practice Advisories will help in improving the skills of drafting and producing useful and effective audit reports.