Responsible companies need to maintain the critical attributes of accountability, consistency and transparency to uphold the confidence of investors, regulators, clients and the public. Accounting and risk professionals know that the best way to ensure these qualities is through a continuous, comprehensive audit program.
Most auditors are committed to conducting thorough, high-quality audits and have high standards for the actual inspection. However, the audit report produced after the examination is itself a vital part of the process. In short, quality audit reporting procedures should be a high priority.
Audit Reporting Tips
Audit reporting best practices demand an honest and straightforward accounting of the results of an exam. This is especially true when auditing financial statements, but it applies to all business segments and all departments that are subject to internal audit.
Remember the Five “Cs”
Any audit finding or observation that is significant enough to be included in the final report needs to be backed up and documented. The Institute of Internal Auditors recommends using “The Five Cs” of audit reporting:
- Criteria
- Conditions
- Cause
- Consequence
- Corrective Action
Let’s take a quick look at each of the five Cs individually.
- Criteria. Criteria refer back to the original reasons why a particular item was audited. The specific section of the company’s audit reporting policies that called for the examination should be noted or, if applicable, the other reason the audit was performed (such as a specific request by management). Including criteria gives much-needed context to the findings.
- Conditions. In audit reporting risk management, the conditions surrounding an observation provide valuable context and background to the findings. Accountants should keep in mind that some people reading the audit report will be unfamiliar with the mechanics of one or another part of the business. Including conditions in the report simply means explaining why a finding is included.
- Cause. If an auditor can determine the root cause of a finding, that cause should be included in the report. This is true even if disclosing a “cause” means assessing “blame.” Fixing a problem must begin with finding the cause. This can be the most difficult “C” of all five “Cs,” but it’s important if you want to avoid audit reporting risks.
- Consequence. The word consequence here refers to potential consequences as well as actual consequences that may have already happened. The auditor’s job is to bluntly state what did happen as a result of the finding or what could happen if the finding isn’t corrected. To get management’s attention, it’s helpful to state consequences in dollars and cents.
- Corrective Action. Accounting, risk and audit professionals are not necessarily “hands-on managers” who can set company policy or direct the actions of employees. That said, their experience and knowledge give them valuable insight into how to fix problems. All findings should include suggestions for resolving the issue at hand and steps to ensure that it doesn’t happen again.
Issue the Audit Report ASAP
Time is of the essence in the audit reporting procedure. Management will want to see the results as quickly as possible after an examination is concluded. In some cases (as for public companies), federal and state regulations demand timely reporting.
If problems are found, any delay in reporting means a delay in implementing a solution. In the meantime, money is being wasted, and profits are being lost. It is a best practice to write a "preliminary" audit report while the audit is ongoing so it can be issued as soon as possible.
Be Concise
Writing an audit report takes skill and tact. The trick is to include enough accurate, important and relevant information to demonstrate the magnitude and importance of a finding without bogging down the reader (who may not be familiar with technicalities). In general, short should be the rule. If officers, directors or regulators need more information, it can be provided in subsequent reports that can be produced on request.
Prioritize Observations by Rating Findings
It is a foundational accounting best practice that all internal audits include a final, written report. This should come as no surprise to seasoned risk and audit pros. It is (or should be) a best practice to rate (prioritize) all findings an audit produces and to rate the overall effectiveness and efficiency of the audit itself.
The reason we believe findings should be rated is to provide officers, directors and managers with the information they need to prioritize the corporate response and corrective actions. Obviously, the most pressing problems with the costliest consequences should be dealt with first. The audit report should highlight items the accounting team thinks are the most treacherous to the bottom line and the company’s reputation.
In our Audit Report Rating Memo, we recommend that each finding be placed into one of the following categories.
- High Risk
- Control Weakness
- Process Enhancement
We would note, however, that different companies use different rating systems. Many organizations use a letter-based rating system based on the grading system used in the schools that we all grew up in. An “A” might correspond to what we call “high risk,” while a “C” might be equivalent to our Process Enhancement category. That’s why our Audit Report Rating Memo (along with all our tools, audits, checklists and training) is fully customizable and adapts easily to our clients’ needs.
Regardless of how you choose to denote the ratings, the important thing is that findings and observations are rated. High-priority items must be pointed out to key decision-makers.
High Risk
To be considered a high-risk finding, an item should meet several (but not necessarily all) of the following criteria:
- Potential for significant losses and/or misappropriation
- Repeat findings that have not been addressed
- Error in financial reporting
- Improper or lack of segregation of duties
- Lack of management oversight and/or authority
- Potential for serious legal jeopardy
- Representative of a pattern of policy violations
- A significant or particularly egregious policy violation
Control Weakness
The category “control weakness” is the place for moderate risk items. They might include the situations below:
- A weakness in internal controls that is compensated for (by duplication) in other controls
- A problem that has the potential for creating loss or misappropriation in the future
- Segregation of duties issues that cause inefficiency but not an immediate danger
- Policy violations of a lesser significance
- Items that might hinder accurate financial reporting
- Lack of clear or comprehensive policy directives
- Minor misappropriations
Process Enhancement
This category is for low-risk items that, nonetheless, should receive attention.
- Failure to reach objectives
- Suboptimal segregation of duties
- Lack of or inefficient (slow) approval authority
- Internal controls that need improvement
- Suggestions for better decision making
- Controls that need updating or re-engineering
Rating the Audit
Rating the overall efficiency and effectiveness of the audit itself has become so popular in mid- to large-sized companies that it is now considered an audit report best practice by many accounting departments. Individual findings should be rated and dealt with individually. The overall audit rating should be a broad-based assessment of the health of the department being audited. Our tool calls for a four-tier audit rating scale.
- Strong
  - Objective achieved
  - Good compliance with policies and procedures
  - Sound internal controls
  - Adequate segregation of duties
  - Adequate supervision
  - Very few (if any) high-risk findings
- Satisfactory
  - Most (not all) objectives achieved
  - Sufficient internal controls
  - Sufficient management oversight
  - Findings are easily addressed
- Needs Improvement
  - A concerning number of objectives not achieved
  - A concerning lack of management oversight
  - Follow-up action will be necessary
- Unsatisfactory
  - Failure to achieve objectives
  - Lack of compliance with policies and procedures
  - Poor segregation of duties
  - Severe lack of management oversight
  - Internal controls not being adhered to
  - Immediate follow-up recommended
  - Substantial risk of near-term financial losses
Use the Tools Available to You
Proper audit reporting can seem like an overwhelming task, but it doesn’t have to be. Finishing the audit process by completing a high-quality, professional report is made much easier by utilizing the tools, memos, checklists, informative articles and training that are available to subscribers to KnowledgeLeader.
We encourage you to visit our website and contact us with questions. We’re experts in risk, audit and accounting and have the tools and documents you need to do your job more effectively.