XXX Audit Report

Audit Ref: XX/YYYY/Entity

Audit Title: Name
Business Unit: Entity / Function / Sub-function
Business Owner: CXO, EVP
Issue Date: MM DD, YYYY

See section 3.4 for Report Distribution and Audit Team

Overall Process Assessment

Green Satisfactory

Amber Needs Significant Improvements

Yellow Needs Minor Improvements

Red Unsatisfactory

Internal Audit Department

Audit of (Name)

Contents

Page no.

1 Executive Summary 3

2 Detailed Findings and Recommendations 4

3 Report Discussion and Distribution 5

4 Appendices 6

2
 Audit of (Name)
1. Executive Summary
1.4 Number of observations
1.1 Background
Risk rating Action
Provide a background to the audit. Background should contains No of
for the Assessment plans
information that is valuable to the reader and provides a context to findings
findings agreed
the audit.
Severe 0 0

1.2 Objective and Scope Major 0 0

Description of the scope of the audit should be documented here. Moderate 0 0
This should be in line with the scope as documented and agreed with
Minor 0 0
management in the TOR.
TOTAL 0 0

1.5 Conclusion
Overall conclusion should be documented here. This should include any
key themes and issues noted that have led to the rating.

Management actions agreed should also be summarized here.

1.3 Limitation of Scope

Any limitations to he scope of our audit should be recorded here.
 Audit of (Name)
2. Detailed Findings and Recommendations
Finding / Risk
1. Statement of Condition (What is the issue? / What
was wrong?)
Statement of Condition:
What was wrong
Criteria:
“By what standards was it judged”. Criteria could be accuracy,
materiality, consistency or compliance with applicable
accounting principles and legal & regulatory requirements.
Cause:
“Why did it happen?”
If the condition has persisted for a long period of time or it is
intensifying, the contributing causes for these characteristics of
the condition should also be described.
Identification of the cause of an unsatisfactory condition or
finding is a prerequisite to making meaningful
recommendations for corrective action.
Risk
The real or potential impact of the condition and answers the
question: “What effect did it have?” The significance of a
condition is usually judged by its effect.
Risk
Recommendations/ Management Action Plan Owner / Timing
Rating
Recommendations
“What should be done?”
The relationship between audit recommendation and
the underlying cause of the condition should be clear
and logical. If a relationship exists, the
recommended action will most likely be feasible and
appropriately directed. Make recommendations,
action plans, and responses S M A R T.
S pecific – identify (1) who is responsible and (2)
what control must be implemented or reinforced.
M easurable – Provide an auditable
recommendation or action plan. You need to be able
to “inspect what you expect.”
Owner
A chievable – Make the recommendation or action
practical, reasonable, and worth implementing,
Timing
considering the risk.
R eliable – Resolve the issue and risk (often with
frequency); prevent or minimize the issue and risk
from recurring.
T ime-bound – include a target implementation
date.
Management Action Plan
Agreed Management Actions in line with audit
recommendations.
4
Audit of (Name)

3. Report Discussion and Distribution

3.1 People interviewed during the audit 3.4 Reporting Distribution

An initial meeting with XXXX was held to discuss scope of the audit and
initial information request. To : Business Owner

During the course of the audit, the following people were interviewed:
Cc : Name – Job Title
• Mr. XXXX

3.2 Report discussion

• The findings in the report were discussed with Mr. XXXX at the closing
meeting.
• Our draft report was issued to Mr. XXXX on DD MM YYYY.
• Final management action plan was received on DD MM YYYY.

3.3 Period of Audit Fieldwork

From MMM YYYY to MMM YYYY.

3.4 Audit Team

The Audit team consisted of the following individuals:

• Mr. XXXX
• Mr. YYYY
4. Appendices
4.1 Individual Findings Rating Criteria
Action Plan Guidelines
Risk Rating Risk Summary Rating Explanation – Criteria Escalation

Critical Control A key control does not exist, is poorly designed or is not operating
Weaknesses as intended and the financial, operational and /or reputation risk is MD/ CEO Action plan to be
more than inconsequential. The process objective to which the
Severe Executive implemented as a matter of
control relates in unlikely to be achieved. Corrective action is
Immediate corrective Committee urgency.
needed to ensure controls are cost effective and/or process
action required
objectives are achieved.

Significant Control There is a significant weakness in controls. Resolution would help Department
Weakness avoid a potentially material impact on the company's assets, Director Action plan to be
financial information, or ability to comply with important laws, implemented as a matter of
Major policies, or procedures. Department priority. Expected to be
Timely corrective Managers implemented in no later than
Strategic and/or operational impact on the process to which the 3 months.
action required
control relates is less than severe.

Potentially serious A key control does not exist, is poorly designed or in not operating Department
control weakness as intended and the financial and /or reputation risk is more than Action plan to be implanted.
Director
Moderate inconsequential. However, a compensating control exists. Expected to be implemented
Timely corrective Corrective action is needed to avoid sole reliance on compensating Department in no later than 6 months.
action required controls and/or ensure controls are cost effective. Managers

No Major control
weakness A weakness in the design and/or operation of a non-key process Action plan to be agree and, if
Section
control. Ability to achieve process objectives is unlikely to be Managers applicable, implemented
Minor
impacted. Corrective action is suggested to ensure controls are within a reasonable timeframe
Improve control
cost effective. (next 6 – 9 months).
environment

6
4. Appendices
4.2 Overall Risk Rating of the Process
Risk Rating of the
Risk Summary
Process
Severe / Critical deficiencies
noted in the System of Internal
Unsatisfactory
Controls. Immediate corrective
action required
Significant deficiencies noted in
Needs Significant
the System of Internal Control.
Improvements
Timely corrective action required.
Adequate System of Internal
Control Subject to Reservation.
Needs Minor One or more moderate risk
Improvements observations noted.
Satisfactory System of Internal
Satisfactory
Control
Rating Explanation – Criteria
Controls evaluated are not adequate, appropriate, or effective to provide
reasonable assurance that risks are being managed and objectives are met.
Resolution of the weakness(s) would help avoid a potentially critical negative
impact involving loss of material assets, customers’ relationship, reputation,
critical financial information, or ability to comply with the most important laws,
policies, or procedures.
A High residual risk exists in a major scope or risk area. The controls
evaluated are unlikely to provide reasonable assurance that risks are being
managed and objectives met.
Generally, controls evaluated are adequate, appropriate, and effective to
provide reasonable assurance that risks are being managed and objectives
should be met. One or more moderate risk observations noted, with no major
impact on the overall system of internal controls. Recommended control
enhancements would improve the reliability of controls to support achievement of
management's business objectives.
Controls are operating effectively and can reliably support achievement of
management's business objectives.