AUDIT REPORT

The Engagement Process (based on the IIA Standard)

Engagement Planning (2200)

Objectives – 2210

Scope – 2220

Resource Allocation – 2230

Audit Program – 2240

Performing the Engagement (2300)

Identifying Information – 2310

Analysis and Evaluation – 2320

Recording – 2330

Supervision – 2340

Communicating Results (2400)

Criteria – 2410

Quality – 2420

Disseminating Results – 2440

Monitoring Progress (2500)

QUALITY OF AUDIT COMMUNICATION
1.) Accurate – communication must be free from errors and distortions
and are faithful to the underlying facts.
2.) Objective – communications are fair, impartial, and unbiased, and are
the result of a fair-minded and balanced assessment of all relevant facts and
circumstances.

3.) Clear – communications are easily understood and logical.

4.) Concise – communications are to the point and avoid unnecessary
elaboration.

5.) Constructive – communications are helpful to the audit client and the
organization and lead to the improvements where needed.

6.) Complete – communications are lacking nothing that is essential to the

target audience and include all significant and relevant information and
observations to support recommendations and conclusion.

7.) Timely – communications are well-timed, opportune, and expedient for

careful consideration by those who may act on the recommendations.

COMPOSITION OF THE REPORT

1.) The engagement’s objective and scope
- Sufficient background information on the audit entity should be
provided to understand the context and significance of the audit report. Scope
is the area of process subject to the engagement and its corresponding business
objectives, related risks, and control activities. Under Practice Advisory 2410,
scope statements should identify the audited activities.

2.) Applicable conclusions, opinion, or audit findings or observation

- Conclusions and opinions are the internal auditor’s evaluation of

the effects of the observation and recommendations on the activities reviewed.
They usually put the observations and recommendations in perspective based
upon the overall implications. Audit opinion or conclusion must be supported by
sufficient, reliable, relevant and useful information otherwise known as sufficient
and appropriate evidence. An opinion should clearly express the following:
 • The evaluation criteria
• The scope
• Who has the responsibility for the establishment and maintenance
of internal control
• The specific type of opinion being expressed

BASIS OF AUDIT OBSERVATIONS

A. Criteria – these are the standards, measures, or expectations

used in making an evaluation and/or verification. Auditors should have a
means of measuring or judging the results and impact of matters
identified on an audit. Suitable criteria are factors that are relevant and
appropriate to the particular characteristics of the audited organization
and against which actual outcomes can be objectively assessed. In
financial statement audit in the Philippines, the Philippine Financial
Reporting Standards serve as the suitable criteria.

B. Condition – the factual evidence that the internal auditor found

in the course of the examination.

C. Cause – the reason for the difference between the expected

and actual conditions.

D. Effect – the risk or exposure the organization and others

encounter because the condition is not consistent with the criteria.

TYPES OF AUDIT OPINION ON INTERNAL CONTROLS

A.) Positive Assurance (Reasonable Assurance)

- Positive assurance is one of the strongest types of audit opinions. In

providing positive assurance (reasonable assurance), the auditor is taking a
definite position on the strength of internal controls. Consequently, a positive
assurance opinion requires the highest level of evidence. It also implies that
sufficient evidence was gathered to be reasonably certain that evidence to the
contrary, if it exists, would have been identified.
 Varieties of positive assurance:
- Binary – internal controls are appropriate or not appropriate. For
example, internal controls are satisfactory or unsatisfactory, effective or
ineffective, etc.

- Graded – the effectiveness of internal controls is rated using a grading

system. For example, rated on a scale of 1 to 5.
- Directional – provides additional information about the direction of the
opinion since a previous report. For example, controls are satisfactory but
diminished since last year.

B.) Negative Assurance (Limited Assurance)

- Negative assurance is a statement that nothing came to the
auditor’s attention that would indicate inadequate internal controls. The auditor
takes no responsibility for the sufficiency of the audit scope and procedures to
find all concerns or issues. Such opinion is less valuable than a positive assurance
as it only provides limited assurance that sufficient evidence was gathered to
determine whether internal controls were adequate. A negative assurance
merely states that the internal auditor ‘has not seen problems’ based on the
work performed.

C.) Qualified Opinion

- An opinion can be qualified with specific findings that contradict
the overall opinion. Qualified opinions can be useful in the situation where there
is an exception to the general opinion. For example, the opinion may indicate
that “controls were satisfactory with the exception of accounts payable
controls, which require significant improvement.”

D.) Disclaimer of Opinion

- A statement made by an auditor that no opinion is being given

regarding the internal controls of a client. This disclaimer may be given for
several reasons. For example, the auditor may not have been allowed or been
able to complete all planned audit procedures.
 3.) Recommendation
- The recommendation in an internal audit report are designed to
help the organization to achieve its goals “adding value to the organization”,
which may relate operations, financial reporting or regulatory compliance.
Recommendations may suggest approaches to correcting or enhancing
performance as a guide for management in achieving desired results.
Recommendations may be general or specific.

4.) Action plans for corrective action

- This portion of the report should present what should management
do about the findings. What have they agreed to do and when to do it are
some of the matters included in this portion.

DISSEMINATING RESULTS
- The chief audit executive must communicate results to the appropriate
parties. The chief audit executive is responsible for communicating the final
results to parties who can ensure that the results are given due consideration.
- If it Is determined that a final audit communication contains an error,
chief audit executive should consider the need to issue an amended report
identifying the information being corrected.

MONITORING
- The chief audit executive must establish and maintain a system to
monitor the disposition of results communicated to the management. The chief
audit executive must establish a follow-up process to monitor and ensure that
management actions have been effectively implemented or that senior
management has accepted the risk of not taking any action.

-End-