Anatomy of an Audit Report

We will use a simplified audit report format to drive our discussion on audit content. The exact audit report template will vary by an organization’s industry, needs, and type of audit being documented. Often a professional practices group within the internal audit department will set strict standards on the format and content to be used. These strict standards help to maintain consistency across audits and will address any regulatory requirements for the particular industry.

A simplified audit report format will include three report sections, as follows:

  1. Executive summary

  2. Background

  3. Findings and issues

The executive summary section will contain the overall opinion, judgment, or conclusion reached. Audit reports are an assessment of the overall health of the control environment being assessed. The executive summary is a holistic view considering all the controls within the environment being assessed. The executive summary is not used to showcase how an audit was performed but to quickly capture the conclusion of the auditor.

Getting the right tone is essential. Remember that an executive summary is a persuasive argument to motivate leadership into corrective action. If the tone of the audit report does not substantially match leadership perception of risk, then the auditor’s findings may be ignored.

It is rare for every control within an environment to fail an audit assessment. It is important to put the risk in its proper context. Equally important, take the time to give credit for the parts of the control environment that are working effectively. When possible, use precise data measurement to size the risk for leadership. Let’s consider the tone of these two statements:

  • 10% of the transactions failed to process, which could lead to [impact statement]

  • 90% of the transactions were properly processed [impact statement]

This is the art of creating a persuasive argument, and it comes with experience. Putting the risk in the correct context through a balanced story sets the right tone. In both examples the impact statement is important to help management understand the consequences if corrective action is not taken. A subtle difference in wording and tone goes a long way in building partnership and credibility. It can help an auditee’s mindset shift from a perception that the audit is criticizing their work to one in which the audit is trying to improve the control environment and build upon their success.

The reasons for an unfavorable overall opinion must be stated. Auditing is said to be about contrast. An audit often contrasts the target state with the current state, for example, testing whether the currently deployed control is compliant with current policies or an industry framework. In this example, the gaps between the deployed control and the policy are the reason for the unfavorable opinion.

A strong reference target state for your opinion will make the audit report more persuasive. Examples of a strong reference target state are internal policies, regulatory requirements, industry norms, known information security vulnerabilities, and business objectives. Clear and concise evidence on control gaps against these authoritative sources adds to the credibility and persuasiveness of the audits.

When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization. The opinion must be based on reliable, relevant, and evidenced information. Formulating such an opinion requires attention to the following:

  • Impact of noncompliance—the urgency of remediation

  • Opinion is objective, fair, impartial, and unbiased

  • Opinion is balanced and considers mitigating and compensating controls

  • Clear and concise—can the risk be explained in business terms, avoiding unnecessary technical language?

The background section will contain more structured data than the executive summary. Think of the background more like an appendix in a book. It contains supplemental material that can be useful for readers who are not familiar with the subject or the audit engagement details.

The background section contains the details on the following:

  • Scope—This details the processes and controls that were examined during the audit. For example, an audit may review the access management (AM) control environment.

  • Scope exclusions—This covers any processes and controls that were excluded from the scope, for example, if AM for vendors was excluded.

  • Time period—This refers to the point in time under audit examination, for example, the AM control environment as it existed from January 2021 to December 2021.

  • Control environment—This is a high-level description of the control environment.

The control environment description would help any reader who is not familiar with the business or processes being assessed. This could include a description of the accountable business units, past regulatory issues, and recent technology changes and migrations.

The background section is intended to put the audit report’s observations and opinions in context. Let’s suppose a business has just built a brand new data center and a number of the processes are not fully working. This may be considered less significant given the industry and management’s expectation of a burn-in period needed to get operations fully functional. Conversely, suppose an existing data center facility with a stellar track record of performance begins to have processing failures. In the latter example, management may consider the processing failures and noncompliance gaps more concerning.

The findings and issues section will contain the individual observations that rise to the level of audit findings. Each audit finding details the observations and includes an opinion on the root cause. Audit issues with high impact on the organization are usually referenced in the executive summary; the underlying detail and description of the finding belong in the findings and issues section.

This section describes in detail the rationale for the noncompliance, any authoritative sources referenced, and the root cause of the failure. Clarity and precision in audit observations are essential to understanding what went wrong, and each observation must be clear about the impact to the organization if the issue is not remediated. The audit issue must be constructed precisely and clearly so that management can act on remediation.

The root cause is critical to get right for management’s remediation to be effective. The root cause is what leads to the defect and the noncompliance. For example, if someone failed to take action, was it due to inadequate training, poor management oversight, or a design flaw within an application? Understanding the root cause of an audit issue allows management to formulate an action plan that permanently fixes the defect.

Evidence highlighted in the audit issue substantiates your professional audit opinion. The auditor must assess the nature, competence, sufficiency, and evaluation of the audit evidence to determine its accuracy. An audit finding must be relevant, and the evidence must be reliable. Consider the old saying, “all poodles are dogs, but not all dogs are poodles.” Be sure the evidence presented in your audit issue is directly relevant to the conclusion and opinion being asserted.
