The audit report should serve the fundamental purpose of informing, persuading, & getting the desired improvements implemented.
◆ Inform the audience with required background, evidence, and conclusions of the issues. ◆ Persuade the audience on the impact of risks & concerns on the business in case adequate mitigation / control measures are not implemented. ◆ Obtain feedback from the management in the form of agreed corrective action plan with target dates & person responsible.
Defined the objectives of your audit:
Tell your audience; what were the audit objectives, which include assurance of control effectiveness, mitigation of risks, achievement of business objectives, operation efficiency, cost effectiveness, etc.
At this point you can also highlight specific concerns raised by management for the area being audited.
Define the audit scope:
Summarize the scope of the audit in bullet points & the testing plan. List the bullets in order of process flow & criticality. It is advisable here to specify things that were not covered by the scope to make things pretty clear.
Findings:
Summarize all internal audit findings along with the reasons & root causes that lead to the issue. Also specify the risks resulting out of the finding & control weaknesses & its likely impact on the business operations.
Rate the findings based on the criticality of the risks such as serious / high / medium / low & arrange the most critical findings first & the least critical last in your report. This also ensures that reasonable amount of discussion time is contributed to critical issues.
Recommendations:
Present recommendations in sync with the business objectives of the organization audited. Also mention the corrective action plan set out by the management based on the findings & recommendations.
Follow-up:
Conduct a follow-up review based on the agreed corrective action. Report an appropriate opinion based