Internal audit and review reports
29 Jan 2003
Internal auditors, external auditors, and consultants who perform internal audit and review engagements provide reports to management (internal audit reports). These reports are important because they provide documentary evidence of the work performed, the conclusions reached and the recommendations made. The quality and presentation of such reports make a substantial difference to the value added by internal audit and those performing similar functions.
Internal audit reports are different to statutory auditors’ reports produced by external auditors because statutory reports are governed by legislation and either national auditing standards, or International Standards on Auditing. Statutory auditors’ reports are highly codified, and usually fairly brief by comparison with internal audit reports, and they are often available for public inspection. Statutory auditors’ reports are produced for the benefit of shareholders and other stakeholders whereas internal audit reports are produced for the benefit of management; they are generally private documents and are not normally available for public inspection.
On the other hand, internal audit reports are similar, in some respects, to reports to management on the design and implementation of controls provided by external auditors to management during the course of, and at the end of, statutory audits. The method of production of such reports is similar, for example. Both internal and external auditors draft these sorts of reports on the basis of the findings of their work and there will usually be a split between significant and insignificant matters, and a summary or overall evaluation of the more important matters. Draft reports will often be discussed with management to confirm the findings and to establish management’s likely response. Responses are often incorporated into the report. Reports will often be redrafted several times, particularly in large organisations, after which the report will be issued. If management have not commented at an earlier stage, a formal response may be expected later. It is normal to follow up on recommendations or agreed action points in order to establish how the issues have been dealt with.
External auditor reports to management deal in substance with, inter alia, issues relating to the design and implementation of internal controls that have come to the external auditors’ attention during the course of the statutory audit. They generally deal with weaknesses in systems and the potential consequences, and provide recommendations to management. Whilst internal audit reports may appear to be similar, they are different in substance.
Internal audit engagements are usually undertaken as part of a pre-planned program of work with a variety of objectives as part of an entity’s overall corporate governance arrangements. These objectives can relate to the risks faced by the business, internally and externally, and/or they can deal with the enhancement of performance.
Whilst there are common elements to the two types of reporting, risk-based reporting tends to look at the current position and internal issues, whereas enhancement of performance reporting tends to be more outward and forward-looking. Risk-based reports might include establishing whether existing systems are properly aligned with the overall objectives of the entity. For example, internal auditors may be requested to establish whether human resources systems are capable of, and are actually delivering, the development and retention of the best staff in an entity’s particular market. Where it is believed that systems are not properly aligned, internal audit may be requested to make recommendations in relation to changing the existing systems, or implementing new systems, in order to achieve corporate objectives. Reports relating to the enhancement of performance may involve a review of the market, and management’s business strategies and overall risk management systems at a higher level. Whatever the assignment, there will almost always be a formal report which should be clear, balanced and constructive, consistent in style and concise.
Internal audit reports will usually contain a header page giving a title (the subject matter of the report), a distribution list, the date of production of the report, the identity of the authors and some sort of reference number. They will usually include an executive summary providing the background to the project (an introduction), summary terms of reference, the major outcomes of the work, the key risks identified and key action points or recommendations, and a summary of any further work required. The main body of the report includes detailed findings, action points or recommendations and will often include alternative recommendations. It gives details of responsibility for actioning the points, the costs involved with the various recommendations, and time-scales for implementation. Appendices will often contain the full terms of reference, tables or questionnaires used, flowcharts and systems diagrams, timetables, details of tests performed, and any other relevant information.