From RiskWiki



Internal audit reports communicate audit findings to management in order to assist it in monitoring the efficiency, economy and effectiveness of the organisation's operations, to improve the control framework and to ensure compliance with established policies, plans and procedures. The report should supply the manager with the information necessary to take or to initiate corrective action on any deficiencies reported. Effective monitoring of the control process depends on the flow of timely, accurate, concise and relevant information to managers, set out so that matters requiring attention can be easily seen and acted upon.

A further aspect of reporting is the updating of the Strategic Audit Program in accordance with Section 4.5 of the manual, that is, the preparation of the SAP Update work paper.

RIAM Reporting Process


| Stage | Description |
|---|---|
| Discussion Paper | Issued after field work to address findings; circulated to program management before exit interview. |
| Exit Interview | To review audit findings with operational staff, to correct errors of fact and to provide an opportunity to suggest rephrasing. |
| Draft Report | Draft report prepared after exit interview. Management comments may be included in draft report. Draft report circulated to program management for final comment. |
| Final Report | Locality audits to be signed by SAMs or by CO Assistant Directors, depending on location. Final report to be provided to auditee in advance of wider circulation within the department. SAMs to circulate to State Director, other SAMs, and to Director, Internal Audit. CO Assistant Directors to provide to SAMs and to Director, Internal Audit. The AS, RMCB, will provide to the Secretary and to CAAC. |

National program reviews should be provided to the auditee in advance of wider circulation within the organisation. The report will be co-signed by the audit manager, whether a SAM or CO Assistant Director, and the Director, Internal Audit. The AS, RMCB, will distribute the report to the Secretary, CAAC, FASs and State Directors.

Program Reviews - State Based Activity


Locality Reviews

| Stage | Action |
|---|---|
| Audit Field Work | Field work completed. |
| Discussion Paper | Address findings from field work. |
| Exit Interview | Discuss findings with operational staff. |
| Exit Interview Record | Include management comments. |
| Draft Report | Distributed to State Director and relevant Area/Branch Manager. Obtain management comments. |
| Final Report | Including management comments. To be signed by the State Audit Manager and Project Officers. Distributed to other State Audit Managers, Assistant Secretary - RMCB, each State Director and relevant CO Division Head. Prepare and submit to Director Internal Audit SAP Update work paper. |

Outlet Audits

| Stage | Action |
|---|---|
| Audit Field Work | Field work completed. |
| Exit Interview | Discuss findings with operational staff. |
| Exit Interview Record | Include management comments. Provide Outlet Manager with copy before leaving. Copy to Regional Manager. |
| Report | Compile findings from all Units reviewed within the Area. Signed by State Audit Manager and Project Officer. Distributed to Area Director, State Director, other State Audit Managers and Assistant Secretary RMCB. Prepare and submit to Director Internal Audit SAP Update work paper. |

Standard Report Structure (See Attachment)

Ultimately, the product of greatest significance to management is the report. Reporting should be standardised to ensure consistency of structure, coverage, presentation, language and quality.

Reports should have the following structure:

  1. Title page. This should include names of auditors and date of report
  2. Table of contents or index.
  3. Executive Summary
    A one-page executive summary with the report title printed at the top of the page. This executive summary should be written to be easily understood by busy people who may not have any knowledge of the subject matter of the audit report. It should present the focus questions and their answers and, where a "no" or qualified opinion is offered, summarise the reason. Finally, it should summarise the general audit opinion, giving brief mention to positive and negative findings.
  4. Executive Briefing
    Provides a summary of the purpose, objectives, assertions, approach, scope, boundary, the overall opinion, key findings and issues arising, and summary of agreed actions.
  5. Objectives and Approach
    Addresses the "How" and "Why" of the review, and defines the assertions on which the conclusions and findings are based.
  6. Scope and Boundary
    Clearly defines the matters covered by the review, and most importantly the matters excluded from the review.
  7. Brief Description of the System Reviewed
    Covers the background to the audit: a description of the program or activity audited, including the purpose of the Section/Systems, the people and organisation structure, the principal activities of the Section/Systems, documents and records (both manual and computer) and the reports produced from and to the Section/Systems. Inclusion of this description facilitates understanding of the issues, and assists other readers to judge whether the report is applicable to their area of responsibilities. It also identifies the Division, Branch and Section audited, and refers to external and other internal audits of the same area in the last two years, with brief mention of their major findings.
  8. Checklist of Findings, Recommendations and Action Plans
    Presents in Landscape form a summary of the findings and recommendations in section 6 under the headings: "Findings" and "Recommendations". Tables include boxes for Action Plans to be referenced or detailed. This section assists in monitoring and following up responses to audit recommendations by the Audit Committee.
  9. Detailed Findings and Recommendations
    Positive and negative findings should be recorded so that the report is balanced. Negative findings (those which suppress an Assertion) should be reported in much greater detail than positive findings (those which sustain an Assertion).

    The findings and recommendations have a standard structure:
    • Observation
      • The observed facts, relevant legislation, directions and industry relevant information.

    • Implications and Risks
      • Assertions suppressed or supported.
      • Principal risks and exposures.
      • Arguments in favour of, or reasons for, the breach and audit's comment.
      • Summation of audit's conclusion as to risk or exposure.

    • For convenience, it is advisable to have the implication and risk on the same page as the relevant finding.

    • Recommendations
      • Numbered, clear, specific and relevant recommendations for action.
      • Where alternatives are identified either by audit or the client they are presented and evaluated.

    • Management Comment
      • Management's response to the issues raised and action taken/to be taken and the officer to whom it is assigned. After discussion and exit interviews, all (or at least practically all) of your recommendations should be accepted by management. If not, you have not done your job correctly!

    Appendices are included as appropriate to:
    • Document systems
    • Checklist Findings and Recommendations with an Action Plan, or Action Plan blank form
    • Report data anomalies detected during testing
    • Explain complex concepts or definitions
    • Provide general discussion of management related issues or management theory which may assist management in decision making

Level of Detail and Alternative Structures

The basic principle is that the method of reporting should be tailored to the situation and the target audience. The standard structure of section 3 should be varied where circumstances, or the needs of the report's audience, dictate. The RIAM Introduction to Internal Audit demonstrates different approaches to reporting. The intention here is not to restrict the method of presentation but to provide a default standard to be used except where approved by Internal Audit management. Other standards may also be adopted from time to time and will be incorporated in the manual. ###INSERT REFERENCE### contains a set of worked example reports.

The first and most relevant variation in the standard applies to the level of detail presented to various levels of management. An "Observation, Implication & Risks, Recommendation, and Management Comment" format as standardised above needs careful use when reporting to senior management. The format is ideally suited to low level or line managers as it focusses their attention on administrative detail. Senior managers, however, have an interest in strategic issues and reports that show an analysis of problems in terms of their risk and root causes.

The second variation to the standard also relates to the level of detail and the level of management to whom the report is targeted. A report usually has multiple management audiences, and the standard above reflects that fact: senior management through line management will find a section that presents the information at the level of detail they require, from executive summary through detailed findings and recommendations. Where the audience is not so widely distributed, a structure with more specific targeting may be appropriate.

Action Plans - The basis for Follow Up

Among the suggested appendices is one that presents either an action plan or a blank form upon which management can write an action plan. The Action Plan either as a blank or completed form has the following features:

  • It provides a checklist of all observations/findings & recommendations in the detailed part of the report. (Watch the detail here - there shouldn't be any!);

  • Matches the findings and recommendations to management's response (action);
    • Presents the detail for the management actions in the form:

| Finding No | Finding | Recommendation | Proposed Action | By Whom | By When | Complete |
|---|---|---|---|---|---|---|

  • Rounds off the report in a way that allows management to pick up on key events and dates for their own review of the progress on implementing changes arising from audits; and

  • Facilitates systems excellence by encouraging the planning and implementation of appropriate corrective action while the issues are still fresh in the minds of management by providing them with the key planning document.

Standards for Reports

General standards for reports are that they should be:

  • Accurate
  • Clear
  • Concise
  • Courteous
  • Simple in style
  • Timely

A detailed discussion of the rules and standards for writing reports is included in Report Writing.

Specifically, the differences between good and bad reports include the following:

| No. | Good Reports | Bad Reports |
|---|---|---|
| 1 | Easy to read | Hard to read |
| 2 | Give background to audit & refer to other audit reports | No background |
| 3 | Conclusions justified | Unjustified conclusions |
| 4 | Technical details in appendix (including method) | Technical details in report |
| 5 | Identifies major & minor findings | Does not identify most important findings |
| 6 | Has views for each major finding | Does not identify views for each major finding |
| 7 | Identifies who is responsible for each action | Does not identify action |
| 8 | Good timing | Bad timing |
| 9 | Recognises multiple audiences | Does not recognise multiple audiences |
| 10 | Has one page executive summary | Does not have executive summary |
| 11 | Reinstates awareness of change process | Does not demonstrate controlled change process |