(e) Other matters related to the conduct of the audit which are to be communicated to the independent directors under generally accepted auditing standards. (c) Any changes required in planned scope of their audit plan.
Appendix A
Audit Review Responsibilities List
Responsibility 1. The independent directors will meet with the external auditor bi-annually. 2. Provide an open avenue of communication between the independent auditor and finance management. Report independent director actions to the Board with such recommendations as the independent directors may deem appropriate. 3. Provide oversight of the independent auditor and resolve any disagreements between management and the independent auditor about financial reporting. 4. Confirm annually the independence of the independent auditor, and review the firm's non-audit services and related fees. 5. Inquire of management and the independent auditor about significant risks or exposures and assess the steps management has taken to minimize such risk to the Company. 6. Review with the independent auditor and finance management the audit scope and plan, and coordination of audit efforts to assure completeness of coverage, reduction of redundant efforts, the effective use of audit resources, and the use of independent accountants other than the appointed auditors of the Company. 7. Consider and review with finance management and the independent auditor: (a) The Company's annual assessment of the effectiveness of its internal controls and the independent auditor's attestation and report about the Company's assessment. (Effective beginning fiscal year 2004). (b) The adequacy of the Company's internal controls including computerized information system controls and security. (c) Any related significant findings and recommendations of the independent accountants with management's responses thereto. 8. Review with finance management any significant changes to financial policies or standards. 9. Review with management and the independent auditor at the completion of the annual audit: (a) The Company's annual financial statements and related footnotes.(b) The independent auditor's audit of the financial statements and its report thereon.(c) Any significant changes required in the independent auditor's audit plan.(d) Any serious difficulties or disputes with management encountered during the course of the audit. 10. Review with finance management and the independent auditor at least annually the Company's critical accounting policies. 11. Review policies and procedures with respect to transactions between the Company and officers and directors, or affiliates of officers or directors, or transactions that are not a normal part of the Company's business. 12. Consider and review with management and the independent auditor: (a) Significant findings during the year and management's responses thereto.(b) Any difficulties encountered in the course of their audits, including any restrictions on the scope of their work or access to required information. 13. The independent directors will participate in a meeting with finance management and the independent auditor prior to earnings release.
-
An audit report is a document created by a professional auditor at the conclusion of the auditing process. It provides a detailed summery of each of her findings. Audits are conducted for a variety of reasons, including for the purposes of acquiring monetary capital and maintaining government compliance. The four types of audit reports, also called opinions, are accepted as standard by the American accounting community: unqualified, qualified, adverse and disclaimer of opinion. Regardless of type, each audit report is written in the format of a formal business letter.
Title and Introduction
-
Give it a title, such as “2010 XYZ Company Independent Financial Auditor’s Report.” The title of the document should be simple and straight forward. In addition, it must include the word “independent,” for this informs all readers that the report was created by an unbiased third party.
Immediately following the title, the introduction of an audit report is a concise one-paragraph statement. Included is the name of the firm being apprised, as well as the dates that the audit covers. In most instances, this dates encompass the company’s fiscal year.
Responsibilities of Directors And Auditors
-
Spell out the responsibilities of the directors of the firm being audited, as well as those of the auditor. This section indicates that the duty to the company’s management team is to create and provide all financial documentation required for the audit to be successfully completed. In addition, that data must be, to the best of their knowledge, accurate. This paragraph also indicates that the auditor’s role is to review all financial statements provided by the firm. Based upon that information, he must form and present an opinion of the financial status of the organization.
Basis of Opinion
-
Write the basis of opinion. This portion opens with the auditor’s opinion, delivered as plainly as possible. It goes on to explain that the audit was conducted in a manner compliant with the U.S. Generally Accepted Audit Standards. After describing the entire audit process, the auditor must include all pertinent resources that support her opinion. Although this section may be longer than one paragraph, it should be written as succinctly as possible.
Want some tips on how to write an audit report? We have some insider tips on what to include in your report, how long it should be, and how to write your findings.
In this article, we’re going to specifically focus on the final written report (not the verbal report given in the closing meeting – more on that later), and some tips on how to write an audit report that add value to the organisation, and actually be used to help with continual improvement.
In many cases the audit report template that you have to use is predetermined, so you are governed by that to a large degree. But even then, you should still have a fair amount of flexibility in what you write.
What to include in an audit report
Let’s start with what must be included. There are a few mandatory items: the objective, the scope, and the criteria. These should clearly explain the purpose and the boundaries of the audit. You can combine these and call them something different, but they should still be included. The objective is why the audit is being done; the scope is the boundaries of the audit; and the criteria is what you’re checking against.
You also must state where you went, so include the name of the business or business unit, and its address. Also include the name of your contact person. Often report templates require you to include the names of everyone you had contact with. I personally don’t see the point of this and it’s a good place to make a mistake. It’s very easy to spell someone’s name wrong or miss someone completely. It’s better just to state the main contact’s name, and the names of those who attended the closing meeting –, and certainly make sure you spell their names correctly.
There are also a few other mandatory items, like the disclaimer, which are normally included in your template.
The next thing you need is a clear executive summary. The emphasis here is on clear. Think about who will read this and what they need to know. Essentially there are three things they want to know:
- Did the organization pass the audit?
- What nonconformances/noncompliances are there and how many? You don’t need the full details in this summary, but you do need to say how many, and maybe in what areas they are.
- What needs to happen next? Are you coming back? And state how and when the organization needs to respond.
We are now into the bulk of the report and need to include information about what you saw. Keep it factual, and I don’t use words such as: good, very good or excellent. For example,
If I reviewed three reports and all were fine and compliant, I would write…
The following three reports were reviewed:
- Report number ….
- Report number ….
- Report number ….
What I would not write is…
Three random reports were reviewed and these were all very well written and contained some excellent information.
The reason for this is when you or someone else comes back next year and possibly finds an issue with a report, the auditee’s reply could well be: “But last year you said they were excellent?”
How to structure an audit report
How should you lay out the body of your report? The body text should be in logical groups that align with how the business operates, and ideally you should write around their business processes. If the business is not structured that way, then write around business functions or departments, or possibly locations if it is a multi-site business.
Do not write your report around the criteria you’ve audited against. I have written about this previously in another blog: Why Certification or Regulatory Auditors should not use a checklist?. One of the main problems with this approach is you are given a report template to use, and the template defines how to structure the report. In these cases you’re a bit stuck, so do the best you can.
How much to write in an audit report?
How much do you write about what you saw? Personally, I don’t write too much. I write enough that demonstrates that I was actually there, and did review evidence, but I’m not writing a story – and since the primary people who will read the report work at the business, they should know most of it anyway.
Audit findings
Now let’s talk about the findings – the things that you found that weren’t as they should be. The official name for these are nonconformances or if we’re legally speaking, noncompliances. But they are often called something different, normally because people want to put a positive spin on them: Corrective Action Request or CAR, Opportunity For Improvement or OFI, Let’s fix it, Let’s fix it together, Potential Improvement Note or PIN, Corrective Action Preventive Action or CAPA, and Area of concern. There are many – I wonder what term you use?
For the purpose of this article, we’re going to use nonconformance just to keep it simple. Nonconformances also are graded or classified. The normal gradings are: Critical, Major and Minor, and can be described as:
The organization has demonstrated a direct impact on public health due to a loss of process control or a breach of legislation. Note: This is only relevant to certain types of audits such as: Food Safety or other high risk audits.
The organization has no process in place which meets a major component of a requirement, or the outcome is not effective.
The organization does not fully meet the components of a requirement, or the outcome is only partly effective.
Writing nonconformances
The writing of nonconformances is, in my opinion, the most important part of the audit report. Why? Simply it’s what people need to act on; so it needs to be clear, it needs to be understood, and it needs to be correct.
I have written about writing nonconformances in two previous blogs: How to write nonconformances and Why recording evidence drives the wrong behaviour? But in a nutshell, you write the relevant part of the criteria and state the evidence you have to show that it does not comply. What you don’t do is tell the organization what they have to do; the fix or the containment and the corrective action.
You may also want to include recommendations… what they could do better, and improve on. But be careful here; there are traps for new players.
If you’re conducting a certification audit or an audit on behalf of the government, then it is a definite ‘no no’ to provide recommendations, give advice or consult.
To clarify this, ISO 17021-1:2015, section 5.2.5 states:
The certification body and any part of the same legal entity and any entity under the organizational control of the certification body shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.
Further, section 9.4.8.1 states:
The audit team may identify opportunities for improvement but shall not recommend specific solutions.
So you can find things wrong, as long as you have evidence to back up your findings, but you are not allowed to advise the organization as to how to correct them. You can identify opportunities for improvement, but again you can’t tell the organization what to do. You can only identify the issue.
An example of an opportunity for improvement could be:
The document control processes may benefit from reduced complexity.
You can’t write:
You should reduce the complexity of your document control.
Not being able to tell the organization what to do can be frustrating for you both. However, it is their system of management, not yours. If you tell them what to do, what are the implications for you if they follow your advice and something goes wrong?
I have often heard of auditees saying: “But we do it like that because that’s what the last auditor wanted”. Don’t fall into the trap of advising – if you want to do that, become a consultant.
How big should the audit report be?
And how long should your report be? How much do you need to write? Should it be a massive report that passes the drop test, takes three months to produce and is reviewed by a team of thousands? The International Accreditation Forum’s Mandatory Document IAF MD5:2015 gives us some guidance here:
2.1.1 The audit time for all types of audits includes the total time on-site at a client’s location (physical or virtual) and time spent off-site carrying out planning, document review, interacting with client personnel and report writing.
4.1 Determination of audit time of management systems involved in combined offsite activities should not reduce the total on-site duration of management systems audits to less than 80% of the audit time calculated.
So this means that you shouldn’t spend an enormous amount of time writing the report. For an audit with a total duration of six days, by the time you take out a bit of planning and preparation time, allow 80% of the time on site which is the best part of five days (actually 4.8), you’re left with about a day to write the report.
How many words can you write in a day? Well, this is what some famous authors can write:
| Arthur Conan Doyle | 3000 |
| Carol Shields | 600 |
| Holly Black | 1000 |
| Ian McEwan | 600 |
| Lee Child | 1800 |
| Sarah Waters | 1000 |
Source: //writerswrite.co.za/the-daily-word-counts-of-39-famous-authors-1/
An average page has in the region of 500 words, so if you write as quick as Sir Arthur Conan Doyle you could bang out a six-page report; but if you write like Carol Shields or Ian McEwan, you’re going to manage just over a page.
When should you write the audit report?
And when should you write this report? Straightaway – and if you don’t understand that, I’ll tell you again – straightaway! I always had my report to the auditee within five days. Most auditing bodies seem to have a specified time of between five and 28 days. I think the quicker the better, while the audit is still fresh in everyone’s minds. Receiving a report three months after the audit is waste of everyone’s time; people have forgotten what happened, some people have moved on, processes may have changed, and you, the auditor, look useless.
Why does it take so long to get the audit report written? Two reasons: firstly you prioritise other tasks to be more important; secondly the report has to be reviewed by someone else and it sits in their inbox for too long. And, of course, if something needs correcting, then it’s back and forth we go.
What is the solution to this?
- Write the report immediately while the audit is still fresh; don’t write too much (fewer mistakes);
- employ competent auditors (again, fewer mistakes); and
- If the report must be reviewed by someone else, make sure they do it promptly.
At the start I said this article would be about the written audit report and not the closing meeting. However I will say this about the closing meeting: what you tell people in this meeting and what you write in your audit report need to be the same. Don’t fall into the trap of finding new nonconformities when you are back at your desk. Don’t be a keyboard warrior!
In summary…
When you’re writing your audit report, keep it simple, remember your audience, stay factual, avoid terms like excellent, don’t consult or advise, and do it promptly. There are two secrets to this:
- Have a good template, and
- Practice – reports become easier and quicker the more you do.
Now, go and enjoy your auditing.
Related Articles
Practical Tips for Continual Improvement
Why Certification or Regulatory Auditors should not use a checklist
Performance Auditing – increasing audit value and driving improvement