A brief guide to audit assignment reporting
You’ll report to stakeholders to give your opinion on the effectiveness of the controls in place to manage risk, to provide a balanced overview of key effective controls, and to agree on actions that will address the key issues.
Principles and approach
A departmental template for written reports, guidance and training should be in place for audit assignment reporting. This template generally includes an opinion and overview section (to meet the needs of senior management) and an issues section (to meet the needs of local management) including the issue detail, the risk and agreed actions with dates and responsibility.
The guidance and training should cover both verbal and written reporting, influencing skills, dealing with conflict and how to write effective audit reports. The department should continually improve reporting and seek to meet the needs of all stakeholders, from local to senior management and the audit committee.
Audit opinions and issue ratings, if used, should be defined and communicated as an appendix to the audit assignment report and more generally to senior/executive management when introduced or materially changed.
A balanced overview should initially be communicated to local management in order to provide a complete picture of the results of the audit and of the positive as well as the negative material findings.
A balanced overview in the written report enables senior management and the audit committee to quickly understand why you’ve reached your opinion. It should be in context and include the key risks, key effective controls and key weaknesses identified.
Audit findings should first be communicated in a face-to-face meeting if possible to:
- ensure there are no surprises;
- clarify the facts;
- avoid misunderstandings;
- influence management that action is required to address the unacceptable risks that exist; and
- discuss and agree those actions.
Contact the manager about the purpose of this meeting.
In the report, your findings should be grouped into key issues which concisely state:
- what you have found; and
- what your evidence is and therefore the risk.
In grouping findings into issues, you should consider if several findings have the same root cause, the same impact or the same source. For example, do they relate to not evidencing control, imply that data is insecure or all relate to the same team or manager? The most material issues should be reported first.
Recommendations should be discussed verbally, but recommendations within the audit assignment report may be replaced by management actions in order to ensure that ownership of the risk clearly sits with management.