College of Accounting Education
3F, Business & Engineering Building
Matina, Davao City
Phone No.: (082) 300-5456 loc 137
Big Picture
Week 17-18: Unit Learning Outcomes (ULO): At the end of the unit, you are
expected to:
e. Explain audit report, its functions, objectives and parts.
f. Prepare an operations audit report.
Big Picture in Focus: ULOa. Explain audit report, its functions, objectives and
parts.
ULOb. Prepare an operations audit report.
Metalanguage
The most essential terms below are operationally defined for you to have a better
understanding of this section in the course.
6. Communication – refers to the reporting of findings, observations, and best
practices noted during the review, and developing recommendations for corrective
action.
7. Findings – refers to the documentation of deviations from what was expected; and will
form part of the bases for the audit report.
8. Audit report – refers to the fundamental end product of any audit and the auditor’s
opportunity to get management’s undivided attention.
9. Design – pertains to deficiencies in the design of the program or process. If the
design is not conducive to the achievement of the organization’s objectives and the
enhancement of stakeholder’s value, then there is a design deficiency.
10. Operating – pertains to the deficiencies related to controls that are performing poorly
and/or not acting as designed.
Essential Knowledge
Communication of results is often referred to as reporting. It consists of communicating
findings, observations, and best practices noted during the review, and developing
recommendations for corrective action.
Findings are the documentation of deviations from what was expected and form the
basis for the audit report. The term “finding” is in disuse by an increasing number of auditors
who have found that their clients resent the label and prefer a term that is less controversial.
As such, many auditors are calling these items “observations.” Other auditors reserve the term
“finding” for the more serious reportable conditions and refer to lower risk items as
“observations.”
The AUDIT REPORT is the fundamental end product of any audit and the auditor’s
opportunity to get management’s undivided attention.
FUNCTIONS OF AUDIT REPORT
To alert them to areas where there are defined risk exposures
To support action plans prepared by management
To advise on steps necessary to improve risk management strategies
To assure management that business risks are well-controlled
OBJECTIVES
To recommend change
To provide an insight for management into risk and control issues
To secure action in response to audit advice
To bring problems to management’s attention
To ensure that the results of audit work are clearly documented
To provide assurance to management on their activities
To show managers how their problems may be solved
To provide information about risk management practices
To protect the auditor
ATTRIBUTES OF AN EFFECTIVE AUDIT FINDING
As much as possible, internal auditors should quantify their findings by including
amounts, values, time since when the condition has been occurring, how many individuals or
organizations are affected, the age of assets involved, and so on. It also helps to quantify the
effect or consequence of the finding in terms of monetary value or other relevant factors
related to the finding. To the extent that the auditor documents the criteria, condition, cause,
effect, and recommendation (CCCER) items, the finding will be more persuasive and the reader
will be more likely to be convinced that the problem requires correction.
There are two types of deficiencies:
◾Design. These pertain to deficiencies in the design of the program or process. It means that
the process or program is poorly structured and mechanisms to avoid problems from occurring
are missing or found to be deficient. Recall that one of management’s main responsibilities is
to design the structures, processes, reporting relationships, and accountability frameworks
governing the organization’s operations. With this in mind, if the design is not conducive to the
achievement of the organization’s objectives and the enhancement of stakeholder value, then
there is a design deficiency.
◾Operating. These deficiencies are related to controls that are performing poorly and not
acting as designed. Auditor testing procedures form the basis to determine if the control is
working or not.
Findings should be discussed with the process owners and other relevant stakeholders
before being included in the report. I have found process owners typically appreciate the
courtesy afforded in this procedure, because it gives them an opportunity to discuss the facts
and their implications. It also gives them an opportunity to prepare their response before their
boss finds out about the problem. The third benefit of this practice is that it provides an
opportunity to engage the process owner to discuss possible corrective actions for the issue.
While the CCCER model includes R for recommendation, this doesn’t mean that the
auditor has to formulate every recommendation every time. Auditors may ask their clients
for possible actions, because by not doing so, these two problems will arise:
1. Dependency. When told every time what to do, process owners don’t develop the ability to
think for themselves and identify some possible alternatives to correct the problem. Instead,
they let the auditor do all the work, from problem identification to identification of alternatives,
to the selection of the corrective action. Process owners should evaluate the conditions in their
unit and formulate solutions to the problems presented.
2. Lack of ownership. I’ve encountered many instances over the years where after asking why
certain practices are in place, the response is “the auditor told me to do it.” Recall that
management owns the programs, processes, their objectives, related risks, and controls. All
activities performed should exist because they help achieve the program or processes’
objectives. The auditor’s role is to verify that the design and performance are conducive to the
achievement of those goals. So, saying that “the auditor told me to do it” takes responsibility
away from the process owner and presents the auditor as the de facto owner who has now
instructed operators what to do. A recommendation is a suggestion or proposal and it is up to
the recipient to accept it or not.
It is important to note that this discussion pertains to operational audits, because in the
case of financial or compliance audits, the auditee seldom has the ability to reject a finding
and the related instructions on the corrective action.
Findings and recommendations will be persuasive to the extent that they convince the
reader that there is a real problem that requires correction. This can be achieved through a number
of actions:
1. Quantify as much as possible.
2. Make sure findings are significant.
3. Consider the cost-benefit involved.
4. Use appropriate language.
This can be accomplished by limiting the use of excessively technical language,
including full names rather than acronyms, including footnotes and end notes, adding a
glossary, and using terminology that is often used within the business and more likely to be
familiar to the audit report readers.
1. Use a readable report format.
2. Order of importance. More significant findings should be presented first and
the remaining issues in descending order.
3. Compressing findings.
4. Too lengthy. Findings should be succinct without losing any necessary details.
Internal auditors should be careful not to elaborate excessively on the issue,
or provide unnecessary details.
5. Proper tone. Some internal auditors forget that the purpose of most internal
audit reports is to convince the reader to take action, not to be accusatory or
demeaning to those whose actions failed to meet performance expectations.
Follow-Up
After findings are reported, it is incumbent on both management and auditors
to verify that the corrective actions are in fact applied and the problems fixed as
expected. It does not serve the interest of the organization and its stakeholders for
internal audit findings to be ignored after they are published in audit reports. Since
findings should be significant enough to report them to senior management and the
board, it is incumbent on the organization to take prompt corrective action.
The timeline for when the follow-up should occur depends on the risk
associated with the finding. Normally, follow-ups are made within six to 12 months
after making the findings. For some risks, management should take immediate action
and auditors should check immediately as well. For example, if the organization’s
firewall is inoperative, the extreme risk that this represents warrants immediate
corrective action. Similarly, if there is imminent risk to the safety of employees or the
public, immediate corrective action is required. For most findings, however, the typical
turnover time to implement remedial action and for the auditors to verify the effective
implementation is several months to a year.
A follow-up review means that the auditor is checking to make sure the
corrective action was performed, so it consists of checking what management did to
address the issue reported. In cases where the severity of the observation was low,
and the corrective action was administrative in nature (e.g., preparing or updating
procedures documentation), a review of the item may suffice to close the observation
in the findings database. If the finding is of medium or high severity, it may require a
site visit, selecting a sample of records to test them, or analyzing 100% of the
transactions to verify that a deficiency is no longer present.
Success for internal auditors consists of confirming, upon performing a follow-up
review, that the issue has disappeared. While this positive outcome cannot be
guaranteed, it is the goal that all auditors should pursue as it demonstrates that internal
audit not only identified a problem, but also identified the root cause of the problem,
and the agreed upon corrective action corrected the deficiency. Recurring findings
indicate any of the following troublesome situations:
1. The reported finding was a symptom of something else. So, when corrective
actions were applied, this addressed a symptom or only the affected
records/files, but not the root cause.
2. The corrective action was only temporary and over time, behaviors and
activities returned to their original state. This is caused by poor change
management procedures.
3. There was no commitment to correct the issue and management failed to act
on the observation.
Sources:
Murdock, Hernan (2017). Operational Auditing. Principles and Techniques for a Changing
World. CRC Press.
Tan, J. (2015). Internal Audit: Concepts, Theories and Applications. 1st Edition
Self-Help: You can also refer to the sources below to help you further
understand the lesson:
*Audit Report Guide. https://www.iia.org.uk/resources/delivering-internal-
audit/delivering-internal-audit-findings?downloadPdf=true
*Audit Report Sample 1.
https://www.erawa.com.au/cproot/13983/2/Synergy%20gas%20Performance%20Au
dit%20report.pdf
*Audit Report Sample 2. file:///Users/jadesolana/Downloads/2019_068_pd.pdf
*Audit Report Sample 3. https://www.portseattle.org/sites/default/files/2018-
03/2017_Bell_Harbor%20_WTC.PDF
*Murdock, Hernan (2017). Operational Auditing. Principles and Techniques for a Changing
World. CRC Press.
*Tan, J. (2015). Internal Audit: Concepts, Theories and Applications. 1st Edition