Internal audits can provide a range of benefits to companies, such as identifying areas or processes that need to be changed, finding new risks and preparing the organization for external audits.
That is why upper management must understand the discoveries and results of audits, making all of the effort of planning and executing internal audits worthwhile. This is where the internal audit report comes in.
Let’s look at how it works.
What is an internal audit report?
An internal audit report is a document with the formal results of an audit. It is used by the internal auditor to show what was examined, highlighting positives, negatives and conclusions, so that the company’s management knows what is going well and what needs to be improved.
The report should be carefully prepared. Yet it is at this point that many internal auditors fail.
The text needs to be clear, objective and impartial in order to ensure that the audit’s results are useful and the organization can use them as a guide to set the direction of actions.
What needs to be done when preparing the report?
Reiterating what was discussed above, one of the benefits of performing internal audits is to find opportunities for improvement. Based on this, the auditor should therefore focus when producing the report. The auditor should avoid:
- Finding guilty parties or specifying that a particular person made a mistake;
- Seeing problems universally;
- Producing an evasive report;
- Applying unnecessary technical terms;
- Lauding their own work. The report should have a natural and straightforward tone.
How is an internal audit report prepared?
1. Make a cover
Have you ever heard the saying that the first impression is the one that lasts?
The auditor’s work should make a good impression, which is why starting with a quality cover is fundamental. It will be upper management’s first point of contact with the audit results, which is why it is important to present information such as:
- Report title
- Name of auditor responsible
- Audit end date
- Name of company or business unit audited.
2. Draft an introduction
The auditor should use this section to provide an overview, with information on the area and processes audited, which standards are providing support to carry out the audit (E.g.: ISO 9001, ISO 14001), in addition to telling the reader about any historical information that may be required before reading the full report. That way, anyone who reads the report will be able to understand the reasons that led to the audit to be executed.
Example: The report may cover the emergence of new legislation that impacts the company’s operations. The introduction can describe the laws that had been applicable to that point along with their shortcomings and how the new law aims to deal with these matters.
3. Create an executive summary
The executive summary should contain a compact discussion of the conclusions of the work done. It should be structured as follows:
- A brief description of what was audited, objectives, scope and start and end dates.
- Discuss the auditor’s conclusions.
Example: State that the main goal of the audit was to evaluate the organization’s processes in order to identify the level of adherence/gaps in relation to the new law. At the end, it can say that one of the main conclusions is that the company needs to adapt its facilities.
4. Introduce Terminology used
The next section should show the terms used in drafting the report, so that everyone can understand the information presented.
Example: If there are any references to ISO, it is important to clarify that this refers to the International Organization for Standardization.
5. Discuss the Audit Plan
The audit plan should name the lead auditor and list their qualifications, along with other auditors on the team. This section should also describe the documents evaluated and name the people interviewed.
The auditor should describe the stages followed during the audit (a tool for mapping processes can help) and which criteria were used to select documents evaluated and people interviewed.
6. Describe facts found
When something is not compliant with established standards, the auditor should take note, describing the facts and evidence found.
7. Discuss recommendations
Finally, the auditor should conclude the report with a section on “Recommendations” for the organization’s improvement. At this stage, the auditor should consider the following aspects:
- Be positive: The auditor should focus on what is going on right now and on how the company’s positive aspects can be applied to inefficient areas or processes.
- Be specific: The auditor should be very clear and specific on which aspects are not in compliance with established standards and which actions should be implemented to guarantee compliance. It should be clear who needs to act.
- Be concise: The auditor should make brief recommendations and only include the information and details that are really necessary.
As you can see, certain steps must be taken when preparing a high-impact internal audit report.
Members of upper management are busy people with full schedules. Auditors are becoming aware that they need to submit clear and objective audit reports so that executives can understand the situation and work so that there is continual improvement. This is possible through an internal audit report.
We hope that this article has helped you to better understand what an internal audit report is, why it is important and how to prepare a high-impact report.
Are you interested in learning more about auditing after reading this article? If so, please take a look at more content that we have already covered here in the blog!