"Sharing the Knowledge" The website for internal audit professionals
Written Internal Audit Reports
Internal Audit reports should be accurate, objective, constructive, clear, concise, and timely. The Audit Report is the principal means by which audit findings are communicated to management and the Audit Committee for the purpose of reporting on the scope of the audit performed and the audit results. Each audit finding should be classified as a major control weakness, minor control weakness, exception, observation, or a violation of law, rule or regulation.
The audit findings summary should be of sufficient detail to identify the control weaknesses, exceptions, observations or violations of law, rule, or regulation, and should include supporting facts to the extent considered necessary. The risk exposure presented by a control weakness should be identified. A recommendation for corrective action should be included for each control weakness, exception, observation and violation of law, rule, or regulation.
Audit Report Contents
Audit Reports should include, as applicable, the following:
Audit Name and Report Issuance Date
Audit Report Addressee(s): Identifies the process owners to whom the Audit Report is directed
Report Distribution List: Identifies all parties to whom the Audit Report is distributed
Scope and Objective of the Audit: Identifies the major activities, processes and functions reviewed and identifies the time period the audit is meant to review (dates of sample tested documents and procedures)
Auditor’s Conclusions and Internal Control Rating: Identifies the auditor’s opinion regarding the adequacy and effectiveness of internal controls to include an internal control rating
Narrative overview of the business activity and its associated internal controls
List and detailed explanation of the Major Control Weaknesses, Minor Control Weaknesses, Exceptions, Observations and Violations of Law, Rules and Regulations noted during the audit
Internal Auditor's Recommendation: recommendation for corrective action as it applies to each audit finding
Management Response: A section for management to include its written response to the audit finding and state any corrective action taken or planned
Target Completion Date: Identifies the date corrective action will be completed by management
Comment Owner: Identifies the manager responsible for ensuring corrective action is taken as it applies to the audit finding
Categories of Audit Findings
Major Control Weakness: Identifies a control weakness that presents a high risk exposure or risk of loss, or that has a significant adverse effect on the achievement of an important operating objective related to a core business process, key business activity, or critical business function. Major control weaknesses generally require prompt corrective action to reduce the risk exposure.
Minor Control Weakness: Identifies a control weakness that presents a low to moderate risk exposure or risk of loss, or that has a minor adverse effect on the achievement of an operating objective related to a business process, business activity, or business function. Minor control weaknesses generally require timely corrective action to reduce the risk exposure.
Exception: Identifies an error or occurrence (event) which did not conform to established policy or an established control procedure, or a condition which does not conform to generally accepted control principles or business practices; however, it does not constitute a control weakness. A related control weakness may exist, depending on the nature and pervasiveness of the exceptions. Exceptions generally require corrective action to remedy the exception.
Observation: Identifies a condition such as an operating policy, operating procedure, or operating practice that is not efficient or effective; however, the condition does not constitute a control weakness. Observations merit management consideration to realize improved efficiency or effectiveness.
Violations of Laws, Rules and Regulations: Identifies violations of laws, rules, or regulations.
Internal Control Ratings
Each Audit Report should include an overall internal control rating based on the audit findings. Commonly accepted ratings are as follows:
Satisfactory: The internal control system is effective. Established control procedures reasonably assure the achievement of operating and control objectives. If control weaknesses exist, they are only minor control weaknesses. Risk exposure or risk of loss is low.
Needs Improvement: The internal control system is generally effective. Only minor control weaknesses exist; however, their effect on the internal control system is more pervasive and the achievement of important operating or control objectives is not reasonably assured. Risk exposure or risk of loss is moderate.
Unsatisfactory: The internal control system is ineffective. One or more major control weaknesses exist that have a significant adverse effect on the achievement of important operating or control objectives. Risk exposure or risk of loss is high.
Draft Audit Report Issuance
A Draft Audit Report should be issued to the addressees/process owners and any other individuals (i.e. executive management) included on the Distribution List. Draft Audit Reports should be issued on a timely basis following the completion of each audit.
Management Response to Draft Audit Reports
A written management response should be provided for each major control weakness, minor control weakness, exception, observation or violation of a law, rule, or regulation included in a Draft Audit Report. As applicable, the management response to an audit finding should identify corrective action taken or planned and include a completion date for corrective action taken, or a target completion date for planned corrective action. Each management response should designate one comment owner. Management has responsibility for establishing comment ownership.
All written management responses to audit findings noted in Draft Audit Reports should be submitted to the Internal Auditor within a reasonable period of time (i.e. 10 calendar days) of the issuance date of the Draft Audit Report. Reasonable deviations from this time requirement may be allowed for valid reasons such as illness, vacation, or unexpected demands on time to meet the operating needs of the department or organization.
In the event management does not concur with audit findings, conclusions, recommendations, or the internal control rating identified in the Draft Audit Report, management should, at its discretion, indicate the reason(s) in its written management response. Following receipt of management’s written response to a Draft Audit Report and prior to the issuance of a Preliminary Audit Report, the Internal Auditor should discuss with management and attempt to resolve any differences of opinion with regard to the Draft Audit Report audit findings, conclusions, recommendations, internal control rating or adequacy of a management response in terms of proposed corrective action.
Preliminary Audit Report (includes Management Responses)
Following receipt of a written management response to each audit finding noted in a Draft Audit Report, the Internal Auditor should issue a Preliminary Audit Report that incorporates the written management responses. The Preliminary Audit Report should be issued to the individuals identified on the Distribution List. Management should have additional time (i.e. 5 calendar days) from the issuance date of the Preliminary Audit Report to review the Preliminary Audit Report and provide any additional or revised management response.
Final Audit Report to Audit Committee
Following expiration of the allowable time for management’s written response, a Final Audit Report, incorporating management’s written responses or non-responses to audit findings and any corrective action taken or planned, should be issued to the Audit Committee.
Resolution of Differences of Opinion
Any unresolved difference of opinion with regard to audit findings, conclusions, recommendations, internal control rating, or adequacy of a management response in terms of proposed corrective action should be arbitrated and resolved by the Audit Committee at their discretion. The Audit Committee’s determination should function to resolve the difference of opinion and bind all parties to the resulting determination. In the event the Audit Committee is unable to arrive at a determination, for whatever reason, the matter should be resolved by the Board of Directors at their discretion.
Management Follow-up on Internal Audit Findings
Management should complete corrective action measures in response to reported internal audit findings in a timely and reasonable manner. The comment owner or designee should give written notice to the Internal Auditor upon completion of corrective action in response to an internal audit finding. In the event corrective action has not been completed by the established target completion date, the comment owner should provide a written notice to the Internal Auditor on the status of corrective action, circumstances or reasons that have prevented the completion of corrective action, and specify a revised target date by which corrective action will be completed.
Management Follow-up on External Auditor Findings
Management should complete corrective action measures in response to reported external audit findings in a timely and reasonable manner. The Internal Auditor is typically requested to act as the coordinator of remediation efforts between management and external auditors when reasonable. In such a case, the comment owner or designee should give written notice to the Internal Auditor upon completion of corrective action in response to an external audit finding. In the event corrective action has not been completed by the established target completion date, the comment owner should provide a written notice to the Internal Auditor on the status of corrective action, circumstances or reasons that have prevented the completion of corrective action, and specify a revised target date by which corrective action will be completed.