Writing a good audit report makes the difference in whether it communicates the message the audit team wanted to convey — and whether or not stakeholders read the report at all. People, including auditors and company management, are overloaded with information and content on a daily basis. Everything wants our time, our eyes; wants us to read and take action — and an audit report needs to be well-crafted to make an impact above competing demands on attention.
An ineptly written audit report can miscommunicate the results of the audit. Imagine if an audit committee got the wrong picture of a company’s financial statements due to an ineptly written auditor’s report; or if a poorly reviewed report disclosed a material misstatement instead of a material weakness and that made it uncorrected to the Securities and Exchange Commission! These examples are perhaps hyperbolic, but meant to illustrate the importance of producing a good audit report that clearly states the purpose of the audit, the type of report, who performed the audit, and the audit opinion, among other key attributes.
A quality audit report that is written with the audience in mind, and that takes a human-centered approach produces more value for readers and motivates stakeholder action. It saves time across the board by being simple, digestible, and actionable. It’s the sign and core deliverable of a mature audit program. Elevate your next audit report using our tips and tricks on how to boost clarity and deepen impact.
A good audit report, whether it’s an external or internal audit report, doesn’t have to be thirty pages or more to be effective and drive outcomes — in fact, a one-page audit report can be the perfect format for certain initiatives. The level of detail included in an audit report should be enough for the audience to understand the context of the report, determine if the objective of the audit was met (or not), and prompt action on any recommendations or improvement opportunities from there. Executives may want less detail and a short, sweet summary of takeaways, while managers and process owners directly affected by the audit process may need and want to review results and recommendations in detail.
What Is Considered a Good Audit Report?
Different types of reports may need to follow designated templates provided by regulators, or used as a common best practice in the industry. Financial audits and audits of ICFR (internal control over financial reporting) each fiscal year, for example, must be completed and documented by independent auditors for SOX compliance in accordance with Generally Accepted Accounting Principles (GAAP), and contain specific information and data points dictated by the legislation and the associated regulating bodies. Healthcare audits performed to evaluate compliance with HIPAA will incorporate the citations from the legislation and focus on protected health information (PHI). A good internal audit report should be one that clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions. To an extent, what good looks like for audit reports will change depending on the type of report being produced. Still, there are some common themes that contribute to writing a great audit report that we’ll cover in this article.
How Do You Write a Good Audit Report?
A good audit report conveys a clear message to the reader, whether that’s an unqualified opinion or a list of expenditures that can be eliminated. Audit reports should be brief and to the point. Simplicity and specificity go the distance in business writing.The report should also steer clear of any jargon or confidential information, just in case it goes to external parties. Keeping the focus on the audience, and the report centered on the risks and control environment in the area that was audited will help you write a sophisticated audit report.
We’ve included one of our top resources on how to write a good audit report from our Audit Management Playbook, 10 Best Practices for Writing a Digestible Audit Report, and you can download the full Audit Management Playbook below.
10 Best Practices for Writing a Digestible Audit Report
Our Audit Management Playbook recommends 10 Best Practices for Writing a Digestible Audit Report, including:
- Reference everything.
- Include a reference section.
- Use figures, visuals, and text stylization.
- Contextualize the audit.
- Include positive and negative findings.
- Ensure every issue incorporates the five C’s of observations.
- Include detailed observations.
- Always perform a quality assurance check.
- Avoid blame and state the facts.
- Be as direct as possible.
In good writing, there always comes a good time to break the rules. If your audience needs a shorter report and you can’t incorporate all of these into your deliverable, don’t worry! As long as you’ve made an effort to tailor the report to your audience and have your detailed findings in your back pocket to support that report — you should be able to present your findings with confidence.
1. Reference Everything.
Citations are important! Avoid unverifiable claims and make sure to bridge any gaps of information by referencing where you obtained key facts and figures. Give your stakeholders the tools and opportunity to research and look into your findings themselves. Show that you know what you’re talking about in the compliance realm by referencing authoritative documents, calling out audit evidence, and providing insightful data.
2. Include a Reference Section.
To keep your report from getting too congested with references and citations from standards that may detract from the ultimate message, whether those standards are from the local government, an official .gov publication, or another organization, include a reference section in your report and use appendices to your advantage. Even the report for a single audit can benefit from a well-structured references section.
3. Use Figures, Visuals, and Text Stylization.
Use visuals to better convey your message — reports don’t have to be boring and drab. Circle or highlight the key points you want to convey, and employ font styling and color to draw attention to key facts and figures. Use tables or graphs to summarize key trends or important data wherever possible.
4. Contextualize the Audit
Report key statistics and contextual details as part of your audit report to give relevance to audit findings and keep stakeholders invested in the content. Presenting financial information, like the company’s liabilities balance, in a vacuum, means very little. Providing context around that value and illustrating how it relates to the company’s overall financial position gives considerably more value. From there, stakeholders might have a better idea of whether they need to reduce liabilities or have room to take on more debt.
5. Share Positives and Negatives
Audits and auditors get a bad rap for only ever bringing bad news to the table. Break the stereotype and give stakeholders something to smile about by including positive findings, as well as issues and gaps. It may seem trite, but highlighting the positives will encourage those habits, processes, and teams to continue doing the good work.
6. Ensure Every Issue Includes the 5 C’s of Observations.
Since issues and accompanying recommendations do make up some of the meat of an audit report, it is important to include sufficient detail when documenting and reporting on findings, gaps, or control deficiencies. As a guide for what details to include in the audit report, use the five “C’s” of recording observations: criteria, condition, cause, consequence, and corrective action plans (or recommendations).
7. Include Detailed Observations.
Although writing a good audit report involves keeping it short, sweet, and on target, there are circumstances that call for “zooming in” on specific observations or findings. Not every finding needs this treatment in the report, but you may find that some observations are complex, require additional resources to remedy, or need to be called out for some other reason. Having a section in the report for Detailed Observations that dive into a subset of issues and includes additional facts and figures is a great way of drawing readers’ attention to higher-priority items.
8. Always Perform a Quality Assurance Check.
Multiple reviews of an audit report that will be seen by management are recommended. Seek someone who does not have a direct connection to the audit so they can provide fresh eyes. If possible, ask someone from the department or function audited to review the report and provide feedback as well. Audit reports should only be finalized and delivered once the last level of review has been completed and any open comments are addressed.
9. Avoid Blame – State the Facts.
Aim to preserve the relationship with audit clients, especially if you are performing an independent audit as part of a CPA firm, by being as objective as possible and avoiding blame. Simply state issues, opinions, and recommended actions.
10. Be as Direct as Possible.
Avoid soft and indirect statements when making recommendations and opt for solid recommendations and calls to action instead. The reader will appreciate it.
What Should Be in an Audit Report?
Content matters when learning how to write a good audit report. One way of looking at audit report contents is based on IIA Standard 2410 – Criteria for Communications. In these internal auditing standards, we are told what the report must and should contain. Since we are all working from the same or similar auditing standards, audit reports have a basic structure most internal auditors follow. An audit report generally includes the following elements:
- Scope and objectives.
- Results, Recommendations, and Action Plans.
- Audit opinion (if applicable).
Any audit report typically starts with a description of the scope and objectives of the audit initiative. This section of the report establishes what the audit was about, why the audit risk areas mattered to management, and what the team included as part of the audit.
Next, the report details issues found in the results section and provides recommendations, and action plans for each of the issues noted.
The conclusion section of the report allows the audit team a chance to make comments that extend beyond the individual issues in the results section. The conclusion section is also where most reports include the internal auditor’s opinion. The end of the report is a good opportunity to include a positive note acknowledging areas where management did well.
Types of Audit Opinions
While not all audit reports involve the issuance of an audit opinion, several do require independent auditors to provide an opinion, such as financial statements and annual reports. There are four possible ways an auditor can opinion on these types of audits.
Image: Types of Audit Opinions
- Unqualified Opinion – Results in an unqualified report, meaning that the auditor concludes that the company’s statements are represented fairly (in all material respects). This is the best outcome for an audit that requires an opinion.
- Qualified Opinion – Results in a qualified report, meaning that the auditor has identified some areas where they cannot conclude that statements were represented fairly, and calls those areas out. This is a step down from an unqualified opinion, but preferable to the next two.
- Adverse Opinion – Results in an adverse report, meaning that the auditor has detected a material misstatement and is issuing a negative opinion.
- Disclaimer of Opinion – In these cases, the auditors are unable to obtain sufficient evidence to form a conclusion, and do not express an opinion whatsoever.
Audit Reporting Checklist
To elevate your next audit report, follow our audit checklist on how to write a good audit report to make sure it clearly communicates the objectives, scope, and findings of an audit engagement — and in doing so, motivates its readers to take internal audit’s recommended actions.
If your team is ready to make the move to a technology solution for managing risk and compliance, issuing high-quality audit reports backed by reliable data, and collaborating with teammates around the world, AuditBoard is the platform for you. Elevate your audit programs with OpsAudit and start saving your organization time and overhead today.
Looking for more resources to take your internal audit team to the next level? Download the full in-depth Audit Management Playbook below and get more best practices, checklists, and tools for each stage of the audit lifecycle — planning, fieldwork, reporting, issue management, and scaling audit practices.
Fill out the form below to get your free guide.
Frequently Asked Questions About Audit Reports
What is considered a good audit report?
A good audit report, is clear, only as long as it needs to be, digestible, actionable, and targeted to the audience.
What are the 4 types of audit reports?
The four types of audit report opinions that can be issued are: unqualified, qualified, adverse, and a disclaimer of opinion.
What are the components of a complete audit report?
The components of a complete audit report are: the audit opinion (if applicable), scope, objectives, results and recommendations, and audit conclusions.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.