INTERNAL AUDIT REPORT, REPORT REVIEWS AND REPLIES

DEFINITION

Internal audit report

It is a formal document in which internal audit summarizes its work by

reporting its observations and recommendations.

It is a major vehicle by which to describe the internal audits activities for

people both inside and outside of the enterp rise.

According to Sawyer, Reports are the auditors opportunity to get managements

undivided attention.

OBJECTIVES OF AUDIT REPORT

1. To assure management that business risks are well controlled

2. To alert them to areas where this is not the case and there are defined risk
exposures
3. To advise them on steps necessary to improve risk management strategies
4. To support action plans prepared by client management

FOUR BASIC COMPONENTS OF AN INTERNAL AUDIT REPORT

1. Objectives, timing, and scope of the review

It answers the question, Why internal audit launched the review?

Objectives broad statements developed by auditors and define intended

audit accomplishments

Timing refers to the period/date when audit procedures are performed and
to which the audit evidence applies

Scope a statement that specifies the focus, extent, and boundary of a

particular audit

2. Description of findings
It answers the question, What internal audit found to be wrong and why is it
wrong?

Based on the conditions observed and found during the review, the audit
report should describe the results of the audit.

1 | Page
 5 COMPONENTS OF AUDIT FINDINGS (5 Cs)

a. Criteria : the correct state

b. Condition : the current state
c. Cause : reason for occurrence of condition
d. Consequence : the impact of the difference
e. Corrective Action : the recommendation

3. Suggestions for corrections

It answers the question, What should be done to correct matters?

Audit reports should include recommendations, based on the findings, for

correcting the conditions and their causes.

4. Documentation of plans and clarification of views of auditee

It answers the questions, What will be done by the auditee?

The auditee may wish to state mitigating circumstances or provide

clarification of issues for any reported matters in disagreement.

ALTERNATIVE AUDIT REPORT FORMATS

1. Oral Reports

This mode might be used for reporting findings requiring emergency action,
or as an oral presentation, or as a prelude to the formal written report.

Such reports should only be supplementary and not a substitute to written

reports.

2. Interim or informal memo reports

Such reports are issued when the management has to be informed of

significant events or problems requiring prompt action.

A memo report should be used, at a minimum to describe the results of an

oral presentation.

THREE MAIN USES

1. They force the auditor to build the report as work is progressed.
2. They keep the audit manager up to date and allow interim reviews of work
performed
3. In this way they may be given to the client and so act as a continuous
report clearance device as well as bringing the client into the audit process
itself.

3. Questionnaire-type audit reports

2 | Page
 This type of report can be a useful interim summary to the formal audit report
or serve as an appendix to the formal report document.

4. Summary and significant finding audit reports

This report summarizes the various individual reports issued, any significant
findings, and the range of their content.

IMPORTANCE OF AN INTERNAL AUDIT REPORT

An auditor's report is considered an essential tool when reporting financial

information to users, particularly in business. An internal audit report helps the
management in decision making purposes because they depend their decisions and
actions based on the findings of the internal auditor.

USERS OF AUDIT REPORTS

FOR INTERNAL AUDIT REPORT:

The Audit Committee / Board

The Management
The External Auditors

The Audit Committee or the Board

o to facilitates audit follow-up.
o Evidence for auditor performance evaluation.
o Summarizes results of the audit work.

The Management
o Facilitates corrective action.
o to gain support of higher management.
o Serves as window in to operation for busy managers.
o Means to evaluate operating performance.
o Source of objective information about controls and operations.

The External Auditors

o Evaluation of the internal audit function.
o Examination of items already examined by the internal auditors.
o Observation of procedures performed by the internal auditors.

FOR EXTERNAL AUDIT REPORT:

The Shareholders
The Potential Investors
Creditors

The Shareholders
o to see if the company is progressing.
o If the money they have invested is properly utilized.

3 | Page
The Potential Investors
o Would it be of any worth if they will invest in the company?
o Is it a risky company?

Creditors
o How well the company is doing?
o Bankruptcy and going concern issues.

QUALITIES OF A GOOD AUDIT REPORT

Accurate
Objective
Clear
Concise
Constructive
Complete
Timely

STRUCTURE OF INTERNAL AUDIT REPORT

INTRODUCTORY PAGE
EXECUTIVE SUMMARY
AUDIT FINDINGS
RECCOMMENDATIONS
AUDITEES RESPONSE OR MANAGEMENT RESPONSE

INTRODUCTORY PAGE

ELEMENTS OF INTRODUCTORY PAGE

Title of report and objectives of review.

A brief, definitive title tells the reader what is contained in the audit report and is
also useful for various summary reports.

Report addressees and carbon recipients

An audit report should always be addressed to the one senior-level person
responsible for addressing report
findings, often someone usually at least one organizational level above
the auditee.

Audit scope and date of the fieldwork

Usually included with the statement of audit objectives is some abbreviated
information on the general scope of the audit and the approximate date of the audit
fieldwork.

4 | Page
 Locations visited and timing of audit.
The report cover page should clearly state when the audit fieldwork was performed
and also mention the locations visited.

Audit procedures performed.

A brief paragraph describing the audit procedures performed is often very helpful
to the report reader.

Auditors opinion based on the results of the review.

An internal audit report should always have some fairly general assessment of the
overall adequacy
of the controls or other concerns in the area reviewed.

EXECUTIVE SUMMARY

An executive summary is a brief section at the beginning of a long report,

article, recommendation, or proposal that summarizes the document .

EXECUTIVE SUMMARY SUMMARIZES:

SCOPE AND OBJECTIVE

AUDIT FINDINGS AND RECOMMENDATIONS
MANAGEMENT RESPONSE

Summary must answer these questions:

Briefly, what is this about?

Why is it important? or Why was it undertaken?
What are the major findings or results?
What more is to be done? or] How will these findings be applied?

Alternative approaches to developing and issuing internal audit reports

Audit reports with encyclopedic coverage

Description of the audit procedures performed.
Detailed explanations of audit findings
A highly summarized report.
Focus on significant issues

AUDIT FINDINGS

5 | Page
AUDIT REPORT FINDINGS SHOULD CONTAIN

Statement of conditions
- The first sentence in a report finding should summarize the results
of internal audits review of the area of concern.

What was found?

- The finding should discuss both the procedures and the results of
those procedures.

Internal audits criteria for presenting the finding

- Audit findings should always have a criterion, or a statement of
what should be used in judging the statement of condition.

Criteria of extremes
Clearly inadequate or outstanding performance is relatively easy
to appraise.

Criteria of comparables
Comparisons can be made between similar operations or
activities, determining their success or lack of success and
causes for the differences.

Criteria of the elements

In some cases, internal auditors incorrectly state their
performance criteria with such broad terms that it is impossible
to evaluate the reported condition.

Criteria of expertise
In some cases, internal audit may find it useful to rely on other
experts to evaluate an activity.

Effect of the reported finding

- Internal audit should always consider the question: How important?
when deciding whether to include an item in the audit report.

LEVELS OF EFFECT
DIRECT, ONE TIME EFFECT ON THE PROCESS
CUMULATIVE EFFECT ON THE PROCESS
CUMULATIVE EFFECT ON THE ORGANIZATION
HIGH LEVEL, SYSTEMATIC EFFECT

Cause or reason for the audit deviation

- The answer to the question: Why? Is especially important to
management when reading an audit report.

6 | Page
 TYPES OF CAUSE
o CONTIGUOUS- the action or lack of action that led
directly to the condition.
o TRANSITIONAL- the cause or causes that led to the
approximate cause.
o CORE- underlying cause.
Internal audits recommendation
- Audit report findings should conclude by recommending
appropriate corrective actions.

Recommendations

Types of Recommendations

Cause focused Address actionable causes; identify and

describe what is to be done to prevent recurrences of the
condition.

Condition focused address the condition identified and

describe what will be done to correct the condition.

Recovery-focused address the consequence of the

condition and describe what will be done to correct errors
caused by the condition.
.

TECHNIQUES TO PROVIDE BETTER AUDIT REPORT BALANCE

Provide audit reports with perspective.

- Internal audit should avoid the temptation to cite only those factors
that support its conclusions and to ignore those that distract from
them. Perspective is always added when listing the monetary effect
of a finding as well as the value of the entire account under review.
Report Auditee accomplishments.
Show planned actions.
- In situations where the auditee has taken, or has made plans to
take, corrective action prior to the completion of the audit, the audit
report should disclose this fact.
Report mitigating circumstances
- Mitigating circumstances generally consist of factors relating to the
problems or conditions discussed in the audit report over which
management has little or no control.

Include the audit responses as part of the audit report.

7 | Page
 - Auditee responses to a finding may contain information that
provides additional balance to an audit report.

Improving audit report tonal quality

- The use of positive and constructive words and ideas rather than
- negative and condemning language will give the report a positive
tone.

Alternative approaches to developing and issuing internal audit reports

Audit reports with encyclopaedic coverage

Description of the audit procedures performed.
Detailed explanations of audit findings
A highly summarized report.
Focus on significant issues

HOW TO WRITE AUDIT REPORT

The Audit Report is a process itself, which starts with:

1. Identification of Audit Findings
2. Preparation of first draft report
3. Discussions draft:
4. Exit meeting and Formal Draft
5. Final Report

Part I. Preparing to write an Audit Report

1. Learn the different types of Audit

Financial Audit
Operational Audit
Compliance Audit
Investigative Audit

2. Understand the basic goals of all audit reports.

Illustrating non-conformities
Outlining positives
Opportunities for improvement

3. Learn the types of all audit opinions.

4. Think about who will be reading the report.

Who will be reading your report, and what is their scope of knowledge on the
language you will use? An audit report is an official record of an audit project, so it
will likely be returned to in later years for re-audits. Define all the terms and

8 | Page
abbreviations you use, as the standard forms of communication have potential to
change.

Part II. Beginning your report

1. Know the style of audit reporting before you begin.

Provide perspective for the reader, Be precise, and avoid redundant phrasing
and inexact terminology.
Do not use passive voice.
Use bullet points.
Use gender neutral terms.
Do not use audit buzzwords.

2. Outline your audit report.

Determine if there is sufficient support to warrant the audit findings.

Review to determine where additional evidence may be needed.
Ascertain that all audit finding causes and effects of findings are considered.
Determine whether there is a pattern of deficiencies requiring procedural
changes or whether the findings appear to be isolated cases.

3. Write your Introduction.

Review findings drafts for adequate development.

Ascertain whether the findings are stated in specific rather than in general
terms.
Assure that all figures and other facts have been checked and cross-
referenced in the workpapers.
Review workpapers supporting all findings for adequacy of support and
disclosure of Items of significance
Check for adequacy of tone, punctuation, and spelling.
Ascertain whether there is sufficient support for the expression of the
auditors opinion or whether a qualification is needed.
Determine whether the cause, effect, and recommendations are adequately
developed.
Discuss methods of improving content and writing style with internal audit
team.
Prepare draft report clearly marked DRAFT.

4. Follow with the Purpose and Scope Methodology.

Why was the audit conducted?

What was included and not included in the audit?
What was the time period audited?
What were the audit objectives?

9 | Page
5. Continue onto the Statement on Auditing Standards.

Why was the audit conducted?

What was included and not included in the audit?
What was the time period audited?
What were the audit objectives?

6. Write the Executive Summary.

A brief description of what was audited, objectives, scopes, and time periods.
Statements of significant action plans.
Overall statements of concerns and conclusions.
Overall audit report rating.

Part III. Writing Your Results and Recommendation

1. Write an opening statement for your findings/recommendations section.

An audit report typically ends with results from the audits and recommendations
for improving the entity audited. Results and recommendations are the foundation
of a good report. Before you begin writing this section, provide a brief opening
statement that outlines the information you will be providing.

2. Understand condition, criteria, cause, and effect.

Criteria is an explanation of management goals and the standards use to

evaluate the program, function, or activity audited.
Condition is how effectively department management is meeting goals and/or
achieving standards. Goals can either be fully achieved, partially achieved, or
not achieved.
Cause is a statement on the reason things have gone well or poorly.
Possibilities include inadequate procedures, procedures not being followed,
poor supervision, or unqualified employees.
Effect states the result of the conditions, in quantifiable terms. Is the effect
increased risk or exposure? Is it monetary cost? Is it poor performance? This
should be addressed when you cover effect.

3. Make effective recommendations.

Be positive
Be specific
Identify who should act

4. Follow proper format

Include a cover page. The cover page should be three or four lines, and
outline the subject of the audit report and the type of audit.

10 | P a g e
 A memo should follow the cover page. The memo should be one or two short
paragraphs overviewing who and what was audited, who has received or is
receiving the report, and plans for future distribution.
A table of contents follows the memo, and it contains a catalogue of
chapters, page numbers, sections, and suggestions of the audit.
The report should be written in plainly-worded, non-technical language and
use proper grammar and paragraph organization.
Reports are organized by chapters, each with a title, and by sections and
subsections, each marked with a heading. Headings should go from general
to more specific.

Audit Reports: Follow-Up and Summary

Internal audit should schedule a follow report once the final audit report has
been issued.
Internal audit should play only a limited, specific role after the audit report
has been released.
Internal audit has a responsibility to produce audit reports that are readable,
understandable, and persuasive.
Internal audit receives a final payoff in its knowledge of the action taken by
auditees based on the internal report recommendations.

Audit Report and Workpaper Retention

SOX rules require that all audit-related records must be maintained for a
period of seven (7) years.
All paper-based audit reports and supporting workpapers should be deposited
in a secure corporate records storage facility.
Computer-based digital records and supporting papers can be supporting
materials in litigation or even government legal actions.

Effective Internal Audit Communications Opportunities

2400 - Communicating Results

Internal auditors must communicate the results of engagements.

Effective communication both on person-to-person basis and with larger

groups is a key component to internal audit success.
An internal auditor should have a good understanding of the problems
associated with effective communications and how to cope up with them.
Both parties in communications- especially the main activator- learn from the
questions and comments made by the receiver in response to a series of
messages.
The varying needs of people relate alternatives to competition, conflict, and
cooperation.

11 | P a g e
 Internal audit communication problems affect all steps in the communications
process and include:

1. Not giving proper consideration to the power relationships of message

senders and receivers.
2. Ignoring temporary emotional stress by either the sender or receiver.
3. Failing to properly evaluate the capacity of the recipient to receive and
understand the message.
4. Use of words that can have multiple meanings or can convey unintended
meanings.
5. Undue haste in the transmission of messages that undermine clarity and/or
credibility.
6. Perception that the sender wishes to satisfy personal needs, thus inducing
emotional resistance and blocks.
7. Failure to build needed foundations for the core message and related bad
timing.
8. Lack of clarity or conviction because of a reluctance to cause the receiver
dissatisfaction.
9. Impact of nonverbal actions, such as tone of voice, facial expressions, and
manner of communication.
10.Not giving consideration to the perceptions and related feelings of the
recipient.

Communication skills every Internal Auditor should have:

1. Receiving (receptive) skills

2. Sending (expressive skills)
3. Non-verbal communication skills
4. Managing the process

12 | P a g e
 RELATIONSHIP OF INTERNAL AUDITOR WITH EXECUTIVE
MANAGEMENT AND EXTERNAL AUDITORS

A. RELATIONSHIP WITH EXECUTIVE MANAGEMENT

INTERNAL AUDITOR REPORTING LINE

The IIA states that the Chief Audit Committee (CAE) should report functionally to the
audit committee or its equivalent. It also says that the CAE should report
administratively to the chief executive officer of the organization. Finally, the
guidance says, the chief financial officer, controller, or other similar officer should
ideally be excluded from overseeing the internal audit activities even in a dual role
(with the CAE reporting functionally to the audit committee).

According to the IIA's Practice Advisory 1110-2, report functionally means that the
governing authority would:

Approve the overall charter of the internal audit function, the risk
assessment, and the related audit plan;

Receive communications from the results of internal audit activities or

other matters that the CAE determines are necessary, including private
meetings (executive sessions) without management present;

Approve decisions regarding the appointment or removal of the CAE

including approving the annual compensation and salary adjustment of
the CAE; and

Make appropriate inquiries of management and the CAE to determine

whether there are scope or budgetary limitations that impede the
ability of the internal audit function to execute its responsibilities

In contrast, administrative reporting is the reporting relationship within the

organization's management structure that facilitates the day-to-day operations of
the internal audit function. Administrative reporting typically includes:

Budgeting and management accounting;

13 | P a g e
 Human resource administration, including personnel evaluations and
compensation of department staff;

Internal communications and information flows; and

Administration of the organization's internal policies and procedures.

Senior Management
Managers at the highest level of a company or organization, considered as a group.

Operational Management
Its task is to oversee and control the day-to-day operations of a business that
manufactures or sells goods or provides a service.

Audit committees
Responsible for the overall management of the auditing process and the auditors

B. RELATIONSHIP WITH EXTERNAL AUDITOR

Responsibilities of Internal Auditor

Internal Audit is a service to management. Its functions include examining and

evaluating internal control and providing assurance to the management. It is a part
of the organisations system of internal control and its scope includes ALL aspects of
internal control, not just financial control.. The scope of internal audit is much wider
than statutory/external audit. It should ideally cover all the organisations activities.
They include:

Financial audit accuracy, completeness and fairness of financial statements

Operational audit- effectiveness and efficiency of operations

14 | P a g e
 Safeguarding of assets

Review of projects

Management audit

Fraud detection- developing fraud exposures for every audit and detecting
red flags

Review of effectiveness of internal controlCompliance with laws, regulations,

policies and procedures

Preservation of ethical culture monitor the ethical climate and report on red
flags that may compromise ethics

Providing advise on reducing waste or inefficiency

Responsibilities of External Auditor

External auditors have to express an opinion on accuracy and fairness of financial

information. An external audit programme encompasses a full-scope financial
statement audit, an attestation of internal controls over financial reporting, or other
agreed-upon external audit procedures.

A typical report includes inter alia, information on:

Whether they have obtained all the necessary information

Whether the companies has kept all the requisite books of accounts

Whether the financial statements are in conformity with books of accounts

The financial statements present a true and fair view of the state of affairs

Proper records for assets, inventory, loans etc. have been maintained by the
company

Adequacy of internal control procedures

Existence of internal audit system commensurate with nature and size of

business.

Details of statutory dues and matters under litigation.

Benefits of coordination between Internal & External Auditor

15 | P a g e
 Varied strengths increase effectiveness

Increase in efficiency

Better audit coverage

Cost reduction

Better understanding of each others work

Building cooperation between Internal & External Auditor

Approval

Commitment

Communication

Trust

AAS 7- Relying upon the work of internal auditor

Relationship between internal and external auditor

Though the primary objective is different for both the auditors, some of their
means are same and the work of internal auditor may be useful to the
external auditor in determining the nature, extent and timing of procedures
to be performed

The external auditor should evaluate the internal audit function before relying
on the work and adopting less extensive procedures

The internal auditor cannot have the same degree of independence as the
external auditor so the opinion of the external auditor on the financial
statements remains his responsibility .

The Relationship Between Internal and External Audit

The coordination of internal audit activity with external audit activity is very
important from both points of view: from external audits point of view is important
because, in this way, external auditors have the possibility to raise the efficiency of
financial statements audit; the relevancy from internal audits point of view is
assured by the fact that this coordination assures for the internal audit a plus of
essential information in the assessment of risks control.

16 | P a g e
The importance of the relationship from internal audit and external audit is reflected
also by International Standards of Audit which foresees, among others:

The role of internal auditing is determined by management, and its objectives

differ from those of the external auditor who is appointed to report
independently on the financial statements. The internal audit functions
objectives vary according to managements requirements. The external
auditors primary concern is whether the financial statements are free of
material misstatements;

The external auditor should obtain a sufficient understanding of internal audit

activities to identify and assess the risks of material misstatement of the
financial statements and to design and perform further audit procedures;
The external auditor should perform an assessment of the internal audit
function, when internal auditing is relevant to the external auditors risk
assessments;

Liaison with internal auditing is more effective when meetings are held at
appropriate intervals during the period. The external auditor would need to
be advised of and have access to relevant internal auditing reports and be
kept informed of any significant matter that comes to the internal auditors
attention which may affect the work of the external auditor. Similarly, the
external auditor would ordinarily inform the internal auditor of any significant
matters which may affect internal auditing;

Internal and External Auditors and Audit Committees Need to Improve

Relationships

Better communication among internal and external auditors and audit committee
members can ease some of the tensions, according to a new report.

The report, from the Institute of Internal Auditors and the Center for Audit Quality,
found that improved communication and cooperation among the various auditing
roles can help with enterprise risk management at a company. The report,
Intersecting Roles: Fostering Effective Working Relationships Among External Audit,
Internal Audit, and the Audit Committee, highlights examples of such strong
communications and cooperation from organizations across the country, with a
focus on building a clearer understanding of what external auditors require to be
able to use the work of internal audit, and when it is not appropriate to use that
work.

How to Manage External Audit Relationships

External auditors are certified professionals who check the accuracy and
completeness of a business's financial statements. Managing the external audit
relationship can be difficult for small business owners who must balance the
auditor's requests for sensitive financial information, the need for company
confidentiality as well as the choice of which auditor to engage.

Choosing an External Auditor

17 | P a g e
 Business owners should seek an auditor who is keen to discuss issues as they
arise and who doesn't hide the risk of financial decisions from the company or
its managers.

Traits of a Good Relationship

The key traits that define a good relationship between the external auditor
and the business executives can be summed up in three words: collaborative,
congenial and communicative. This last trait is merely an extension of the
open communication policy the auditor and business should adopt starting in
the selection process. Collaborative and congenial mean both parties
recognize their obligations to the auditing process.

Consequences of a Bad Relationship

In most jurisdictions, the law requires companies to hire an external or
independent auditor, so any snag in that process may put the company at
breach of law. Further, the audit opinion may be delayed, withheld or
qualified if something goes wrong. A qualified opinion means the auditor can
complete her job but finds that the company hasn't provided full and clear
information or possibly has been subject to fraud or tax evasion.

Extending the Auditor's Engagement

A scope of work document should be drawn up at this point, specifying the
balance of work to be completed, the amount of time for the contract
extension and any procedural issues that need to be addressed. External
audits normally take place every 12 months, so any external audit
engagement lasting for more than a few weeks is likely to throw this schedule
off track in the future.

Interaction and Cooperation between Internal and External Auditors

Interaction and cooperation between the internal auditors and external auditors
should help the governing body obtain a more comprehensive view of operations
and risks whilst eliminating areas of possible duplication of audit effort. Good
communication between internal and external audit should also be of benefit to
senior managers as both audit engagements and subsequent recommendations to
the improvement of risk management and internal control will be better
coordinated.

If the external auditor should decide to use the internal auditors work in arriving at
their opinion, the process will be regulated by ISA 610.

Given the specific scope and objectives of their mission, the risk information
gathered by external auditors is typically limited to financial reporting risks, and
does not include the way senior management and the board audit committee are
managing/monitoring the organizations strategic, business and compliance risks.
However, internal audit function can provide assurance on these areas to senior
management as well as the governing body.

Whilst the objectives of external and internal audit activities are different, there may
be some potential areas of overlap, particularly in the area of financial reporting. In

18 | P a g e
particular, external audit may provide management letter comments in relation to
internal control weaknesses noted in the course of their audit engagement.

Internal audit should consider these points in its audit planning process and may
initiate separate follow-up activities to ascertain the effectiveness of managements
corrective actions. Similarly, external audit should consider internal audit findings as
an input into their own work.
Before the cooperation takes place, each auditor will assess the work that can be
reused from the other auditors.

19 | P a g e