Internal audit and review reports

Internal auditors, external auditors, and consultants who perform internal audit and review engagements provide reports to management (internal audit reports). These reports are important because they provide documentary evidence of the work performed, the conclusions reached and the recommendations made. The quality and presentation of such reports makes a substantial difference to the value added by internal audit and those performing similar functions.
Internal audit reports are different to statutory auditors’ reports produced by external auditors because statutory reports are governed by legislation and either national auditing standards, or International Standards on Auditing. Statutory auditors’ reports are highly codified, and usually fairly brief by comparison with internal audit reports, and they are often available for public inspection. Statutory auditors’ reports are produced for the benefit of shareholders and other stakeholders whereas internal audit reports are produced for the benefit of management; they are generally private documents and are not normally available for public inspection.

On the other hand, internal audit reports are similar, in some respects, to reports to management on the design and implementation of controls provided by external auditors to management during the course of, and at the end of, statutory audits. The method of production of such reports is similar, for example. Both internal and external auditors draft these sorts of reports on the basis of the findings of their work and there will usually be a split between significant and insignificant matters, and a summary or overall evaluation of the more important matters. Draft reports will often be discussed with management to confirm the findings and to establish management’s likely response. Responses are often incorporated into the report. Reports will often be redrafted several times, particularly in large organisations, after which the report will be issued. If management have not commented at an earlier stage, a formal response may be expected later. It is normal to follow up on recommendations or agreed action points in order to establish how the issues have been dealt with.

External auditor reports to management deal in substance with, inter alia, issues relating to the design and implementation of internal controls that have come to the external auditors’ attention during the course of the statutory audit. They generally deal with weaknesses in systems, the potential consequences and provide recommendations to management. Whilst internal audit reports may appear to be similar, they are different in substance.

Internal audit engagements are usually undertaken as part of a pre-planned program of work with a variety of objectives as part of an entity’s overall corporate governance arrangements. These objectives can relate to the risks faced by the business, internally and externally, and / or they can deal with the enhancement of performance.

Whilst there are common elements to the two types of reporting, risk-based reporting tends to look at the current position and internal issues, whereas enhancement of performance tend to be more outward and forward-looking. Risk-based reports might include establishing whether existing systems are properly aligned with the overall objectives of the entity. For example, internal auditors may be requested to establish whether human resources systems are capable of, and are actually delivering, the development and retention of the best staff in an entity’s particular market. Where it is believed that systems are not properly aligned, internal audit may be requested to make recommendations in relation to changing the existing systems, or implementing new systems, in order to achieve corporate objectives. Reports relating to the enhancement of performance may involve a review of the market, and management’s business strategies and overall risk management systems at a higher level. Whatever the assignment, there will almost always be a formal report which should be clear, balanced and constructive, consistent in style and concise.

Internal audit reports will usually contain a header page giving a title (the subject matter of the report), a distribution list, the date of production of the report, the identity of the authors and some sort of reference number. They will usually include an executive summary providing the background to the project (an introduction), summary terms of reference, the major outcomes of the work, the key risks identified and key action points or recommendations, and a summary of any further work required. The main body of the report includes detailed findings, action points or recommendations and will often include alternative recommendations. It gives details of responsibility for actioning the points, the costs involved with the various recommendations, and time-scales for implementation. Appendices will often contain the full terms of reference, tables or questionnaires used, flowcharts and systems diagrams, timetables, details of tests performed, and any other relevant information.