Want to learn how to write a good audit report that is digestible and effective at motivating stakeholder action? Elevate your next audit report with our reporting resources package, with proven tactics to boost clarity and business impact.
What Is Considered a Good Audit Report?
A good internal audit report is one that clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions.
What Should Be in an Audit Report?
Content matters when learning how to write a good audit report. Our understanding of audit report contents is based on The IIA Standard 2410 - Criteria for Communications. In the internal auditing standards, we are told what the report must and should contain. Since we are all working from the same auditing standards, audit reports have a basic structure that most internal auditors follow. The audit report generally includes the following elements:
- Scope and objectives (must).
- Results (must).
- Recommendations and action plans (must).
- Conclusions (must).
- Opinion (should).
- Acknowledgment of satisfactory performance (encouraged).
The report typically starts with a description of the scope and objectives. This section of the report establishes what the audit was about, why the audit risk areas mattered to management, and what the team included in the audit.
Next, the report details the issues that were found in the results section. For most audit departments, the issues, recommendations, and action plans are combined for each of the issues noted.
The conclusions section of the report allows the audit team a chance to make comments that extend beyond the individual issues in the results section. The conclusion section is also where most reports include the internal auditor’s opinion. The end of the report is a good opportunity to include a positive note acknowledging areas where management did well.
How Do You Write a Good Audit Report?
A good internal audit report conveys a clear message to the reader. Looking back at The IIA Standard 2410, the guidance is written about communication, not reporting. If we are writing a report as a communication tool, then the report should be free of judgment, written in a tone that appeals to the reader instead of making accusations. Audit reports should be brief and to the point. Norman Marks once said, “The length of the audit report, if one is even needed, should be just enough to tell the consumers of the report what they need to know – and no more.” The report should also steer clear of any jargon since the report may go to external parties. As long as the focus remains on communicating with management about the risks and control environment in the area that was audited, you will write a good report.
We’ve collected four of our top resources on how to write a good audit report from our Audit Management Playbook, including Tips for Writing an Effective Executive Summary, 10 Best Practices for Writing a Digestible Audit Report, and the Audit Reporting Checklist — and you can download the full Audit Management Playbook below.
4 Tips for Writing an Effective Executive Summary
The first step to writing a great audit report is ensuring its contributors understand the desired outcome of the report. For an audit report to make an impact on the business, it must motivate leadership to act upon internal audit’s recommendations.
1. Know Your Readers
Understand who will receive the report. The executive summary should give an overview of the detailed report that resonates with every executive officer who reads it, so it is important to understand your organization’s culture. Some organizations may be more cross-functionally collaborative, while others will be more compliance-oriented. Not every stakeholder will be a technical subject matter expert. For example, if your report is going to the CFO and you have IT audit findings, make sure that you don’t have to be an IT expert to understand what the issue is.
2. Cut the Fluff
The executive summary should be 1-2 pages. Aim for brevity as much as possible. Consider the best way to summarize each point, as there will be more takeaways in the detailed report. Wherever possible, use numbers and percentages to help drive points home. Eliminate any unnecessary descriptive adjectives and adverbs.
3. Explain It to the Company
Whether the audit report is presented to members from operations or IT, the executive summary should be written so that every individual can easily understand the terminology and sophistication level of the writing. A good rule of thumb is to try to explain every point in a way that all levels of experience and expertise at your company would understand.
4. Make It Digestible
For any key point, whether it is a big, scary finding or a positive one, bring the reader’s attention to the information as concisely as possible. Decide on your most important takeaways or messages, then leverage visual formatting to draw your audience’s eyes to each message.
Writing the Detailed Report
Depending on the audit, the expectations set during the opening meeting, and the findings, the contents of the detailed report may vary. If there were more findings and complexity in the audit than anticipated, you might need to include more detail.
The contents of the detailed report are as follows:
- Background or Overview of the Audit Area Reviewed.
- Scope Approach (what we looked at).
- Audit Period (what period was included).
- Findings Summary (positive findings; issues or problems).
- Detailed Observations (include the 5C’s: Criteria, Condition, Cause, Consequence, and Corrective Action Plans/Recommendations)
10 Best Practices for Writing a Digestible Audit Report
1. Reference Everything.
Avoid unverifiable claims and make sure to bridge any gaps of information by referencing where you obtained key facts and figures.
2. Include a Reference Section.
Use indices, appendices, and tables in this section is very helpful.
3. Use Figures, Visuals, and Text Stylization.
If you can put a number behind a fact or use a percentage to describe it, do so. Circle or highlight the key points you want to convey, as well as bold, underline, italicize, or use color to draw attention to key facts and figures. Use tables or graphs to summarize and draw attention to key trends or important data, wherever possible.
4. Note Key Statistics about the Entity Audited.
Noting key statistics about the entity audited in the Background/ Overview, if applicable, puts things in perspective and gives context and relevance to your audit findings.
5. Make a “Findings Sandwich.”
Layer a positive finding, followed by an issue, followed by a positive, and so on. Try to end the Findings Summary on a positive note.
6. Ensure Every Issue Includes the 5 C’s of Observations.
Criteria, Condition, Cause, Consequence, and Corrective Action Plans/ Recommendations.
7. Include Detailed Observations.
Detailed Observations are also a good place to include any additional facts and figures
8. Always Perform a Quality Assurance Check.
Seek someone who does not have a direct connection to the audit so they can provide fresh eyes. If possible, ask someone from the department or function audited to review the report as well.
9. Avoid Blame – State the Facts.
Aim to preserve the relationship with audit clients by being as objective as possible and avoiding blame. Simply state issues and recommended actions.
10. Be as Direct as Possible.
Avoid soft statements when making recommendations (such as “Management should consider…”) and opt for solid recommendations and calls to action instead.
Audit Reporting Checklist
To elevate your next audit report, follow our audit checklist on how to write a good audit report to ensure that it clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions.
Looking for more resources to take your internal audit team to the next level? Download the full in-depth Audit Management Playbook below and get more best practices, checklists, and tools for each stage of the audit lifecycle — planning, fieldwork, reporting, issue management, and scaling audit practices.