A Hand Book On Internal Audit - Rajkumar S. Adukia
Audit Reports and Communication
7.1 Purpose of Audit report
7.2 Types of Audit Report
7.3 Format and content of audit report
7.4 Attributes of a report
7.5 Audit Reporting Cycle
7.6 Evaluation and Follow up
7.7 Specimen Internal Audit letter/report
7.1 Purpose of audit report
An audit report is the only output of the Internal Auditor’s work, which people outside the Internal Audit function get to see. It is a formal document summarizing the work done and reports the findings and recommendations. It is a means of communicating all of the auditor's work to management. The report must concisely present the total essence of the audit effort. Findings must be supported by sufficient evidence and be within the audit's scope and objectives. Each recommendation must fit the facts of the finding and materially reduce the potential risk as indicated by the facts of the finding. Each finding must be provable. It is not important what an auditor believes; the important thing is what the auditor can prove. Auditor beliefs, without proper documentation will not be carried to the report.
Whether audit report is a formally written document or an informal one it should have the following information:
7.1.1 Disclose findings: The report should present the findings both favourable and unfavourable in a concise manner so that the management can be apprised of the situation in an operation or segment.
7.1.2 Description of findings: Adverse findings should be described in detail. It could be internal control weakness or gaps or violations of procedures or any other audit concern.
7.1.3 Suggestions and Recommendations: the auditor should make some suggestions for prevention or correction of the deficiencies or gaps.
7.1.4 Documentation of plans and Views of auditee: The auditee may wish to provide clarifications on any of the issues reported or state the constraints or mitigating circumstances.
7.2 Types of Audit Report
With today’s technology and ever changing requirements, audit results can be reported in a wide spectrum of formats. Certain common approaches to reporting are presented:
• Oral Reports
• Interim reports
• Descriptive (regular) reports
• Summary audit reports
7.2.1 Oral Reports: Sometimes internal audit may want to report the results or any provide suggestions orally. This mode of communication should be supplementary to written reports. This mode might be used for reporting any findings, which may need emergency action, or as an oral presentation as a prelude to the formal written report.
It should not be used as a substitute for written reports as there are no permanent records other than meeting notes and misunderstandings may result unless detailed copious notes are taken.
7.2.2 Interim reports: When management or other recipients of report have to be informed of significant developments or problems for which prompt action needs to be taken, an interim report can be issued. Sometimes it is used to record the discussions in an oral presentation. The content of such a report is eventually included in the final report.
7.2.3 Regular reports: in most audit assignments a detailed descriptive report is given at the conclusion. The form and content vary widely in different assignments and different audit functions. A general format of such a report is given under “Form and content of audit report”.
7.2.4 Summary Audit report: Such reports summarise the audit report and describe the range of content. Such reports could be a summary of more than one report. They are usually prepared for audit committees or senior management who need to know the gist. The senior managers or managers with operating responsibility need to be given detailed report.
7.3 Format and content of audit report
The format of report would be guided by the company procedures and nature of work. A general format is suggested below:
7.3.1 Cover Page - A cover page showing the department name, audit title, audit number and audit date should be on each report. Lengthy reports may have an index.
7.3.2 Cover Letter - A letter should be written and signed by the Director /partner and made a part of the audit report. It will be as brief as possible.
7.3.3 Introduction - Describe the type of engagement (regular scheduled, special request, etc.) and the authority of the audit (agenda, special request). The name of the organization or activity being audited and provide any background information necessary. This can include nature and goals, volume or value, activities, location, staffing, etc. Refer to prior audits, if applicable, and discuss status of prior recommendations that have not been implemented, if necessary.
7.3.4 Statement of Objectives - The audit objectives are stated in the report and are the same ones that appeared in the detailed audit programme. The objectives should always be clear and concise and should correspond to the Audit Conclusions.
7.3.5 Statement of Scope - This section should describe the depth and coverage of audit work conducted to accomplish the audit's objectives. It would contain the calendar dates for the test work as well as a date for the evaluation of internal controls (if internal controls was evaluated), which would be the last day of the fieldwork. Include any significant information that the reader would need to know, such as a departure from procedures, data limitations, scope impairments or clarification of work performed.
7.3.6 Statement of Methodology - The statement on methodology should clearly explain the evidence gathering and analysis techniques used to accomplish the audit's objectives. For example, a description of audit procedures used and any sampling information would be included here.
7.3.7 Statement of Auditing Standards - The report should include a statement that the audit was made in accordance with auditing standards and disclose when applicable standards were not followed.
7.3.8 Audit Conclusions - The auditor must conclude on the stated audit objectives in the order in which they appeared in the report. The auditor should conclude in the negative or affirmative on each objective.
7.3.9 Findings and Recommendations - Each recommendation should be supported by a set of facts that make up an audit finding. The following is a brief discussion of the elements of a finding.
1) Facts - These are the conditions actually observed or that were the results of tests that were performed by the auditor. For complex issues, the background information and facts could be quite lengthy.
2) Criteria - A statement of the standards against which the condition should be measured. This should summarize the correct way of doing things and will be contrasted with the way things are actually being done. Some typical criteria are departmental or organizational policies or rules and regulations of the department/activity under audit. When specific criteria cannot be cited use "good business practice" or "internal control references."
3) Effect - This is also known as risk (either actual or potential). Describe or show the actual or potential effect on the condition. The risks could be inaccuracy, inefficiency, loss to assets. Provide a monetary value to the effect. If this is not possible, say so and emphasize the potential. Some of the risk areas could be:
a) Erroneous Record Keeping
b) Unacceptable Accounting (lack of an audit trail)
c) Business Interruption
e) Loss of Goodwill
f) Public Embarrassment
g) Loss or Destruction of Assets or Data
h) Misuse of Assets
i) Legal or regulatory repercussions
j) Excessive Costs
k) Revenue Loss
l) Competitive Disadvantage
4) Cause – The cause needs to be mentioned only when it is not obvious or it is something other than obvious one. For instance, where clerical errors have occurred, the cause may be the lack of training or a procedure manual rather than the obvious human error. This should be pointed out since it is at a management level.
5) Recommendations - Set out in simple, yet specific language, a remedy that management can follow to effectively correct the condition. In multiple part actions, a numbered step by-step solution assists in breaking down the recommendation into an easily understandable process. Emphasize that solutions other than those presented may be acceptable if it minimizes the condition stated in the finding. In some situations the necessary actions concerning our recommendations will be implemented before the final report is issued. Finally, always give management a business reason for implementing recommendations. Recommendations to comply with law must be implemented.
a. Auditee Responses - All recommendations will be followed by the auditee's response. Responses will be included verbatim.
b. Auditor's Comments - These comments are used as necessary to evaluate the quality of the auditee's written responses.
c. General Comments - This section is reserved for points of interest that are of lesser magnitude than findings, but of interest to management. Written responses from the auditee are not required for general comment items.
7.4 Attributes of a report
The audit report must be written in a neutral tone and flawless in its accuracy, logic, clarity, grammar and spelling. It is the only output of the auditor's professional efforts, which is seen by outsiders.
7.4.1 ACCURACY - Reports must be completely and scrupulously factual; every condition and recommendation must be based on evidence that is supportable in the work file. The evidence must be sufficient to support the findings and recommendations and at the same time, be in agreement with the stated objectives of the audit. Conditions reported must be well documented and the logic of the report inescapable. Statement of fact must carry the assurance that the auditor personally observed or validated (by testing) the fact(s). When conditions were not personally observed by the auditor but were documented through interviews with auditee personnel the fact should be made clear.
7.4.2CLARITY - Means making the reader understand what the auditor is trying to say while writing the report. The report must be clear enough that someone independent of the audit can read and understand it. Some impediments to clarity include:
• Dull and tedious writing styles.
• Poorly structured reports, recommendations, paragraphs or sentences.
• Technical terms and jargon.
• Making recommendations without properly setting the stage for them.
• Long discussions of technical matters.
7.4.3 CONCISENESS - This means cutting out what is superfluous. Eliminate what is irrelevant and immaterial. The content of the report depends on the report reader. Each group has its special needs and interests. The report cannot supply both sufficient details for the operating manager and a summary for the executive. The report is written for senior management. The Internal auditor can either provide a separate report to the operating management or details for the operating manager/supervisor can be provided upon request.
7.4.4 TONE - The report should be courteous and factual. Consideration should be given to the report's effect upon subordinate personnel and management. It should not be petty, but should sound like the voice of management. It is better to use simple words than high-sounding words. The report should be calm, objective, thoughtful and dispassionate. Always use the most direct, factual and objective word or phrase possible.
7.4.5 GRAMMAR AND SPELLING - All auditors are expected to use acceptable grammar, sentence structure and context. Additionally, spelling should be accurate.
7.5 Audit Reporting Cycle
It is desirable that during the course of the audit, a framework of the final report is developed so that the needed information is obtained on time. This will prevent delays in the report writing process. Important and sensitive findings should be shared with responsible managers immediately upon verification by the audit staff; memo reports may be used in this process.
As findings are completed, they are inserted in the proper sections of the report. The audit report is a process in itself, which starts with identification of findings, preparation of draft report, discussions of findings with the concerned people, management responses to audit findings and issuance of final report. An internal audit function may alter or skip any of the steps outlined below to suit its needs and purpose.
- Outline Audit findings
- Preparation of Audit report - First draft
- Discussion with client
- Preparation of Final Audit report draft
- Closing conference
- Issuance of Final report
- Outline Audit findings
a. Document all findings
b. Determine whether there is sufficient support for all findings
c. Determine whether there is pattern of deficiencies, which could mean procedural changes are required.
Preparation of First Draft
- The draft report should state that the findings, conclusions and recommendations set forth are preliminary in nature.
- The draft report should follow standard format.
- Ensure that figures and facts have been checked and cross-referenced to relevant workpapers.
- Review that the workpapers provide adequate support for items of significance
- Check for tone, spelling and punctuation.
- Issue report (stamped "DRAFT") to management for review.
Discussion with client
- Determine whether the management was aware of the issues and taking corrective action on the same.
- There should be no surprises - everything in the draft should have been discussed during the fieldwork.
- Be sure you can easily find supporting documentation for findings in the working papers in case questions arise at the meeting.
- Ascertain the causes for the deficiencies /problems. Find out whether there are any constraints or limitations for the shortcoming.
- Get the client comment on the draft report, and any inaccuracies or impractical recommendations resolved to the extent possible.
- Get management’s agreement on the facts and wording of the report.
- Ask management for written responses (give specific due date for responses).
Preparation of Final Audit report
- Ensure that management’s/auditee’s viewpoint has been considered.
- Determine whether the report is well written and in a manner that all intended recipients may understand.
- Ensure that audit staff who wrote the report agree with the changes made.
- Make sure that management’s /auditee’s viewpoint has been rightly stated and adequately rebutted, if necessary.
- Provide the management or appropriate staff adequate opportunity to study the report.
- Departmental administrators and managers have the opportunity to informally provide additional information, question findings, or challenge conclusions. On the basis of those discussions, the final report may be modified.
- Try to anticipate potential questions/conflicts.
- Inquire from the managers or appropriate staff whether they have any questions about the opinion or background or the audit process.
- Normally, only the administrators of the department being reviewed attend the closing conference to allow the parties most affected by the report to more freely and confidentially express their views, and to ensure the accuracy of the final audit report.
- Obtain current plans of follow up from the management /auditee.
Issuance of Final report
- The final report should include modifications and changes discussed and agreed to at the closing conference, if held, in addition to the auditee's written responses.
- The auditee's written responses will be reviewed by the staff auditor and the Audit Supervisor and evaluated in writing, if necessary.
- When differences of opinion persist even after the final draft, the report will be issued although it may be modified to reflect the position of the audited department or higher-level management. The differences should then be addressed in the component's written response to the final audit report.
- Before release, the report will be signed by all those responsible for the audit, which would normally be the Audit Director, Audit Supervisor and appropriate staff auditor.
- All changes to the report must be documented in the work file and signed off on by the staff auditor, Audit Supervisor and the Audit Director.
- Try to provide a balanced presentation by including departments' or units' notable strengths to credit staff for correcting past deficiencies and to recognise superior management.
- Make a final reading of the report for content, clarity, consistency and compliance with professional standards.
- File final report in project binders and cross-referenced to supporting working papers; provide explanations for comments deleted or changed significantly since original draft.
Dissemination of report
- The persons to whom the report is to be delivered will vary from organisation to organisation and from one assignment to another. Some of the recipients could be the Corporate Vice President, for Administration or the Vice President for Business and Finance, the Department Head, the CFO, the CEO, the Board of directors and the Audit Committee.
- In some organisations the BOD and the Audit committee may be presented with sAudit Committee with periodic summaries of audit findings, with access to summaries or full reports if requested.
- In certain organisations the report is published on the website. In that case, Copy the report file to the share drive for eventual publication on the web page. Take the original paper copy of the letter to the management and the signature page from the report to the webmaster. Those two pages will be scanned and converted into a PDF format document and inserted into the report posted on the share drive.
7.6 Evaluation and Follow up
At the completion of each audit, the cognizant audit manager will send an evaluation survey form to the primary clients of the audit. These should be completed and returned to the Director of Internal Audit, in order to ensure continuous improvement of these procedures and the internal audit function.
After receiving the response determine whether responses address the issues described in the findings, promise action that will correct the weakness reported, and include a reasonable completion date.
7.6.1 Follow up
Each organisation /department may have its own time limits for replying to the report and the internal audit department may have its own rules for follow up. Some internal audit function may conduct a follow up after six months or one year to and ascertain the status of open recommendations. Internal auditors should follow up to ascertain that appropriate action is taken on reported audit findings.
Internal auditing should determine that corrective action was taken and is achieving the desired results, or that management or the board has assumed the risk of not taking corrective action on reported findings.
A follow up report will be generated annually for distribution to Senior Management and the Audit Committee.
7.7 Specimen letter/report
7.7.1 Audit report cover letter
<On the letterhead of Chartered Accountant >
Report No. <Number>
CEO, <Company Name> Limited
Dear Mr. <CEO>
The audit team has concluded an operational review of the internal control structure and the recently implemented financial system SAP. The objective of our review was to evaluate controls in the financial system, compliance with policy & regulations and the effectiveness and efficiency of the current organisation authority structure.
The review covered operations of the period <date> to <date>. Please find enclosed two copies of the Audit Report of <Company Name> Limited completed on June XX, 200X. I am pleased to inform you that the review found that the financial department is well managed with generally good controls. However, controls need to be strengthened in few areas and documentation policies need to be more strictly enforced for travel expenses. A summary of the most significant audit findings are provided in Part II of the report.
The company must respond in writing to each audit finding. The proposed Corrective Action Plan should detail both short term corrective action to correct the specific deficiencies cited and, where applicable, long term corrective action. Long term corrective action should focus on modifying the system to prevent recurrence of similar deficiencies in the future.
We wish to express our appreciation for the co-operation extended to the audit team by you and your staff during the audit.
Membership No. <number>
7.7.2 Specimen Internal audit Report
AUDIT NAME :
AUDIT REPORT :
Scope & Objectives
EXECUTIVE SUMMARY :
INTERNAL AUDIT OPINION :
DETAIL REPORT INCLUDING AUDITEE RESPONSES :
AUDIT NAME :
Present audit status -
Recent past audits -
External audit coverage –
Scope & Objectives :
The scope of the (audit or review)
The scope statement should be brief and should include the timing, type and purpose of the work and the standards used when conducting the audit. Types of audits or reviews are financial, operational, compliance and EDP.
(E.g., The scope of the audit was financial and operational in nature. This routine audit was conducted on AAA Foods Limited during the period of (month) (year). The audit covered the period from dd-mm-yyyy to dd-mm-yyyy . The audit was performed to ensure that financial data was properly recorded and adequate operational procedures exist in all the operational areas. The audit was conducted in accordance with the applicable Accounting & Auditing Standards. Included reviews in the following areas:
a) Royalty payments;
b) Rent received from sub tenants;
c) Compliance with Food safety and hygiene regulations ;
d) Cash receipts; and
e) Credit card receivables .
The last day of fieldwork was ___________________.)
The objectives of the audit were as follows:
· Determine that cash receipts were recorded correctly as to account, amount and period and are deposited promptly (recording, safeguarding).
· Verify that credit card receivables were correctly accounted, applied and payments received from the credit card company.
· Determine whether food safety inspections have been regularly carried out at various locations and appropriate hygiene levels are maintained.
· Review inspection reports- internal and external and steps taken to correct shortcomings, if any.
· Whether royalty has been calculated correctly and has been paid to the brand owners timely.
· Whether contract has been drawn up with sub tenants and floor space, rent and facilities has been has been agreed upon.
Note: Audit is used in the report when actual tests are performed to corroborate the opinion. Review is used in the report when no tests are performed to corroborate the opinion. Comment should speak directly as to what was done, i.e., if a test was performed, the word test should be used. If a review was performed, the word review should be used.
Company - General
AAA Foods Limited
Provide information on background of company and its operations .Provide details of functions and personnel in departments. Mention whether any major change in the organisation since the last audit. (E.g. the company has opened new food centres at 12 more locations. The staff strength has risen to 15,000. The company is now undertaking a massive exercise to centralize its processing and accounting at the main office).
Mr. R. Xyz, senior partner of XYZ associates was in charge of the audit. The audit was conducted in accordance with auditing standards and policy & procedures detailed in the AAA Food Limited’s manual .These techniques included interviews with key personnel, review of approved documents, sampling of relevant files, and random inspections throughout AAA Food Limited’s system.
The audit entry meeting was held in AAA Food Limited’s main office on <date>. During this meeting, the audit manager briefed the operator’s management on the audit process and the team's audit plans. The officials of the company were regularly updated on audit progress and of all audit findings submitted. The audit was completed and the exit meeting was held in AAA Food Limited’s main office on <date> with the senior officials namely<name>.
Corrective Action Plan
Audit Findings identify a situation where a company policy, procedure, or activity does not conform to policies & procedures specified in the company’s internal audit manual or to the applicable regulatory standard. The company must respond in writing to each audit finding, detailing short term corrective action to correct the specific examples listed, and long term systemic corrective action to prevent recurrence of similar situations.
XYZ Associates will monitor implementation of AAA Food Limited’s Corrective Action Plan through the audit follow-up process.
Purpose & Limitations
The executive summary is intended to provide an overview of the audit process, and summarise the significant findings (discussed in the detailed audit report) and the conclusions reached. The reader should not frame an opinion solely on the basis of this summary. The detailed report should be read to obtain the complete understanding of the background, ramifications, and recommendations.
The audit examined AAA Foods Limited’s operations and finance divisions using applicable checklists referenced from the Internal Audit Manual. A total of xx operations and xy finance audit findings are reported. . These findings identified examples of non-conformance to the standards, regulations AAA Foods Limited’s policies or procedures. A number of the findings were administrative in nature and can be easily corrected, whereas others were systemic and will require particular attention to ensure that corrective actions are effective in addressing the identified system faults.
As discussed more fully in our opinion on page ______ of this report,
· List a summary of each finding (without ramification/implication statement). Cross reference to detail section of report.
INTERNAL AUDIT OPINION
In our opinion, we found the _________________________________ to be adequate, or inadequate (detail of inadequacies to follow the word inadequate).
We have identified opportunities to improve the controls of the (offices/areas/departments) involved in the... as discussed in this report.
(E.g. In our opinion, we found the financial transactions were properly recorded and the operational procedures adequate for the period under audit. However, there is still some scope for improving operating efficiency and effectiveness which are discussed in this audit report.
In our opinion, we found the financial transactions to be properly recorded, but the operational procedures inadequate for the period under audit. We have made some recommendations on improvement of efficiency and effectiveness of certain operating procedures as discussed in this audit report.
The areas requiring immediate attention are: <area>, which currently lack some essential elements; <area>, which require a detailed system to ensure that all requirements have been met; and procedures to monitor and report on <area> activities.
The above deficiencies notwithstanding, the review revealed that AAA Foods Limited is maintaining strict quality control standards and that a knowledgeable, competent management team has been assembled to oversee its staff and employees that have the ability and desire to operate within the regulatory framework. The company’s response upon learning of any deficiency was immediate and indicative of their focus on quality control.
Pages X through XX outlines the specific findings resulting from our substantive audit testing. These issues are discussed in detail in our report and are categorized first on the basis of departments .Within each division, the major primary findings (significant internal control deficiencies and items potentially having a significant or adverse effect on the unit’s operations) are mentioned first and then other matters (items of a lesser nature requiring attention, but not likely to have a significant or adverse effect on the unit’s operations).
Insert summary of the finding included in the Executive Summary
Insert summary of the finding included in the Executive Summary
Other Pages from This e-book
Foundation of Internal audit | Types of Internal Audit | Managing the Internal Audit Function | Audit programme and procedures | Computer Assisted Audit Techniques | Audit Work papers | Audit Reports and Communication | Internal audit and corporate governance | Appendices | Other Publications | About Publisher | About the Author