50
Chapter 7 Audit Report Lesson 1

Chap07 Audit Report - Lesson1

Tags:

Embed Size (px)

DESCRIPTION

asdas

Citation preview

Chapter 7 Audit Report

Chapter 7 Audit ReportLesson 1Communication of the results of assurance and consulting engagement is an integral part of any assurance and consulting engagement due to various demands by the board, management, and other stakeholders to provide opinions as part of each adding value services on the overall adequacy of governance, risk management and control within an organization. International Professional Practices Framework (IPPF) or the IIA Standard requires internal auditors to communicate the results of engagement and occurs on an ongoing basis as the engagement progresses.

Examples of Internal Audit OpinionThe IIA Practice Guide on Formulating and Expressing Internal Audit Opinions issued in 2009 enumerates the following examples of internal audit opinion that the IAA may be requested to provide: An opinion on the organizations overall system of internal control over financial reporting. An opinion on the organizations controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries. An opinion on the effectiveness of controls such as budgeting and performance management when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organizations assets, resources, revenues, etc. Examples of Internal Audit OpinionThe IIA Practice Guide on Formulating and Expressing Internal Audit Opinions issued in 2009 enumerates the following examples of internal audit opinion that the IAA may be requested to provide: An opinion on an individual business process or activity within a single organization, department, or location. An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit. An opinion on the organizations compliance with policies, Laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units. Based on the above enumerations, persuasive communication is an essential skill for auditors at all levels, and high-quality audit reports are a key communication tool to truly add value to an organization.Consequently, communications must be accurate, objective, clear, concise, constructive, complete, and timely (IIA Standard 2420).This allows the internal audit function to make sure the facts are accurate and also initiates dialogue regarding the best method of remediation for identified observations.

Results are communicated throughout the span of the engagement using various forms of communications, including memoranda, outlines, discussions, and draft working papers. audit reportthe final engagement communication is often referred to as is the formal way an internal audit function communicates the results of an engagement to management and other appropriate parties relying on the engagement outcomes. The primary product of an IAA is the internal audit report in which the internal auditors express their opinions, present the audit findings and discuss the audit

recommendations as a way of adding value to the organization by providing a reasonable assurance whether or not the organization is running well and whether effective controls are in place.

The audit reports produced by internal auditors are very different from the reports generated by external auditors. They do provide an opinion on the fairness of presentation of the financial statements.Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management.

Although the format and content of the audit final communications may vary by organization or type of audit, they should contain, at a minimum, the purpose, scope, and results of the audit.

An audit report may have an executive summary, a body that includes the specific issues or findings identified and related recommendations or action plans, and appendix information such as detailed graphs and charts or process information.

QUALITY OF AUDIT COMMUNICATION (IIA Standard 2420)AccurateObjectiveClearConciseConstructiveCompleteTimely Communications must be:QUALITY OF AUDIT COMMUNICATION (IIA Standard 2420)AccurateCommunications are free from errors and distortions and are faithful to the underlying facts. The manner in which the data and evidence is gathered, evaluated, and summarized for presentation should be done with care and precision.

ObjectiveCommunications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances. Observations, conclusions, and recommendations should be derived and expressed without prejudice, partisanship, personal interests, and the undue influence of others.

QUALITY OF AUDIT COMMUNICATION (IIA Standard 2420)ClearCommunications are easily understood and logical clarity can be improved by avoiding unnecessary technical language and providing all significant and relevant information.

ConciseCommunications are to the point and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness. They are created by a persistent practice of revising and editing a presentation.The goal is that each thought will be meaningful but succinct.

QUALITY OF AUDIT COMMUNICATION (IIA Standard 2420)ConstructiveCommunications are helpful to the audit client and the organization and lead to improvements where needed. The contents and tone of the presentation should be useful, positive, and welt-meaning and contribute to the objectives of the organization.

CompleteCommunications are lacking nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.

Timely Communications are well-timed, opportune, and expedient for careful consideration by those who may act on the recommendations. The timing of the presentation of audit results should be set without undue delay and degree of urgency and so as to enable prompt effective action.

COMPOSITION OF THE REPORT(IIA Standard 2410)1. The engagements objectives and scope 2. Applicable conclusions, opinion, or audit findings/observations 3. Recommendations4. Action plans or corrective action.

COMPOSITION OF THE REPORT1. The engagements objectives and scope Sufficient background information on the audit entity should be provided to understand the context and significance of the audit report. Scope is the area or process subject to the engagement and its corresponding business objectives, related risks, and control activities. Likewise, the audit scope should state what was and was not included in the examination and specifies the period of time represented by the activities examined. Under Practice Advisory 2410-1, scope statements should identify the audited activities. Additionally, the related activities not reviewed should be identified, if necessary, to delineate the boundaries of the engagement. The nature and the extent of engagement work performed also should be described. The period of operations covered by the engagement scope typically either as a point of time or a period of operations that is in the past.COMPOSITION OF THE REPORT:2. Applicable conclusions, opinion, or audit findings/observations Conclusions and opinions are the internal auditors evaluations of the effects of the observations and recommendations on the activities reviewed. They usually put the observations and recommendations in perspective based upon the overall implications. Engagement conclusions, if included in the engagement report, should be clearly identified as such (Practice Advisory 2410-1). Audit opinion or conclusion must take into account the expectations of senior management the board, and other stakeholders and must be supported by sufficient reliable, relevant, and useful information otherwise known as sufficient and appropriate evidence. Internal auditors may report that their engagements were conducted in conformance with the International Standards for the Professional Practice of Internal Auditing (ISPPIA or IIA Standard), only if the results of the quality assurance and improvement program support the statement.

Conclusions may encompass the entire scope of an engagement or specific aspects. They may cover, but not limited to, whether operating or program objectives and goats conform with those of the organization, whether the organizations objectives and goals are being met and whether the activity under review is functioning as intended. IIA Standard 2410.A2 internal auditors are encouraged to acknowledge satisfactory performance in engagement communications (audit client accomplishments, related issued and supportive information).

COMPOSITION OF THE REPORT:2. Applicable conclusions, opinion, or audit findings/observations If a CAE issues an opinion, the CAE needs to consider the scope of the audit work, the nature and extent of audit work performed, and evaluate what the evidence from the audit means concerning the adequacy of internal controls. Such an opinion should express clearly: The evaluation criteria and structure used. The scope over which the opinion applies. Who has responsibility for the establishment and maintenance of internal controls. The specific type of opinion being expressed by the auditor. During consulting engagements, governance, risk management and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board. COMPOSITION OF THE REPORT:2. Applicable conclusions, opinion, or audit findings/observations BASIS OF AUDIT OBSERVATIONSAudit Findings and recommendations should be based on the following attributes: a) Criteriab) Condition c) Cause d) Effect

BASIS OF AUDIT OBSERVATIONS: a) CriteriaThe standards, measures, or expectations used in making an evaluation and/or verification. Auditors should have a means of measuring or judging the results and impact of matters identified on an audit. This can be achieved through the development of a criteria framework. Suitable criteria are factors that are relevant and appropriate to the particular characteristics of the audited organization and against which actual outcomes can be objectively assessed. They focus on the results expected to be achieved by systems of internal controls and ideally, are established before the execution of the overall audit plan.

BASIS OF AUDIT OBSERVATIONS: a) CriteriaThese criteria should be relevant reliable, neutral, understandable, and complete.In the absence of such principles, it is recommended that internal auditing should not render an opinion, since there is no frame of reference to objectively support the internal auditors conclusion.BASIS OF AUDIT OBSERVATIONS: a) CriteriaIn establishing suitable criteria, it is important for the IAA to determine whether the organization has established basic principles as to what constitutes appropriate governance, risk management and control practices. This would include: A clear articulation of the definition of control adopted or used by the organizationfor example, has the organization adopted the COSO or CoCo model? Managements understanding of what would constitute a satisfactory level of control. For example, satisfactory could mean that 90% (or another acceptable percentage) of transactions within one control objective are conducted in accordance with established control procedures; alternatively, it could also mean that 85% (or another acceptable percentage) of overall controls are working as intended. A clear articulation by management of its risk tolerances (Refer to Chapter 5) or appetite, including materiality thresholds.

BASIS OF AUDIT OBSERVATIONSb) ConditionThe factual evidence that the internal auditor found in the course of the examination (what does exist). c) CauseThe reason for the difference between the expected and actual conditions (why the difference exists). d) EffectThe risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference) in determining the degree of risk or exposure, internal auditors should consider the effect their audit observations recommendations may have on the organizations operations and financial statements.

BASIS OF AUDIT OBSERVATIONSEach observation contains a statement of the condition (the situation supported by audit evidence), the criterion, the cause, the effect and a recommendation. Persuasive evidence is presented in support of each audit observation. The impact of negative observations is quantified where possible but otherwise presented in a compelling argument including an analysis of potential risks. Positive observations and conclusions are provided where warranted.

BASIS OF AUDIT OBSERVATIONSAudit client accomplishments (satisfactory performance), in terms of improvements since the last audit or the establishment of a well-controlled operation, may be included the audit final communications. This information may be necessary to present the existing conditions and to provide a proper perspective and appropriate balance to the audit final communications.

Interim Reports Communication of audit result occurs on an ongoing basis as the engagement progresses. Consequently, interim reporting in internal audit is allowed. Interim reports may be written or oral and may be formal or informal. Interim reporting may be used to communicate information that requires immediate attention, to communicate a change in audit scope for the activity, undo review, or to keep management informed of audit progress when audits extend over a long period.The use of interim reports does not diminish or eliminate the need for a final report. The form and contents of interim report will vary depending upon the nature of the engagement and the needs of the client.TYPES OF AUDIT OPINIONThe IIA Practice Guide identifies the types of internal audit opinion as follows: 1. Positive opinion 2. Negative opinion 3. Qualified opinion 4. Disclaimer of opinion

POSITIVE ASSURANCE (Reasonable Assurance) Positive assurance is one of the strongest types of audit opinions. In providing positive assurance, the auditor is taking a definite position on the strength of the internal controls. Consequently, a positive assurance opinion requires the highest level of evidence. It implies not only whether controls/risk mitigation processes are adequate and effective, but also -that sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified. The auditor takes full responsibility for the sufficiency of the audit procedures to find what should have been reasonably found by a prudent auditor

Positive assurance opinions provide the reader a high level of confidence (but not absolute) and comfort in the reliability of the underlying information. As such, internal audit activities are often requested to provide such positive assurance opinions.Varieties of a positive assuranceBinary internal controls are or are not appropriate in the situationfor example: internal controls are satisfactory or unsatisfactory, effective or ineffective, etc. Gradedthe effectiveness of internal controls is rated using a grading systemfor example: red-yellow-green, 1-2-3-4-5, etc. Directional provides additional information about the direction of the opinion since a previous reportfor example Satisfactory, but diminished since last year. NEGATIVE ASSURANCE (Limited Assurance)Negative assurance is a statement that nothing came to the auditors attention that would indicate inadequate internal controls. Negative assurance opinionmerely states that the internal auditor has not seen problems based on the work performed. The auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all concerns or issues. Such an opinion is less valuable than a positive assurance opinion as it provides limited assurance that sufficient evidence was gathered to determine whether internal controls were inadequate.

NEGATIVE ASSURANCE (Limited Assurance)Situations where a negative assurance opinion may be appropriate include: Work is being performed on a rotation basis across many audit units with the scope of the work performed based on work in multiple audit units. In this case, a negative assurance opinion may be appropriate on the individual units. However, the combination of the evidence from all the units may be sufficient to express a positive assurance opinion on the group of units. Resources devoted to the audit were limited such that the amount of audit evidence required to support a positive assurance opinion was not obtained. In this case, the negative assurance opinion should clearly state the extent of work performed.

QUALIFIED OPINIONAn opinion can be qualified with specific findings that contradict the overall opinion.Qualified opinions can be useful in situations where there is an exception to the general opinion. For example, the opinion may indicate that controls were, satisfactory, with the exception of accounts payable controls, which require significant improvement3. Recommendations The recommendations in an internal audit report are designed to help the organization achieve its goals (Adding Value to the organization), which may relate to operations, financial reporting or legal/regulatory compliance may suggest approaches to correcting or enhancing performance as a guide for management in achieving desired results. Recommendations may be general or specific.

3. Recommendations Audit findings and recommendations may relate to effectiveness (La, whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs). particular assertions about transactionssuch as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.

4. Action plans or corrective action. This portion of the report should present what should management do about the findings. What have they agreed to do and when?Recommendations flow logically from observations and causes, are specific and cost- effective, and are directed to specific positions or individuals with the authority to act upon them.

DISSEMINATING RESULTS (IIA STANDARD 2440) CAEmust communicate results to the appropriate parties. is responsible for communicating the final results to parties who can ensure that the results are given due consideration. If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization , the CAE must Assess the potential risk to the organization; Consult with senior management and/or Legal counsel as appropriate; and Control dissemination by restricting the use of the results.

DISSEMINATING RESULTS (IIA STANDARD 2440) When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. If a final communication contains a significant error or omission, the CAE must communicate corrected information to all parties who received the original communication. DISSEMINATING RESULTS: Errors and Omissions If it is determined that a final audit communication contains an error, CAE should consider the need to issue an amended report identifying the information being corrected. The amended audit communications should be distributed to all individuals who received the audit communications being corrected (IIA Standard 2421). An error is defined as an unintentional misstatement or omission of significant information in a final audit communication.Sufficient background information on the audit entityis provided to understand the context and significance of the audit report. The audit Objectives and the related criteria used to arrive at observations and conclusions are stated. The audit scope states what was and was not included in the examination and specifies the period of time represented by the activities examined. The timing of the audit the methodology employed, and the professional standards followed are described. If appropriate, disclosure is made if any parts of the engagement were affected by non-compliance with professional standards. CHECKLIST FOR REVIEWING AUDIT REPORTS: The Substance of the Report (body of the report)Detailed audit observations relate to the stated objectives and criteria and logically support overall opinions and conclusions. Each observation contains a statement of the condition (the situation supported by audit evidence), the criterion, the cause, the effect and a recommendation. Convincing or persuasive evidence is presented in support of each audit observation. The impact of negative observations is quantified where possible but otherwise presented in a compelling argument including an analysis of potential risks.

CHECKLIST FOR REVIEWING AUDIT REPORTS: The Substance of the Report (body of the report)Recommendations flow logically from observations and causes, are specific and cost-effective, and are directed to specific positions or individuals with the authority to act upon them. A conclusion, or a statement of inability to conclude, is provided for each audit objective and is supported by convincing evidence and analysis. As appropriate, a statement of assurance is provided. Positive observations and conclusions are provided where warranted. Appendices included in the report add value in understanding the engagement results. CHECKLIST FOR REVIEWING AUDIT REPORTS: The Substance of the Report (body of the report)The executive summaryprovides a brief overview of the audit entity, reiterates the audit purpose, objective, and scope, references the audit criteria and methodology, and repeats the opinions or conclusions with respect to each objective and with respect to the overall engagement if provided. The statement of assurance is referenced or reiterated, as appropriate.

CHECKLIST FOR REVIEWING AUDIT REPORTS: The executive summaryThe table of contents establishes the layout and structure of the report and correctly represents headings and page numbers in the body of the report. Headings and text styles (e.g. italics, boldface, font size) are used effectively and consistently to draw the readers attention, e.g. topic or lead sentences, highlighted recommendations. Charts and other exhibits are referenced in the report and appropriately labeled. Paragraph and sentence structure support understanding, e.g. single topic or issue, concise, logical Initialisms and acronyms are explained or defined upon their first use. CHECKLIST FOR REVIEWING AUDIT REPORTS: The Style of the Report Language usage and terminology is appropriate to the intended audience(s), e.g. the active voice is used and jargon and overly technical terminology are avoided or ?A balanced tone is maintained. Grammar and spelling are correct. Appendices are presented in a uniform format and are referenced in the body of the report. Overall, the report is clear and concise - the important findings, recommendations, and conclusions are evident. CHECKLIST FOR REVIEWING AUDIT REPORTS: The Style of the Report DISCLOSURE OF NONCONFORMANCE (IIA STANDARD 2431)When, nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the: Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved; Reason(s) for nonconformance; and Impact of nonconformance on the engagement and the communicated engagement results. DISCLOSURE OF NONCONFORMANCE (IIA STANDARD 2431)When, nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the: Principle or rule of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved; Reason(s) for nonconformance; and Impact of nonconformance on the engagement and the communicated engagement results.

MONITORINGCAEmust establish and maintain a system to monitor the disposition of results communicated to management. must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. IAAmust monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

MONITORINGExternal Service Provider and Organizational Responsibility for Internal Auditing When an external service provider serves as the IAA, the provider must make the organization aware that the organization has the responsibility for maintaining an effective IAA. This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Summary


Arny chap07

Arny chap07

Education
Lesson1 Blockbuster

Lesson1 Blockbuster

Documents
Acc102 chap07 publisher_power_point

Acc102 chap07 publisher_power_point

Education
Chap07 Project Cost Management

Chap07 Project Cost Management

Documents
Heat Chap07-073.doc

Heat Chap07-073.doc

Documents
Appraising And Managing Performance -Chap07

Appraising And Managing Performance -Chap07

Documents
Chap07 interval estimation

Chap07 interval estimation

Technology
Thermo 7e SM Chap07-1

Thermo 7e SM Chap07-1

Documents
Heat Chap07-099.doc

Heat Chap07-099.doc

Documents
SAD Chap07 Last

SAD Chap07 Last

Documents
Uc14 chap07

Uc14 chap07

Education
Heat Chap07 035

Heat Chap07 035

Documents
Plant Lesson1

Plant Lesson1

Documents
Lesson1 Contestada

Lesson1 Contestada

Education
Chap07 Fundamental Economic Concepts

Chap07 Fundamental Economic Concepts

Education
Heat Chap07-001.doc

Heat Chap07-001.doc

Documents
Chap07 Maximal Flow

Chap07 Maximal Flow

Documents
Chap07 LifeCycle Methode

Chap07 LifeCycle Methode

Documents
Thermo 5th Chap07 P184

Thermo 5th Chap07 P184

Documents
Hrm10e Chap07

Hrm10e Chap07

Documents
Chap07 Respiratory

Chap07 Respiratory

Documents
Heat Chap07 052

Heat Chap07 052

Documents
Heat Chap07 073

Heat Chap07 073

Documents
Heat Chap07 001

Heat Chap07 001

Documents
Hoch Lesson1

Hoch Lesson1

Documents
Lesson1 Introduction

Lesson1 Introduction

Documents
Trans Sys Chap07

Trans Sys Chap07

Documents
Heat 4e SM Chap07

Heat 4e SM Chap07

Documents
981 Chap07 Biz (Final)

981 Chap07 Biz (Final)

Documents
Heat Chap07-052.doc

Heat Chap07-052.doc

Documents