Chapter 7

Audit Report

Lesson 1

 Communication of the results of assurance and

consulting engagement is an integral part of any
assurance and consulting engagement due to various
demands by the board, management, and other
stakeholders to provide opinions as part of each
adding value services on the overall adequacy of
governance, risk management and control within an
organization.
International Professional Practices Framework (IPPF) or
the IIA Standard requires internal auditors to
communicate the results of engagement and occurs on
an ongoing basis as the engagement progresses.

Examples of Internal Audit

Opinion
The IIA Practice Guide on Formulating and Expressing
Internal Audit Opinions issued in 2009 enumerates the
following examples of internal audit opinion that the IAA
may be requested to provide:
An opinion on the organizations overall system of internal
control over financial reporting.
An opinion on the organizations controls and procedures for
compliance with applicable laws and regulations, such as
health and safety, when those controls and procedures are
performed in multiple countries or subsidiaries.
An opinion on the effectiveness of controls such as budgeting
and performance management when such controls are
performed in multiple subsidiaries and coverage comprises the
majority of the organizations assets, resources, revenues, etc.

Examples of Internal Audit

Opinion
The IIA Practice Guide on Formulating and
Expressing Internal Audit Opinions issued in 2009
enumerates the following examples of internal audit
opinion that the IAA may be requested to provide:
An opinion on an individual business process or activity
within a single organization, department, or location.
An opinion on the system of internal control at a
subsidiary or reporting unit, when all work is performed in
a single audit.
An opinion on the organizations compliance with policies,
Laws, and regulations regarding data privacy, when the
scope of work is performed in a single or just a few
business units.

 Based on the above enumerations, persuasive

communication is an essential skill for auditors at
all levels, and high-quality audit reports are a key
communication tool to truly add value to an
organization.
Consequently, communications must be accurate,
objective, clear, concise, constructive, complete,
and timely (IIA Standard 2420).
This allows the internal audit function to make sure
the facts are accurate and also initiates dialogue
regarding the best method of remediation for
identified observations.

 Results are communicated throughout the span of the

engagement using various forms of communications,
including memoranda, outlines, discussions, and draft
working papers.
audit report
the final engagement communication is often referred to as
is the formal way an internal audit function communicates
the results of an engagement to management and other
appropriate parties relying on the engagement outcomes.
The primary product of an IAA is the internal audit report in
which the internal auditors express their opinions, present
the audit findings and discuss the audit

 recommendations as a way of adding

value to the organization by
providing a reasonable assurance
whether or not the organization is
running well and whether effective
controls are in place.

 The audit reports produced by internal

auditors are very different from the reports
generated by external auditors.
They do provide an opinion on the fairness of
presentation of the financial statements.
Internal auditors typically issue reports at the
end of each audit that summarize their
findings, recommendations, and any
responses or action plans from management.

 Although the format and content of

the audit final communications may
vary by organization or type of audit,
they should contain, at a minimum,
the purpose, scope, and results of
the audit.

 An audit report may have an

executive summary, a body that
includes the specific issues or
findings identified and related
recommendations or action plans,
and appendix information such as
detailed graphs and charts or
process information.

QUALITY OF AUDIT COMMUNICATION

(IIA Standard 2420)
Communications must be:

Accurate
Objective
Clear
Concise

Constructive
Complete
Timely

QUALITY OF AUDIT COMMUNICATION

(IIA Standard 2420)
Accurate

Objective

Communications are free

from errors and distortions
and are faithful to the
underlying facts. The
manner in which the data
and evidence is gathered,
evaluated, and
summarized for
presentation should be
done with care and
precision.

Communications are fair,

impartial, and unbiased and
are the result of a fair-minded
and balanced assessment of
all relevant facts and
circumstances.
Observations, conclusions,
and recommendations should
be derived and expressed
without prejudice,
partisanship, personal
interests, and the undue
influence of others.

QUALITY OF AUDIT COMMUNICATION

(IIA Standard 2420)
Clear

Concise

Communications are
easily understood and
logical clarity can be
improved by avoiding
unnecessary technical
language and
providing all
significant and
relevant information.

Communications are to the

point and avoid unnecessary
elaboration, superfluous
detail, redundancy, and
wordiness.
They are created by a
persistent practice of revising
and editing a presentation.
The goal is that each thought
will be meaningful but
succinct.

QUALITY OF AUDIT COMMUNICATION

(IIA Standard 2420)
Constructive

Complete

Timely

Communications are
helpful to the audit
client and the
organization and lead
to improvements
where needed.
The contents and
tone of the
presentation should
be useful, positive,
and welt-meaning
and contribute to the
objectives of the
organization.

Communications
are lacking nothing
that is essential to
the target audience
and include all
significant and
relevant
information and
observations to
support
recommendations
and conclusions.

Communications are
well-timed, opportune,
and expedient for
careful consideration by
those who may act on
the recommendations.
The timing of the
presentation of audit
results should be set
without undue delay
and degree of urgency
and so as to enable
prompt effective action.

COMPOSITION OF THE REPORT

(IIA Standard 2410)
1. The engagements objectives and
scope
2. Applicable conclusions, opinion, or
audit findings/observations
3. Recommendations
4. Action plans or corrective action.

COMPOSITION OF THE REPORT

1. The engagements objectives and scope
Sufficient background information on the audit entity should be
provided to understand the context and significance of the audit report.
Scope is the area or process subject to the engagement and its
corresponding business objectives, related risks, and control activities.
Likewise, the audit scope should state what was and was not included in
the examination and specifies the period of time represented by the
activities examined.
Under Practice Advisory 2410-1, scope statements should identify the
audited activities. Additionally, the related activities not reviewed
should be identified, if necessary, to delineate the boundaries of the
engagement.
The nature and the extent of engagement work performed also should
be described.
The period of operations covered by the engagement scope typically
either as a point of time or a period of operations that is in the past.

COMPOSITION OF THE REPORT:

2. Applicable conclusions, opinion, or audit findings/observations
Conclusions and opinions are the internal auditors evaluations of the
effects of the observations and recommendations on the activities
reviewed.
They usually put the observations and recommendations in perspective
based upon the overall implications.
Engagement conclusions, if included in the engagement report, should be
clearly identified as such (Practice Advisory 2410-1).
Audit opinion or conclusion must take into account the expectations of
senior management the board, and other stakeholders and must be
supported by sufficient reliable, relevant, and useful information
otherwise known as sufficient and appropriate evidence. Internal auditors
may report that their engagements were conducted in conformance with
the International Standards for the Professional Practice of Internal
Auditing (ISPPIA or IIA Standard), only if the results of the quality
assurance and improvement program support the statement.

COMPOSITION OF THE REPORT:

2. Applicable conclusions, opinion, or audit findings/observations

Conclusions may encompass the entire scope of an

engagement or specific aspects. They may cover,
but not limited to, whether operating or program
objectives and goats conform with those of the
organization, whether the organizations objectives
and goals are being met and whether the activity
under review is functioning as intended.
IIA Standard 2410.A2 internal auditors are
encouraged to acknowledge satisfactory
performance in engagement communications
(audit client accomplishments, related issued and
supportive information).

COMPOSITION OF THE REPORT:

2. Applicable conclusions, opinion, or audit findings/observations

If a CAE issues an opinion, the CAE needs to consider the

scope of the audit work, the nature and extent of audit work
performed, and evaluate what the evidence from the audit
means concerning the adequacy of internal controls.
Such an opinion should express clearly:
The evaluation criteria and structure used.
The scope over which the opinion applies.
Who has responsibility for the establishment and maintenance of
internal controls.
The specific type of opinion being expressed by the auditor.

During consulting engagements, governance, risk

management and control issues may be identified.
Whenever these issues are significant to the organization, they
must be communicated to senior management and the board.

BASIS OF AUDIT
OBSERVATIONS
Audit Findings and recommendations
should be based on the following
attributes:
a) Criteria
b) Condition
c) Cause
d) Effect

BASIS OF AUDIT OBSERVATIONS:

a) Criteria
The standards, measures, or expectations used in making an
evaluation and/or verification.
Auditors should have a means of measuring or judging the
results and impact of matters identified on an audit.
This can be achieved through the development of a criteria
framework.
Suitable criteria are factors that are relevant and appropriate
to the particular characteristics of the audited organization
and against which actual outcomes can be objectively
assessed.
They focus on the results expected to be achieved by systems
of internal controls and ideally, are established before the
execution of the overall audit plan.

BASIS OF AUDIT OBSERVATIONS:

a) Criteria
These criteria should be relevant
reliable, neutral, understandable, and
complete.
In the absence of such principles, it is
recommended that internal auditing
should not render an opinion, since
there is no frame of reference to
objectively support the internal
auditors conclusion.

BASIS OF AUDIT OBSERVATIONS:

a) Criteria
In establishing suitable criteria, it is important for the IAA to
determine whether the organization has established basic principles
as to what constitutes appropriate governance, risk management
and control practices.
This would include:
A clear articulation of the definition of control adopted or used by the
organization
for example, has the organization adopted the COSO or CoCo model?

Managements understanding of what would constitute a satisfactory level

of control.
For example, satisfactory could mean that 90% (or another acceptable percentage) of
transactions within one control objective are conducted in accordance with
established control procedures; alternatively, it could also mean that 85% (or another
acceptable percentage) of overall controls are working as intended.

A clear articulation by management of its risk tolerances (Refer to Chapter

5) or appetite, including materiality thresholds.

BASIS OF AUDIT
OBSERVATIONS
b) Condition
The factual evidence that the internal auditor found in the
course of the examination (what does exist).

c) Cause
The reason for the difference between the expected and actual
conditions (why the difference exists).

d) Effect
The risk or exposure the organization and/or others encounter
because the condition is not consistent with the criteria (the
impact of the difference) in determining the degree of risk or
exposure, internal auditors should consider the effect their
audit observations recommendations may have on the
organizations operations and financial statements.

BASIS OF AUDIT
OBSERVATIONS
Each observation contains a statement of the condition
(the situation supported by audit evidence), the
criterion, the cause, the effect and a recommendation.
Persuasive evidence is presented in support of each
audit observation.
The impact of negative observations is quantified
where possible but otherwise presented in a compelling
argument including an analysis of potential risks.
Positive observations and conclusions are provided
where warranted.

BASIS OF AUDIT
OBSERVATIONS
Audit client accomplishments (satisfactory
performance), in terms of improvements
since the last audit or the establishment of a
well-controlled operation, may be included
the audit final communications.
This information may be necessary to present
the existing conditions and to provide a
proper perspective and appropriate balance
to the audit final communications.

Interim Reports
Communication of audit result occurs on an ongoing basis as the
engagement progresses.
Consequently, interim reporting in internal audit is allowed.
Interim reports may be written or oral and may be formal or
informal.
Interim reporting may be used to communicate information that
requires immediate attention, to communicate a change in audit
scope for the activity, undo review, or to keep management
informed of audit progress when audits extend over a long
period.
The use of interim reports does not diminish or eliminate the
need for a final report.
The form and contents of interim report will vary depending
upon the nature of the engagement and the needs of the client.

TYPES OF AUDIT OPINION

The IIA Practice Guide identifies the
types of internal audit opinion as
follows:
1. Positive opinion
2. Negative opinion
3. Qualified opinion
4. Disclaimer of opinion

POSITIVE ASSURANCE
(Reasonable Assurance)
Positive assurance is one of the strongest types of audit opinions.
In providing positive assurance, the auditor is taking a definite
position on the strength of the internal controls.
Consequently, a positive assurance opinion requires the highest level
of evidence. It implies not only whether controls/risk mitigation
processes are adequate and effective, but also -that sufficient
evidence was gathered to be reasonably certain that evidence to the
contrary, if it exists, would have been identified. The auditor takes
full responsibility for the sufficiency of the audit procedures to find
what should have been reasonably found by a prudent auditor
Positive assurance opinions provide the reader a high level of
confidence (but not absolute) and comfort in the reliability of the
underlying information. As such, internal audit activities are often
requested to provide such positive assurance opinions.

Varieties of a positive
assurance
Binary
internal controls are or are not appropriate in the situation
for example: internal controls are satisfactory or
unsatisfactory, effective or ineffective, etc.

Graded
the effectiveness of internal controls is rated using a
grading system
for example: red-yellow-green, 1-2-3-4-5, etc.

Directional
provides additional information about the direction of the
opinion since a previous report
for example Satisfactory, but diminished since last year.

NEGATIVE ASSURANCE
(Limited Assurance)
Negative assurance
is a statement that nothing came to the auditors attention
that would indicate inadequate internal controls.

Negative assurance opinion

merely states that the internal auditor has not seen problems
based on the work performed.

The auditor takes no responsibility for the sufficiency of

the audit scope and procedures to find all concerns or
issues.
Such an opinion is less valuable than a positive
assurance opinion as it provides limited assurance that
sufficient evidence was gathered to determine whether
internal controls were inadequate.

NEGATIVE ASSURANCE
(Limited Assurance)
Situations where a negative assurance opinion may be
appropriate include:
Work is being performed on a rotation basis across many audit
units with the scope of the work performed based on work in
multiple audit units.
In this case, a negative assurance opinion may be appropriate on the
individual units.
However, the combination of the evidence from all the units may be
sufficient to express a positive assurance opinion on the group of units.

Resources devoted to the audit were limited such that the

amount of audit evidence required to support a positive
assurance opinion was not obtained.
In this case, the negative assurance opinion should clearly state the
extent of work performed.

QUALIFIED OPINION
An opinion can be qualified with specific
findings that contradict the overall
opinion.
Qualified opinions can be useful in
situations where there is an exception to
the general opinion.
For example, the opinion may indicate that
controls were, satisfactory, with the
exception of accounts payable controls,
which require significant improvement

3. Recommendations
The recommendations in an internal audit
report
are designed to help the organization achieve
its goals (Adding Value to the organization),
which may relate to operations, financial
reporting or legal/regulatory compliance
may suggest approaches to correcting or
enhancing performance as a guide for
management in achieving desired results.
Recommendations may be general or specific.

3. Recommendations
Audit findings and recommendations may
relate to
effectiveness (La, whether goals were met or
compliance with standards was achieved) or
efficiency (i.e., whether the outputs were generated
with minimum inputs).
particular assertions about transactions
such as whether the transactions audited were valid or
authorized, completely processed, accurately valued,
processed in the correct time period, and properly
disclosed in financial or operational reporting, among
other elements.

4. Action plans or corrective action.

This portion of the report should present
what should management do about the
findings.
What have they agreed to do and when?
Recommendations flow logically from
observations and causes, are specific and
cost- effective, and are directed to specific
positions or individuals with the authority
to act upon them.

DISSEMINATING RESULTS
(IIA STANDARD 2440)
CAE
must communicate results to the appropriate parties.
is responsible for communicating the final results to
parties who can ensure that the results are given due
consideration.
If not otherwise mandated by legal, statutory, or
regulatory requirements, prior to releasing results to
parties outside the organization , the CAE must
Assess the potential risk to the organization;
Consult with senior management and/or Legal counsel as
appropriate; and
Control dissemination by restricting the use of the results.

DISSEMINATING RESULTS
(IIA STANDARD 2440)
When releasing engagement results to
parties outside the organization, the
communication must include limitations
on distribution and use of the results.
If a final communication contains a
significant error or omission, the CAE
must communicate corrected
information to all parties who received
the original communication.

DISSEMINATING RESULTS:
Errors and Omissions
If it is determined that a final audit
communication contains an error, CAE should
consider the need to issue an amended report
identifying the information being corrected.
The amended audit communications should be
distributed to all individuals who received the
audit communications being corrected (IIA
Standard 2421).
An error is defined as an unintentional
misstatement or omission of significant
information in a final audit communication.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The Substance of the Report (body of the report)
Sufficient background information on the audit entity
is provided to understand the context and significance of the
audit report.

The audit Objectives and the related criteria used to

arrive at observations and conclusions are stated.
The audit scope states what was and was not included
in the examination and specifies the period of time
represented by the activities examined.
The timing of the audit the methodology employed, and
the professional standards followed are described.
If appropriate, disclosure is made if any parts of the
engagement were affected by non-compliance with
professional standards.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The Substance of the Report (body of the report)
Detailed audit observations relate to the stated
objectives and criteria and logically support overall
opinions and conclusions.
Each observation contains a statement of the condition
(the situation supported by audit evidence), the
criterion, the cause, the effect and a recommendation.
Convincing or persuasive evidence is presented in
support of each audit observation.
The impact of negative observations is quantified
where possible but otherwise presented in a compelling
argument including an analysis of potential risks.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The Substance of the Report (body of the report)
Recommendations flow logically from observations
and causes, are specific and cost-effective, and are
directed to specific positions or individuals with the
authority to act upon them.
A conclusion, or a statement of inability to conclude,
is provided for each audit objective and is supported
by convincing evidence and analysis.
As appropriate, a statement of assurance is provided.
Positive observations and conclusions are provided
where warranted.
Appendices included in the report add value in
understanding the engagement results.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The executive summary

The executive summary

provides a brief overview of the audit entity,
reiterates the audit purpose, objective, and
scope, references the audit criteria and
methodology, and repeats the opinions or
conclusions with respect to each objective and
with respect to the overall engagement if
provided.

The statement of assurance is referenced or

reiterated, as appropriate.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The Style of the Report
The table of contents establishes the layout and structure
of the report and correctly represents headings and page
numbers in the body of the report.
Headings and text styles (e.g. italics, boldface, font size)
are used effectively and consistently to draw the readers
attention, e.g. topic or lead sentences, highlighted
recommendations.
Charts and other exhibits are referenced in the report and
appropriately labeled.
Paragraph and sentence structure support understanding,
e.g. single topic or issue, concise, logical
Initialisms and acronyms are explained or defined upon
their first use.

CHECKLIST FOR REVIEWING AUDIT REPORTS:

The Style of the Report
Language usage and terminology is appropriate
to the intended audience(s), e.g. the active voice
is used and jargon and overly technical
terminology are avoided or ?
A balanced tone is maintained.
Grammar and spelling are correct.
Appendices are presented in a uniform format
and are referenced in the body of the report.
Overall, the report is clear and concise - the
important findings, recommendations, and
conclusions are evident.

DISCLOSURE OF NONCONFORMANCE
(IIA STANDARD 2431)
When, nonconformance with the Definition
of Internal Auditing, the Code of Ethics or
the Standards impacts a specific
engagement, communication of the results
must disclose the:
Principle or rule of conduct of the Code of Ethics
or Standard(s) with which full conformance was
not achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement
and the communicated engagement results.

DISCLOSURE OF NONCONFORMANCE
(IIA STANDARD 2431)
When, nonconformance with the Definition of
Internal Auditing, the Code of Ethics or the
Standards impacts a specific engagement,
communication of the results must disclose the:
Principle or rule of conduct of the Code of Ethics or
Standard(s) with which full conformance was not
achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement and
the communicated engagement results.

MONITORING
CAE
must establish and maintain a system to monitor the
disposition of results communicated to management.
must establish a follow-up process to monitor and
ensure that management actions have been
effectively implemented or that senior management
has accepted the risk of not taking action.

IAA
must monitor the disposition of results of consulting
engagements to the extent agreed upon with the
client.

MONITORING
External Service Provider and Organizational
Responsibility for Internal Auditing
When an external service provider serves as the
IAA, the provider must make the organization
aware that the organization has the responsibility
for maintaining an effective IAA.
This responsibility is demonstrated through the
quality assurance and improvement program which
assesses conformance with the Definition of
Internal Auditing, the Code of Ethics, and the
Standards.

Summary