Internal Audit Best Practice – Audit Report Writing

APRIL 2016 – DEAN JONES CONSULTING

Presenter Experience

A results driven, detailed orientated, customer-focused risk and control management professional with extensive experience in planning, supervising and completing internal audits. Experience in insurance, banking, investment management, retail and with local authorities in the United Kingdom, Switzerland, Canada and the United States. An understanding of, and experience with, accounting practice and principles, GAAP, GAAS, SOX and IT knowledge and practice. In addition to exceptional written and verbal communication skills, the presenter has demonstrated effective leadership and development of Internal Audit personnel.Having recently launched a new business, Dean Jones Consulting, provides training solutions to businesses and individuals.

Agenda This presentation will focus on the art of writing

a best practice Internal Audit report. We will cover the following:

Purpose of the report Recap of the fieldwork Closing meeting(s) Format of the report Spelling and Grammar Review and delivery Readership of the final report

Purpose of the Report

The purpose of the Internal Audit report is to communicate to those on the approved distribution list, the:

Scope of the audit Summary of the area reviewed Timing of the audit Conclusions and results of the Audit Actions recommended/agreed Action owners

Recap of the Fieldwork

The successful completion of the fieldwork is key to the production of a quality report. Actions taken at the end of the fieldwork include:

Draft summary of each finding Communicate the test results Hold closing meeting(s) Document result of the closing meeting(s)

Closing Meeting(s)

For a successful closing meeting the following should be included:

Clearly defined agenda Direct and to the point Respectful of business management time Document the outcome of the meeting Send minutes to attendees

Format of the Report

While there are differences in the specific layout of reports used by different Audit functions across the profession, based on the presenter’s past experience the recommended layout is as follows:

Executive Summary Findings/actions Appendix

Executive Summary

The Executive Summary includes:

To/From/Title Background and scope Conclusion Distribution list (regular and specific to the audit)

Findings/Actions The following are included in the findings

section of the Audit report:

Recommendations/Actions Reference number Impact Levels Findings Recommendation/Actions Due Dates Responsible Persons

Appendix

It is suggested that an appendix of the report could include two specific documents:

The first would explain how the overall conclusion ratings are reached.

The second would explain how the individual ratings applied to each action are reached.

Both of these would be used to ensure consistency with all the Audit reports issued.

Spelling and Grammar

Important issues to consider when writing the report include:

Ensure that all spelling/grammar is correct Consider overseas readers Have another auditor proofread the report Don’t over complicate the language Don’t use jargon Learn from experience Language should be concise

Grammar The following are areas where mistakes could be

made:

Wrong tense/inconsistency Incorrect punctuation Misuse of capitalization Incorrect sentence structure Incorrect application of spelling out numbers Colloquial language Acronyms not spelled out Unnecessary technical language

Review of the Draft Report

There are two review stages. The first by Audit Management and the second by the relevant business management.

The first review should be completed within the pre-determined timescales to ensure that the draft report is issued in a timely manner.

The second reviews also have accompanying timescales communicated to the individuals in the business reviewing the report.

The timescales for review are in place to ensure that the draft report remains valid and/or high impact actions are addressed and commitment to address them is captured in the final Audit report.

These timescales are initially communicated when sending the audit announcement.

For performance purposes copies of the reviewed report with comments should be retained from both reviews.

Delivery of the Draft Report

Upon completion of the review of the draft report by Audit management, it must be:

Delivered on time to the applicable individuals to remain relevant.

Sent in the required format which could be either MS Word or PDF.

Delivered to a subset of those on the distribution list, i.e. most appropriate to respond to the recommended actions.

Sent to those on the distribution list by regular or specific to the audit completed.

Stored in a secure area which can only be accessed by Internal Audit staff.

Delivery of the Final Report

Comments on delivery to consider:

Consider how the report is to be delivered. With email you can prevent direct redistribution, although anyone receiving the report could send it using a separate email. Whereas using the internal post is less secure with no confirmation of delivery as with email.

The format of the report when sending by email can be set to MS Word or PDF. By sending as PDF, this can prevent any changes to the report.

Readership of the Final Report

The following are those expected to read/receive the final report:

Audit Committee(s)/Audit Management C-Suite Operational/Financial/IT Management Regulatory Compliance function Corporate Law function Enterprise Risk Management External Auditors

Agreed Actions

The agreed actions (those agreed recommendations/actions) should be stored in a secure area on the Audit drive.

High and medium impact actions should be followed up on a monthly basis until they are closed.

There may be instances in which testing is completed to verify that the high and medium impact actions have been completed by their implementation date.

Review Process/Feedback

Feedback should be sought from the management of the area(s) audited. This feedback should be acknowledged and captured to allow improvements to be made, where possible to the reporting process. Examples include:

Accuracy and readability of the report Timeliness of the draft and final reports Usefulness of the final report Ability to implement the agreed actions

Thanks and Feedback

Thank you for your interest. To ensure that the presentation is as beneficial as possible could you let me have any comments you have on the following:

Topic was relevant Organized and easy to follow Experience helpful Objectives met Trainer knowledgeable in topic

Please complete the short survey using the following link. https://www.surveymonkey.com/r/2H2XDGR Your input is appreciated.

Contact Details

The following are the presenter’s contact details:

Dean Jones Consulting, 2406 Colony Park Drive, Birmingham, AL 35243

Email: deanjones1368@aol.com Website: www.deanjonesconsulting.com Telephone: 224 725 9953