Writing Audit Reports

This presentation is based on the course "How to Write an Audit Report" offered by the Institute of Internal Auditors (theIIA.org). This course is no longer available to people who are outside (not members of) the IIA.

 
This course is available for free as a Kindle book, intended to attract people's attention to this site.
(Frankly I prefer the formatting on this page, that I cannot render in Kindle.)
 

Table of Contents

1. Purpose of an Audit Report
2. The Role of Communication in Internal Auditing
3. Structure of an Effective Audit Report
4. Writing Effective Audit Findings
5. Writing Style and Clarity
6. Ratings, Opinions, and Conclusions
7. Management Action Plans (MAP)
8. Fact Sheet Reports
9. Common Mistakes in Audit Reports
10. Best Practices for Effective Audit Reports
11. Conclusion
12. Case Study

Purpose of an Audit Report

An internal audit report is the formal communication of audit results to management, senior leadership, and the board. Its purpose is not merely to document work performed but to communicate risks, control weaknesses, and recommended improvements so the organization can strengthen governance, risk management, and internal control processes. An effective audit report translates detailed audit work into clear, actionable information that decision-makers can quickly understand and act upon. When written well, the report serves as the primary mechanism through which the internal audit function delivers value to the organization.

The course emphasizes that audit reports must meet several key characteristics:

• Clear – easy to read and free of unnecessary jargon
• Concise – focused on significant issues rather than excessive detail
• Accurate – supported by evidence gathered during the audit
• Objective – unbiased and professionally written
• Actionable – includes recommendations and management responses

A poorly written report can weaken the impact of an otherwise well-executed audit. Therefore, strong writing skills are essential for auditors.

The Role of Communication in Internal Auditing

Internal auditing is often described as a communication process as much as an assurance activity. Auditors gather evidence, evaluate controls, and analyze risk, but their work only creates value when the results are effectively communicated to stakeholders.

1. Audit Planning
2. Audit Fieldwork (Data collection and testing)
3. Evaluation of Controls and Risks
4. Audit Report (Communication of results)
5. Management Action & Improvements

The audit report therefore acts as the bridge between audit analysis and organizational improvement. Without clear communication, management may misunderstand the issues or fail to act on them. For this reason, the course emphasizes tailoring reports to multiple audiences, including operational managers, executives, and the audit committee. Each group may require different levels of detail or emphasis.

Structure of an Effective Audit Report

Most internal audit reports follow a standard structure that allows readers to quickly understand the audit results. While formats vary across organizations, the course emphasizes several core components.

1. Title Page
   • Identifies which audit that the report is about
   • Who prepared it, and when
   • Optionally the classification – it might be marked “Confidential” or “Proprietary”.
2. Executive Summary
   • The executive summary is the most important section of the report because many senior leaders read only this portion. You want to make this section count!
     It provides a concise overview of:
   • Audit objectives
   • Scope
   • Key findings
   • Overall conclusion
   • Major recommendations
   • The summary should highlight the most significant risks or control weaknesses discovered during the audit. It should also present the overall assessment of the audited area.
3. Background
   • The background section explains the context of the audit.
     It typically includes:
   • Description of the process or system audited
   • Organizational objectives related to the area
   • Relevant policies or regulatory requirements
   • Reasons the audit was conducted
   • Level of risk
   • Selection of areas under scrutiny (top 10 risks)
   • This section helps readers understand why the audit matters.
4. Objectives and Scope
   • The report clearly states what the audit intended to evaluate and what areas were included - or excluded.
     Examples include:
   • Evaluation of internal controls
   • Compliance with policies
   • Assessment of risk management practices
   • This section prevents misunderstandings about the boundaries of the audit work.
5. Methodology
   • The methodology briefly describes how the audit was conducted, including:
   • Interviews
   • Document reviews
   • Control testing
   • Data analysis
   • The goal is not to provide technical detail but to demonstrate that the audit was conducted systematically and professionally. Cite audit standards to bolster “assurance”, which the degree of confidence that controls are designed well and operating effectively.
6. Audit Findings
   • The findings section is the core of the audit report. It presents the issues identified during the audit in a clear, structured manner.
   • Each finding typically includes 5 C’s; see Writing Effective Audit Findings below.
     Well-written findings:
   • Focus on facts, not opinions
   • Clearly link issues to risks and business impact
   • Are prioritized (e.g., high, medium, low risk)
   • Avoid overly technical language where possible
   • This section should enable readers to quickly understand what is wrong and why it matters.
7. Recommendations
   • The recommendations section provides practical actions to address the findings.
     Effective recommendations:
   • Are clear, actionable, and feasible
   • Address the root cause, not just the symptom
   • Are aligned with the organization’s risk tolerance
   • Balance cost vs. benefit
   • Rather than prescribing exact solutions, auditors often:
   • Suggest directional improvements
   • Allow management flexibility in implementation
   • The goal is to help management reduce risk and strengthen controls, not to dictate operations.
8. Management Responses
   • This section captures management’s reaction to each finding and recommendation.
     It typically includes:
   • Agreement or disagreement with the finding
   • Planned corrective actions
   • Responsible owner(s)
   • Target completion date
   • Well-developed responses:
   • Demonstrate accountability
   • Show commitment to remediation
   • Clarify how risks will be addressed
   • This section is important because it reflects management ownership of risk, not just the auditor’s perspective.
9. Conclusion or Overall Opinion
   • The conclusion provides a high-level assessment of the audited area.
     It may include:
   • An overall audit rating (e.g., effective, needs improvement, ineffective)
   • A summary of the control environment
   • A statement on whether objectives are being met
   • The conclusion should:
   • Be consistent with the findings
   • Clearly communicate the overall level of risk
   • Reinforce key messages from the report
   • This is often the section that, along with the executive summary, shapes senior leadership’s final impression.

Writing Effective Audit Findings

The most critical section of an audit report is the audit findings. Each finding explains a problem discovered during the audit and provides evidence to support it.

Most internal auditors use a structured format known as the Five Elements of a Finding, or referred to as the 5 C’s, as shown in this illustration.

As you can see, there is a bridge from the actual conditions on the left, to the management recommendations on the right side. There are five spans in the bridge.

Span 1. Criteria: The "should be." This defines the benchmark, such as company policies, standard operating procedures (SOPs), laws, regulations, or industry best practices, against which the subject matter is measured.

Criteria represent the expected standard or requirement against which the condition is evaluated. Examples include:

• Organizational policies
• Regulatory requirements
• Industry standards
• Internal control frameworks

Span 2. Condition: The "what is." This is the factual, evidence-based observation of the current situation. It describes exactly what the auditor found, highlighting the discrepancy between actual practice and the established criteria.

The condition describes what the auditor observed during the audit. This is the factual statement of the issue.
Example:

• Access rights were not reviewed regularly for terminated employees.

Span 3. Cause: The "why." This identifies the root reason why the condition does not meet the criteria. It addresses the underlying issue—such as process design flaws, lack of training, or insufficient monitoring—rather than just the symptom.

The cause explains why the problem occurred. Common causes include:

• Lack of procedures
• Inadequate training
• Poor system configuration
• Insufficient management oversight

Identifying the root cause helps ensure that recommendations address the underlying problem rather than just the symptoms.

Span 4. Consequence / Effect: The "so what." This explains the risk, impact, or exposure resulting from the condition. It details what could go wrong or has already gone wrong, covering financial, operational, reputational, or compliance-related consequences.

The effect describes the risk or impact of the issue, such as:

• Financial loss
• Compliance violations
• Operational inefficiencies
• Security vulnerabilities

Span 5. Correction / Recommendation: The "what now." This outlines the recommendations or management's agreed-upon steps to resolve the identified issue and prevent it from recurring.

The recommendation provides a practical solution to the problem. Effective recommendations should be realistic, achievable, and aligned with the organization’s risk tolerance.

 
These 5 C’s are widely recognized in internal auditing, and are used to structure persuasive and actionable audit reports. Remember to include all five spans in the bridge so that your recommendations land with senior management.

Writing Style and Clarity

The course places strong emphasis on writing style. Internal audit reports should be written in clear, professional language that is easily understood by business leaders. The goal is to communicate clearly with non-auditors.

Key writing principles include:

1. Use Plain Language
   • Avoid technical jargon or excessive auditing terminology.
     Example:
   • Poor wording: Control deficiencies were identified within the user provisioning process.
   • Better wording: User access was granted without proper approval.
2. Be Concise
   • Reports should focus on significant issues, not minor observations that distract from the main message.
   • Minor observations can be reported in a separate Management Letter, rather than cluttering the Audit Report.
3. Focus on Risk
   • Audit reports should emphasize business risk and impact, not simply control failures.
   • Executives are more likely to respond when the report clearly explains why the issue matters to the organization.

Ratings, Opinions, and Conclusions

The overall conclusion should reflect the combined significance of the audit findings and the effectiveness of existing controls.

In the overall audit assessment, summarize:

• Individual Findings
• Severity Assessment
• Combined Risk Evaluation
• Overall Audit Opinion

Many organizations include an overall audit rating or opinion summarizing the condition of the audited area. Examples include:

• Effective
• Needs Improvement
• Unsatisfactory

This conclusion helps executives quickly understand the overall level of risk.

Management Action Plans

Audit reports are not complete until management provides responses to the findings.

Each finding should include the Management Action Plan (MAP):

• Management’s response (agree or disagree) – any disagreements should be resolved before the Fieldwork phase ends and before the Reporting phase begins.
  Fact Sheets are recommended to be created by the lead auditor and reviewed by the auditee as soon as the finding or weakness is discovered. This means that management is not surprised when the findings are raised in the audit report. Refer to Fact Sheet Reports below.
• Corrective action plan (remediation)
• Responsible person
• Target completion date

This ensures the report leads to real improvements rather than simply documenting problems.

Follow-Up Process

• Audit final report issued, including Management Action Plan (MAP) generated after Audit draft report was submitted
• Implementation of remediation activities (new or revised controls per MAP)
• Audit follow-up review

Internal Auditors typically perform follow-up procedures to confirm that corrective actions have been implemented, and to verify the concerns of all the findings have been met.

Fact Sheet Reports

These reports are not a required step in most audit frameworks, but in my experience Fact Sheets work well to alert the auditee about potential findings or weaknesses. I recommend that the lead auditor create them as soon as the finding or weakness is discovered, so that the auditee may review them on a timely basis. The auditee may point out flaws in the fieldwork or may be able to point to compensating controls beyond those found in the System Description. The audit team has time to return to the recent fieldwork and re-examine the design and effectiveness of the controls. Issuing the Fact Sheets also means that management is not surprised when the findings are raised in the audit report.

After reviewing the description below, you may return to Management Responses above.

Fact Sheets should be sent during the Fieldwork phase to confirm the weaknesses and be certain all controls have been identified and included in the tests. Management can agree with the fact sheets, or invite further discussion. All fact sheets should be issued and management responses received before the Fieldwork phase ends. Fact sheets show the auditees the progress of the audit fieldwork, and invite them to follow along and correct any misunderstandings. It also gives the auditees a chance to issue temporary fixes for important or critical issues.

Be sure to number each Fact Sheet so that you can tie it back to the Working Papers. You should also provide boxes at the top to record the date the Fact Sheet was generated, by which auditor, and the date it was discussed with the auditee(s), and which auditee(s) attended the meeting.

In many ways the Fact Sheet resembles the audit finding. Remember the bridge from the actual conditions on the left, to the management recommendations on the right side. There are five spans in the bridge.

• Span 1. Criteria: The "should be" that represents the expected standard or requirement against which the condition is evaluated.
• Span 2. Condition: The "what is" that describes exactly what the auditor found, highlighting the discrepancy between the established criteria and actual practice.
• Span 3. Cause Optional: The "why" that identifies the root reason why the condition does not meet the criteria. You may or may not not have time to investigate the root reason before you issue the Fact Sheet. Be aware that the easiest reason to attribute to the cause may in fact not be the root reason.
• Span 4. Consequence / Effect: The "so what" that describes the impact of the discrepancy.
• Span 5. Correction / Recommendation: Not included in the Fact Sheet.

The purpose of the Fact Sheet is to engender discussion with the auditee, so include the last section but leave it blank:

• Management Response: Leave room for the auditee to Agree or Disagree with the facts. If they disagree, before sure to record on the Fact Sheet what went wrong, and whether they presented new evidence (controls or countermeasures) not included in the System Description.
• If the discrepancy is a major concern to the auditee, they may initiate action to remediate it straight away, before the audit report is submitted. Be sure to note this on the Fact Sheet, including what action was taken, by whom, and when.

 
Give the Fact Sheet to the auditee as soon as possible (within one or two business days) after the audit team has completed their tests of the gathered evidence. Ask for a quick response. This ensures the audit team has time to go back and re-examine the design and effectiveness of the controls, before they get involved in the next step of the fieldwork, and before the Fieldwork phase ends.

Common Mistakes in Audit Reports

The course also highlights common weaknesses that reduce the effectiveness of audit reports.

• Excessive technical detail
• Long narrative sections
• Lack of clear recommendations
• Weak explanation of risk or impact
• Failure to prioritize issues

Another common mistake is focusing too much on process descriptions rather than key risks and findings. Audit planning phase should include System Description document to be sent to management for their review and comments before the Fieldwork starts.

Best Practices for Effective Audit Reports

To produce high-quality audit reports, internal auditors should adopt these five best practices:

1. Focus on the reader. Write for the audience, especially executives and the board.
2. Highlight key risks early. Important issues should appear in the executive summary. See Fact Sheet Reports below.
3. Use structured findings. The criteria-condition-cause-consequence-correction format improves clarity.
4. Emphasize impact. Explain why each issue matters to the organization.
5. Collaborate with management. Discuss findings during the audit to reduce surprises when the audit report is submitted for management review, and to improve the MAP recommendations.

Conclusion

The IIA course "How to Write an Audit Report" emphasizes that audit reporting is a critical professional skill for internal auditors.

While audits involve detailed analysis and testing, the true value of the audit function lies in communicating insights that improve governance, risk management, and internal controls.

An effective audit report:

• clearly explains the audit objectives and scope,
• communicates findings using a structured format,
• highlights risks and impacts, and
• provides actionable recommendations supported by management responses.

When written well, the audit report becomes a powerful tool that transforms audit evidence into organizational improvement and better risk management.

Case Study

When I started as an auditor, I had been an IT Security consultant for a number of years. I considered my first audit report to be adequate to alert management that there was a problem. The Chief Audit Executive (CAE) rejected my report. The CAE strongly recommended that I take the course from the IIA. After taking the course, the CAE invited me to re-write my report. You can see the differences below. These are not the actual reports that I submitted, because those are proprietary documents that belong to the company where I worked.

Looking at these reports side by side, the difference is almost philosophical: one is trying to fix the system, the other is trying to change management’s behavior.

Report 1: IT Security Consultant (Action-Oriented, Remediation-Focused)

Subject: Immediate Remediation Plan – Identity and Access Management Weaknesses

A review of Active Directory (AD) indicates material control gaps in identity and access management that present an elevated risk of unauthorized access and potential compromise.

The organization has 1,234 users but maintains 1,754 AD accounts, indicating a significant number of duplicate or unnecessary accounts. A sample review of 200 accounts identified that 27% (54 accounts) lacked documented management authorization, and 30.5% (61 accounts) retained their initial password. Additionally, there is limited assurance that user access aligns with role-based requirements. The use of a consistently renamed local administrator account (“geddy”) further reduces security through predictability.

From a security operations perspective, the environment should be treated as potentially overexposed.

Immediate Actions (Next 24–72 Hours)

1. Disable Duplicate Accounts
   • Identify users with multiple accounts and disable all but one.
   • Re-enable accounts only after user verification through the help desk.
   • This will quickly reduce the attack surface.
   • Force Password Reset
   • Require password changes for all users at next login.
   • Immediately reset accounts identified with unchanged initial passwords.
2. Secure Administrator Accounts
   • Randomize and standardize naming conventions for local admin accounts.
   • Implement unique credentials and, if possible, privileged access management (PAM).
3. Access Review (Targeted)
   • Focus first on high-risk groups (administrators, finance, HR).
   • Remove clearly excessive privileges.

Short-Term Stabilization (Next 30 Days)

• Implement enforced manager approval workflow for all new accounts.
• Introduce automated provisioning controls (no account without approval).
• Establish a centralized identity inventory (single source of truth).
• Begin quarterly access certification, starting with critical systems.

Observations
The proposed approach by the auditee — to disable duplicate accounts and rely on user calls to restore access — is directionally correct for rapid containment, but should be tightly controlled to avoid operational disruption and social engineering risks.

Closing View
The priority is to regain control of identities quickly, reduce exposure, and then stabilize governance. Speed matters here; precision can follow once the environment is under control.

Report 2: Audit Report (Structured, Persuasive, Management-Focused)

Subject: Audit of Identity and Access Management Controls

Objective and Scope

To assess whether user account management controls ensure that access is appropriately authorized, provisioned, and maintained in alignment with organizational policies.

Finding 1: Inadequate User Account Authorization and Control

Criteria

• User accounts should be created only with documented management authorization.
• Access should be unique per user and aligned with job responsibilities.
• Initial passwords must be changed upon first use.
• Periodic reviews should validate user access and account validity.

Condition

• The organization maintains 1,754 AD accounts for 1,234 users, indicating duplicate or unnecessary accounts.
• In a sample of 200 accounts:
  • 54 (27%) lacked evidence of management authorization.
  • 61 (30.5%) retained their initial password.
  • There is limited assurance that access permissions align with user roles.
  • A predictable naming convention is used for local administrator accounts.

Cause

• Lack of enforced provisioning controls requiring documented approval.
• Absence of automated or centralized identity governance processes.
• Insufficient monitoring and periodic review of user accounts.
• Weak enforcement of password and administrative account standards.

Consequence (Risk/Impact)

• Increased risk of unauthorized access and privilege misuse.
• Elevated likelihood of account compromise due to unchanged passwords.
• Potential for privilege escalation through duplicate or unmanaged accounts.
• Reduced ability to demonstrate compliance with security and regulatory requirements.
• Predictable administrator account naming increases susceptibility to targeted attacks.

Recommendation (Correction)

Management should implement a strengthened identity and access management control framework, including:

1. Account Provisioning Controls
   • Enforce mandatory, documented management approval for all new accounts.
   • Implement automated workflows to prevent account creation without approval.
2. Account Rationalization
   • Identify and remove or disable duplicate and unnecessary accounts.
   • Establish a single unique account per user unless formally justified.
3. Password and Authentication Controls
4. Enforce mandatory password change at first login.
5. Periodically validate compliance with password policies.
6. Privileged Access Controls
   • Eliminate predictable administrator account naming conventions.
   • Implement stronger controls for administrative accounts (e.g., separate credentials, monitoring).
7. Periodic Access Reviews
   • Require quarterly access certification by managers.
   • Ensure timely removal of inappropriate or excessive access.

Management Response (Summary)

Management agrees with the findings and has proposed:

• Disabling duplicate accounts and re-enabling access upon user request.
• Implementing improved authorization processes for account creation.
• Initiating quarterly access reviews conducted by managers.

Conclusion / Overall Opinion

The current state of identity and access management controls is not operating effectively. While management has acknowledged the issues and proposed corrective actions, timely and disciplined implementation will be critical to reducing the organization’s exposure to unauthorized access and control failures.