Académique Documents
Professionnel Documents
Culture Documents
Audit Report
Lesson 1
Accurate
Objective
Clear
Concise
Constructive
Complete
Timely
Objective
Concise
Communications are
easily understood and
logical clarity can be
improved by avoiding
unnecessary technical
language and
providing all
significant and
relevant information.
Complete
Timely
Communications are
helpful to the audit
client and the
organization and lead
to improvements
where needed.
The contents and
tone of the
presentation should
be useful, positive,
and welt-meaning
and contribute to the
objectives of the
organization.
Communications
are lacking nothing
that is essential to
the target audience
and include all
significant and
relevant
information and
observations to
support
recommendations
and conclusions.
Communications are
well-timed, opportune,
and expedient for
careful consideration by
those who may act on
the recommendations.
The timing of the
presentation of audit
results should be set
without undue delay
and degree of urgency
and so as to enable
prompt effective action.
BASIS OF AUDIT
OBSERVATIONS
Audit Findings and recommendations
should be based on the following
attributes:
a) Criteria
b) Condition
c) Cause
d) Effect
BASIS OF AUDIT
OBSERVATIONS
b) Condition
The factual evidence that the internal auditor found in the
course of the examination (what does exist).
c) Cause
The reason for the difference between the expected and actual
conditions (why the difference exists).
d) Effect
The risk or exposure the organization and/or others encounter
because the condition is not consistent with the criteria (the
impact of the difference) in determining the degree of risk or
exposure, internal auditors should consider the effect their
audit observations recommendations may have on the
organizations operations and financial statements.
BASIS OF AUDIT
OBSERVATIONS
Each observation contains a statement of the condition
(the situation supported by audit evidence), the
criterion, the cause, the effect and a recommendation.
Persuasive evidence is presented in support of each
audit observation.
The impact of negative observations is quantified
where possible but otherwise presented in a compelling
argument including an analysis of potential risks.
Positive observations and conclusions are provided
where warranted.
BASIS OF AUDIT
OBSERVATIONS
Audit client accomplishments (satisfactory
performance), in terms of improvements
since the last audit or the establishment of a
well-controlled operation, may be included
the audit final communications.
This information may be necessary to present
the existing conditions and to provide a
proper perspective and appropriate balance
to the audit final communications.
Interim Reports
Communication of audit result occurs on an ongoing basis as the
engagement progresses.
Consequently, interim reporting in internal audit is allowed.
Interim reports may be written or oral and may be formal or
informal.
Interim reporting may be used to communicate information that
requires immediate attention, to communicate a change in audit
scope for the activity, undo review, or to keep management
informed of audit progress when audits extend over a long
period.
The use of interim reports does not diminish or eliminate the
need for a final report.
The form and contents of interim report will vary depending
upon the nature of the engagement and the needs of the client.
POSITIVE ASSURANCE
(Reasonable Assurance)
Positive assurance is one of the strongest types of audit opinions.
In providing positive assurance, the auditor is taking a definite
position on the strength of the internal controls.
Consequently, a positive assurance opinion requires the highest level
of evidence. It implies not only whether controls/risk mitigation
processes are adequate and effective, but also -that sufficient
evidence was gathered to be reasonably certain that evidence to the
contrary, if it exists, would have been identified. The auditor takes
full responsibility for the sufficiency of the audit procedures to find
what should have been reasonably found by a prudent auditor
Positive assurance opinions provide the reader a high level of
confidence (but not absolute) and comfort in the reliability of the
underlying information. As such, internal audit activities are often
requested to provide such positive assurance opinions.
Varieties of a positive
assurance
Binary
internal controls are or are not appropriate in the situation
for example: internal controls are satisfactory or
unsatisfactory, effective or ineffective, etc.
Graded
the effectiveness of internal controls is rated using a
grading system
for example: red-yellow-green, 1-2-3-4-5, etc.
Directional
provides additional information about the direction of the
opinion since a previous report
for example Satisfactory, but diminished since last year.
NEGATIVE ASSURANCE
(Limited Assurance)
Negative assurance
is a statement that nothing came to the auditors attention
that would indicate inadequate internal controls.
NEGATIVE ASSURANCE
(Limited Assurance)
Situations where a negative assurance opinion may be
appropriate include:
Work is being performed on a rotation basis across many audit
units with the scope of the work performed based on work in
multiple audit units.
In this case, a negative assurance opinion may be appropriate on the
individual units.
However, the combination of the evidence from all the units may be
sufficient to express a positive assurance opinion on the group of units.
QUALIFIED OPINION
An opinion can be qualified with specific
findings that contradict the overall
opinion.
Qualified opinions can be useful in
situations where there is an exception to
the general opinion.
For example, the opinion may indicate that
controls were, satisfactory, with the
exception of accounts payable controls,
which require significant improvement
3. Recommendations
The recommendations in an internal audit
report
are designed to help the organization achieve
its goals (Adding Value to the organization),
which may relate to operations, financial
reporting or legal/regulatory compliance
may suggest approaches to correcting or
enhancing performance as a guide for
management in achieving desired results.
Recommendations may be general or specific.
3. Recommendations
Audit findings and recommendations may
relate to
effectiveness (La, whether goals were met or
compliance with standards was achieved) or
efficiency (i.e., whether the outputs were generated
with minimum inputs).
particular assertions about transactions
such as whether the transactions audited were valid or
authorized, completely processed, accurately valued,
processed in the correct time period, and properly
disclosed in financial or operational reporting, among
other elements.
DISSEMINATING RESULTS
(IIA STANDARD 2440)
CAE
must communicate results to the appropriate parties.
is responsible for communicating the final results to
parties who can ensure that the results are given due
consideration.
If not otherwise mandated by legal, statutory, or
regulatory requirements, prior to releasing results to
parties outside the organization , the CAE must
Assess the potential risk to the organization;
Consult with senior management and/or Legal counsel as
appropriate; and
Control dissemination by restricting the use of the results.
DISSEMINATING RESULTS
(IIA STANDARD 2440)
When releasing engagement results to
parties outside the organization, the
communication must include limitations
on distribution and use of the results.
If a final communication contains a
significant error or omission, the CAE
must communicate corrected
information to all parties who received
the original communication.
DISSEMINATING RESULTS:
Errors and Omissions
If it is determined that a final audit
communication contains an error, CAE should
consider the need to issue an amended report
identifying the information being corrected.
The amended audit communications should be
distributed to all individuals who received the
audit communications being corrected (IIA
Standard 2421).
An error is defined as an unintentional
misstatement or omission of significant
information in a final audit communication.
DISCLOSURE OF NONCONFORMANCE
(IIA STANDARD 2431)
When, nonconformance with the Definition
of Internal Auditing, the Code of Ethics or
the Standards impacts a specific
engagement, communication of the results
must disclose the:
Principle or rule of conduct of the Code of Ethics
or Standard(s) with which full conformance was
not achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement
and the communicated engagement results.
DISCLOSURE OF NONCONFORMANCE
(IIA STANDARD 2431)
When, nonconformance with the Definition of
Internal Auditing, the Code of Ethics or the
Standards impacts a specific engagement,
communication of the results must disclose the:
Principle or rule of conduct of the Code of Ethics or
Standard(s) with which full conformance was not
achieved;
Reason(s) for nonconformance; and
Impact of nonconformance on the engagement and
the communicated engagement results.
MONITORING
CAE
must establish and maintain a system to monitor the
disposition of results communicated to management.
must establish a follow-up process to monitor and
ensure that management actions have been
effectively implemented or that senior management
has accepted the risk of not taking action.
IAA
must monitor the disposition of results of consulting
engagements to the extent agreed upon with the
client.
MONITORING
External Service Provider and Organizational
Responsibility for Internal Auditing
When an external service provider serves as the
IAA, the provider must make the organization
aware that the organization has the responsibility
for maintaining an effective IAA.
This responsibility is demonstrated through the
quality assurance and improvement program which
assesses conformance with the Definition of
Internal Auditing, the Code of Ethics, and the
Standards.
Summary