Compiling a Useful Audit Report: Best Practices

… Writing a good audit report makes the difference in whether it communicates the message the audit team wanted to convey — and whether or not stakeholders read the report at all.  People, including auditors and company management, are overloaded with information and content on a daily basis. Everything wants our time, our eyes; wants us to read and take action — and an audit report needs to be well-crafted to make an impact above competing demands on attention. 

An ineptly written audit report can miscommunicate the results of the audit. Imagine if an audit committee got the wrong picture of a company’s financial statements due to an ineptly written auditor’s report; or if a poorly reviewed report disclosed a material misstatement instead of a material weakness, and that made it uncorrected to the Securities and Exchange Commission! These examples are perhaps hyperbolic, but meant to illustrate the importance of producing a good audit report that clearly states the purpose of the audit, the type of report, who performed the audit, and the audit opinion, among other key attributes.

A quality audit report that is written with the audience in mind and takes a human-centered approach produces more value for readers and motivates stakeholder action. It saves time across the board by being simple, digestible, and actionable. It’s the sign and core deliverable of a mature audit program. Elevate your next audit report using our tips and tricks on how to boost clarity and deepen impact.

What Is Considered a Good Audit Report? 

A good audit report, whether it’s an external or internal audit report, doesn’t have to be thirty pages or more to be effective and drive outcomes — in fact, a one-page audit report can be the perfect format for certain initiatives. The level of detail included in an audit report should be enough for the audience to understand the context of the report, determine if the objective of the audit was met (or not), and prompt action on any recommendations or improvement opportunities from there. Executives may want less detail and a short, sweet summary of takeaways, while managers and process owners directly affected by the audit process may need and want to review results and recommendations in detail.

Different types of reports may need to follow designated templates provided by regulators, or used as a common best practice in the industry. Financial audits and audits of ICFR (internal control over financial reporting) each fiscal year, for example, must be completed and documented by independent auditors for SOX compliance in accordance with Generally Accepted Accounting Principles (GAAP), and contain specific information and data points dictated by the legislation and the associated regulating bodies. Healthcare audits performed to evaluate compliance with HIPAA will incorporate the citations from the legislation and focus on protected health information (PHI). A good internal audit report should be one that clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions. To an extent, what good looks like for audit reports will change depending on the type of report being produced. Still, there are some common themes that contribute to writing a great audit report that we’ll cover in this article.

How Do You Write a Good Audit Report? 

A good audit report conveys a clear message to the reader, whether that’s an unqualified opinion or a list of expenditures that can be eliminated. Audit reports should be brief and to the point. Simplicity and specificity go the distance in business writing. The report should also steer clear of any jargon or confidential information, just in case it goes to external parties. Keeping the focus on the audience, and the report centered on the risks and control environment in the area that was audited, will help you write a sophisticated audit report.

We’ve included one of our top resources on how to write a good audit report from our Audit Management Playbook, 10 Best Practices for Writing a Digestible Audit Report, and you can download the full Audit Management Playbook below.

10 Best Practices for Writing a Digestible Audit Report

Our Audit Management Playbook recommends 10 Best Practices for Writing a Digestible Audit Report, including:

  • Reference everything.
  • Include a reference section.
  • Use figures, visuals, and text stylization.
  • Contextualize the audit.
  • Include positive and negative findings.
  • Ensure every issue incorporates the five C’s of observations.
  • Include detailed observations.
  • Always perform a quality assurance check.
  • Avoid blame and state the facts.
  • Be as direct as possible.

In good writing, there always comes a good time to break the rules. If your audience needs a shorter report and you can’t incorporate all of these into your deliverable, don’t worry! As long as you’ve made an effort to tailor the report to your audience and have your detailed findings in your back pocket to support that report — you should be able to present your findings with confidence.

1. Reference Everything. 

Citations are important! Avoid unverifiable claims and make sure to bridge any gaps of information by referencing where you obtained key facts and figures. Give your stakeholders the tools and opportunity to research and look into your findings themselves. Show that you know what you’re talking about in the compliance realm by referencing authoritative documents, calling out audit evidence, and providing insightful data.

2. Include a Reference Section. 

To keep your report from getting too congested with references and citations from standards that may detract from the ultimate message, whether those standards are from the local government, an official .gov publication, or another organization, include a reference section in your report and use appendices to your advantage. Even the report for a single audit can benefit from a well-structured references section.

3. Use Figures, Visuals, and Text Stylization. 

Use visuals to better convey your message — reports don’t have to be boring and drab. Circle or highlight the key points you want to convey, and employ font styling and color to draw attention to key facts and figures. Use tables or graphs to summarize key trends or important data wherever possible. 

4. Contextualize the Audit

Report key statistics and contextual details as part of your audit report to give relevance to audit findings and keep stakeholders invested in the content. Presenting financial information, like the company’s liabilities balance, in a vacuum, means very little. Providing context around that value and illustrating how it relates to the company’s overall financial position gives considerably more value. From there, stakeholders might have a better idea of whether they need to reduce liabilities or have room to take on more debt.

5. Share Positives and Negatives

Audits and auditors get a bad rap for only ever bringing bad news to the table. Break the stereotype and give stakeholders something to smile about by including positive findings, as well as issues and gaps. It may seem trite, but highlighting the positives will encourage those habits, processes, and teams to continue doing the good work.

6. Ensure Every Issue Includes the 5 C’s of Observations. 

Since issues and accompanying recommendations do make up some of the meat of an audit report, it is important to include sufficient detail when documenting and reporting on findings, gaps, or control deficiencies. As a guide for what details to include in the audit report, use the five “C’s” of recording observations: criteria, condition, cause, consequence, and corrective action plans (or recommendations).

7. Include Detailed Observations. 

Although writing a good audit report involves keeping it short, sweet, and on target, there are circumstances that call for “zooming in” on specific observations or findings. Not every finding needs this treatment in the report, but you may find that some observations are complex, require additional resources to remedy, or need to be called out for some other reason. Having a section in the report for Detailed Observations that dives into a subset of issues and includes additional facts and figures is a great way of drawing readers’ attention to higher-priority items.

8. Always Perform a Quality Assurance Check. 

Multiple reviews of an audit report that will be seen by management are recommended. Seek someone who does not have a direct connection to the audit so they can provide fresh eyes. If possible, ask someone from the department or function audited to review the report and provide feedback as well. Audit reports should only be finalized and delivered once the last level of review has been completed and any open comments are addressed.

9. Avoid Blame – State the Facts.

Aim to preserve the relationship with audit clients, especially if you are performing an independent audit as part of a CPA firm, by being as objective as possible and avoiding blame. Simply state issues, opinions, and recommended actions.

10. Be as Direct as Possible.

Avoid soft and indirect statements when making recommendations and opt for solid recommendations and calls to action instead. The reader will appreciate it.

What Should Be in an Audit Report?

Content matters when learning how to write a good audit report. One way of looking at audit report contents is based on IIA Standard 2410 - Criteria for Communications. In these internal auditing standards, we are told what the report must and should contain. Since we are all working from the same or similar auditing standards, audit reports have a basic structure most internal auditors follow. An audit report generally includes the following elements:

  • Scope and objectives.
  • Results, Recommendations, and Action Plans.
  • Conclusions.
  • Audit opinion (if applicable).

Any audit report typically starts with a description of the scope and objectives of the audit initiative. This section of the report establishes what the audit was about, why the audit risk areas mattered to management, and what the team included as part of the audit.

Next, the report details issues found in the results section and provides recommendations and action plans for each of the issues noted.

The conclusion section of the report allows the audit team a chance to make comments that extend beyond the individual issues in the results section. The conclusion section is also where most reports include the internal auditor’s opinion. The end of the report is a good opportunity to include a positive note acknowledging areas where management did well.

Types of Audit Opinions

While not all audit reports involve the issuance of an audit opinion, several do require independent auditors to provide an opinion, such as financial statements and annual reports. There are four possible ways an auditor can opine on these types of audits.

Image: Types of Audit Opinions

  • Unqualified Opinion - Results in an unqualified report, meaning that the auditor concludes that the company’s statements are represented fairly (in all material respects). This is the best outcome for an audit that requires an opinion.
  • Qualified Opinion - Results in a qualified report, meaning that the auditor has identified some areas where they cannot conclude that statements were represented fairly, and calls those areas out. This is a step down from an unqualified opinion, but preferable to the next two.
  • Adverse Opinion - Results in an adverse report, meaning that the auditor has detected a material misstatement and is issuing a negative opinion. 
  • Disclaimer of Opinion - In these cases, the auditors are unable to obtain sufficient evidence to form a conclusion, and do not express an opinion whatsoever.

Audit Reporting Checklist

To elevate your next audit report, follow our audit checklist on how to write a good audit report to make sure it clearly communicates the objectives, scope, and findings of an audit engagement — and in doing so, motivates its readers to take internal audit’s recommended actions.

If your team is ready to make the move to a technology solution for managing risk and compliance, issuing high-quality audit reports backed by reliable data, and collaborating with teammates around the world, AuditBoard is the platform for you. Elevate your audit programs with OpsAudit and start saving your organization time and overhead today.

Looking for more resources to take your internal audit team to the next level? Download the full in-depth Audit Management Playbook below and get more best practices, checklists, and tools for each stage of the audit lifecycle — planning, fieldwork, reporting, issue management, and scaling audit practices.

Frequently Asked Questions About Audit Reports

What is considered a good audit report?

A good audit report is clear, only as long as it needs to be, digestible, actionable, and targeted to the audience.

What are the 4 types of audit reports?

The four types of audit report opinions that can be issued are: unqualified, qualified, adverse, and a disclaimer of opinion.

What are the components of a complete audit report?

The components of a complete audit report are: the audit opinion (if applicable), scope, objectives, results and recommendations, and audit conclusions.

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

7040 Audit Conclusion Jul-2020 Last Reviewed: 03-Oct-2017

This section presents the requirements pertaining to the audit conclusion. It provides guidance on the four types of conclusion that are possible to reach as well as guidance on what to consider when forming a conclusion. There is also a specific reference to how to form a special examination opinion, including the concept of significant deficiency.

CSAE 3001 Requirements

21. If an objective in this CSAE or a relevant subject-matter-specific CSAE cannot be achieved, the practitioner shall evaluate whether this requires the practitioner to modify the practitioner’s conclusion or withdraw from the engagement (where withdrawal is possible under applicable law or regulation). Failure to achieve an objective in a relevant CSAE represents a significant matter requiring documentation in accordance with paragraph 82 of this CSAE.

28. If the engaging party imposes a limitation on the scope of the practitioner’s work in the terms of a proposed direct engagement such that the practitioner believes the limitation will result in the practitioner disclaiming a conclusion on the underlying subject matter, the practitioner shall not accept such an engagement as an assurance engagement, unless required by law or regulation to do so. (Ref: Para. A156(c))

34. In some cases, law or regulation of the relevant jurisdiction prescribe the layout or wording of the assurance report. In these circumstances, the practitioner shall evaluate:

(a) Whether intended users might misunderstand the assurance conclusion; and

(b) If so, whether additional explanation in the assurance report can mitigate possible misunderstanding.

If the practitioner concludes that additional explanation in the assurance report cannot mitigate possible misunderstanding, the practitioner shall not accept the engagement, unless required by law or regulation to do so. An engagement conducted in accordance with such law or regulation does not comply with CSAEs. Accordingly, the practitioner shall not include any reference within the assurance report to the engagement having been conducted in accordance with this CSAE or any other CSAE(s) (see also paragraph 75).

48. If it is discovered after the engagement has been accepted that some or all of the underlying subject matter is not appropriate for an assurance engagement, the practitioner shall consider withdrawing from the engagement, if withdrawal is possible under applicable law or regulation. If the practitioner continues with the engagement, the practitioner shall express a qualified conclusion or disclaimer of conclusion, as appropriate in the circumstances. (Ref: Para. A89)

49. The practitioner shall consider significance when: (Ref: Para. A90-A98)

(b) Evaluating whether the underlying subject matter is free from significant deviation.

56. The practitioner shall consider whether individual deviations identified during the engagement (other than those that are clearly trivial) have characteristics, for example a root cause or a problematic pattern, that indicate the aggregate effect of individual deviations is likely to be significant. (Ref: Para A120)

65. If one or more of the requested written representations are not provided or the practitioner concludes that there is sufficient doubt about the competence, integrity, ethical values, or diligence of those providing the written representations, or that the written representations are otherwise not reliable, the practitioner shall: (Ref: Para. A140)

(a) Discuss the matter with the appropriate party(ies);

(b) Reevaluate the integrity of those from whom the representations were requested or received and evaluate the effect that this may have on the reliability of representations (oral or written) and evidence in general; and

(c) Take appropriate actions, including determining the possible effect on the conclusion in the assurance report.

68. The practitioner shall evaluate the sufficiency and appropriateness of the evidence obtained in the context of the engagement and, if necessary in the circumstances, attempt to obtain further evidence. The practitioner shall consider all relevant evidence, regardless of whether it appears to corroborate or to contradict the measurement or evaluation of the underlying subject matter against the applicable criteria. If the practitioner is unable to obtain necessary further evidence, the practitioner shall consider the implications for the practitioner’s conclusion in paragraph 69. (Ref: Para. A147-A153)

69. The practitioner shall form a conclusion about whether the underlying subject matter is free from significant deviation. In forming that conclusion, the practitioner shall consider the practitioner’s conclusion in paragraph 68 regarding the sufficiency and appropriateness of evidence obtained and an evaluation of whether identified deviations are significant, individually or in the aggregate. (Ref: Para. A5, A120 and A154-A155)

70. If the practitioner is unable to obtain sufficient appropriate evidence, a scope limitation exists and the practitioner shall express a qualified conclusion, disclaim a conclusion, or withdraw from the engagement, where withdrawal is possible under applicable law or regulation, as appropriate. (Ref: Para. A156-A158)

71. The assurance report shall be in writing and shall contain a clear expression of the practitioner’s conclusion about the underlying subject matter. (Ref: Para. A4, A159-A161)

72. The practitioner’s conclusion shall be clearly separated from information or explanations that are not intended to affect the practitioner’s conclusion, including any findings related to particular aspects of the engagements, recommendations or additional information included in the assurance report. The wording used shall make it clear that findings, recommendations or additional information is not intended to detract from the practitioner’s conclusion. (Ref: Para. A159-A161)

73. The assurance report shall include at a minimum the following basic elements:

(l) The practitioner's conclusion on the objective of the engagement: (Ref: Para. A2-A4, A176-A181)

(i) When appropriate, the conclusion shall inform the intended users of the context in which the practitioner's conclusion is to be read. (Ref: Para. A178)

(ii) In a reasonable assurance engagement, the conclusion shall be expressed in a positive form. (Ref: Para. A177)

(iv) The conclusion in (ii) or (iii) shall be phrased using appropriate words for the underlying subject matter and applicable criteria given the engagement circumstances.

(v) When the practitioner expresses a modified conclusion, the report shall contain:

a. A section that provides a description of the matter(s) giving rise to the modification; and

b. A section that contains the practitioner's modified conclusion. (Ref: Para. A181)

75. If the practitioner is required by law or regulation to use a specific layout or wording of the assurance report, the assurance report shall refer to this or other CSAEs only if the assurance report includes, at a minimum, each of the elements identified in paragraph 73.

76. The practitioner shall express an unmodified conclusion when the practitioner concludes:

(a) In the case of a reasonable assurance engagement, that the underlying subject matter complies, in all significant respects, with the applicable criteria; or

77. If the practitioner considers it necessary to communicate a matter other than those specifically related to the underlying subject matter that, in the practitioner’s judgment, is relevant to intended users’ understanding of the engagement, the practitioner’s responsibilities or the assurance report, and this is not prohibited by law or regulation, the practitioner shall do so in a paragraph in the assurance report, with an appropriate heading, that clearly indicates the practitioner’s conclusion is not modified in respect of the matter.

78. The practitioner shall express a modified conclusion in the following circumstances:

(a) When, in the practitioner’s professional judgment, a scope limitation exists and the effect of the matter could be significant (see paragraph 70). In such cases, the practitioner shall express a qualified conclusion or a disclaimer of conclusion.

(b) When, in the practitioner’s professional judgment, there is a significant deviation in the underlying subject matter. In such cases, the practitioner shall express a qualified conclusion or adverse conclusion. (Ref: Para. A190)

79. The practitioner shall express a qualified conclusion when, in the practitioner’s professional judgment, the effects, or possible effects, of a matter are not so significant and pervasive as to require an adverse conclusion or a disclaimer of conclusion. A qualified conclusion shall be phrased to inform the intended users of the effects, or possible effects, of the matter to which the qualification relates. (Ref: Para. A187-A190)

80. If the practitioner expresses a modified conclusion because of a scope limitation but is also aware of a matter(s) that causes a significant deviation in the underlying subject matter, the practitioner shall include in the assurance report a clear description of both the scope limitation and the matter(s) that causes the significant deviation.

CSAE 3001 Application Material

A2. The practitioner in a performance audit describes in the report the objective of the engagement and the underlying subject matter so that the reader can understand and properly interpret the results. The wording of the objective would be determined by the circumstances of the engagement. For example, the objective for a performance audit may be to conclude whether the entity being audited has adequately managed a program so that the entity’s key responsibilities under that program have been met. The practitioner’s conclusion relates to the objective and scope of the engagement and follows logically from the description of the criteria and findings. If the engagement has more than one objective, the assurance report provides a conclusion on each objective.

A4. Where the underlying subject matter is made up of a number of aspects, separate conclusions may be provided on each aspect. All such separate conclusions do not need to relate to the same level of assurance. Rather, each conclusion is expressed in the form that is appropriate to either a reasonable assurance engagement or a limited assurance engagement. References in this CSAE to the conclusion in the assurance report include each conclusion when separate conclusions are provided.

A98. Concluding on the significance of the deviations identified as a result of the procedures performed requires professional judgment. For example:

  • The applicable criteria for a performance audit for a hospital’s emergency department may include the speed of the services provided, the quality of the services, the number of patients treated during a shift, and benchmarking the cost of the services against other similar hospitals. If three of these applicable criteria are satisfied but one applicable criterion is not satisfied by a small margin, then professional judgment is needed to conclude whether the hospital’s emergency department represents value for money as a whole.
  • In a compliance engagement, the entity may have complied with nine provisions of the relevant law or regulation, but did not comply with one provision. Professional judgment is needed to conclude whether the entity complied with the relevant law or regulation as a whole. For example, the practitioner may consider the importance of the provision with which the entity did not comply, as well as the relationship of that provision to the remaining provisions of the relevant law or regulation.

A120. “Clearly trivial” is not another expression for “not significant.” Matters that are clearly trivial will be of a wholly different (smaller) order of importance than significance determined in accordance with paragraph 49, and will be matters that are clearly inconsequential, whether taken individually or in aggregate and whether judged by any criteria of size, nature or circumstances. When there is any uncertainty about whether one or more items are clearly trivial, the matter is considered not to be clearly trivial.

A152. Whether sufficient appropriate evidence has been obtained on which to base the practitioner’s conclusion is a matter of professional judgment.

A155. The practitioner’s professional judgment as to what constitutes sufficient appropriate evidence is influenced by such factors as the following:

  • Importance of a potential deviation and the likelihood of its having a significant effect, individually or when aggregated with other potential deviations, on the practitioner’s report.
  • Effectiveness of the appropriate party(ies)’s responses to address the known risk of significant deviation.
  • Experience gained during previous assurance engagements with respect to similar potential deviations.
  • Results of procedures performed, including whether such procedures identified specific deviations.
  • Source and reliability of the available information.
  • Persuasiveness of the evidence.
  • Understanding of the appropriate party(ies) and its environment.

A156. A scope limitation may arise from:

(a) Circumstances beyond the control of the appropriate party(ies). For example, documentation the practitioner considers to be necessary to inspect may have been accidentally destroyed;

(b) Circumstances relating to the nature or timing of the practitioner’s work. For example, a physical process the practitioner considers to be necessary to observe may have occurred before the practitioner’s engagement; or

(c) Limitations imposed by the responsible party or the engaging party on the practitioner that, for example, may prevent the practitioner from performing a procedure the practitioner considers to be necessary in the circumstances. Limitations of this kind may have other implications for the engagement, such as for the practitioner’s consideration of engagement risk and engagement acceptance and continuance.

A157. An inability to perform a specific procedure does not constitute a scope limitation if the practitioner is able to obtain sufficient appropriate evidence by performing alternative procedures.

A177. An example of a conclusion expressed in a form appropriate for a reasonable assurance engagement is: “In our opinion, the entity has complied, in all significant respects, with XYZ law.”

A178. It may be appropriate to inform the intended users of the context in which the practitioner’s conclusion is to be read when the assurance report includes an explanation of particular characteristics of the underlying subject matter of which the intended users should be aware. The practitioner’s conclusion may, for example, include wording such as: “This conclusion has been formed on the basis of the matters outlined elsewhere in this independent assurance report.”

A180. Forms of expression which may be useful for underlying subject matters include, for example, “in compliance with” or “in accordance with.”

A181. Inclusion of a heading above paragraphs containing modified conclusions, and the matter(s) giving rise to the modification, aids the understandability of the practitioner’s report. Examples of appropriate headings include “Qualified Conclusion,” “Adverse Conclusion,” or “Disclaimer of Conclusion” and “Basis for Qualified Conclusion,” “Basis for Adverse Conclusion,” as appropriate.

A187. The words “except for” are commonly used to indicate the matter(s) to which a qualification relates. However, other wording may be used to clearly indicate those matter(s).

A188. The term “pervasive” describes the effects on the underlying subject matter of deviations or the possible effects on the underlying subject matter of deviations, if any, that are undetected due to an inability to obtain sufficient appropriate evidence. Pervasive effects on the underlying subject matter are those that, in the practitioner’s professional judgment:

(a) Are not confined to specific aspects of the underlying subject matter; or

(b) If so confined, represent or could represent a substantial proportion of the underlying subject matter.

A189. The nature of the matter, and the practitioner’s judgment about the pervasiveness of the effects or possible effects on the underlying subject matter, affects the type of conclusion to be expressed.

A190. Examples of qualified and adverse conclusions and a disclaimer of conclusion are:

  • Qualified conclusion (an example for limited assurance engagements with a significant deviation) – “Based on the procedures performed and the evidence obtained, except for the effect of the matter described in the Basis for Qualified Conclusion section of our report, nothing has come to our attention that causes us to believe that the entity has not complied, in all significant respects, with XYZ law.”
  • Qualified conclusion (an example for reasonable assurance engagements with a significant deviation) – “We conclude that the entity increased the capacity of its facilities in a manner that meets its needs in the short term. However, the entity did not develop a long-term plan to ensure its capacity needs will be met in the future.”
  • Adverse conclusion (an example for a significant and pervasive deviation for both reasonable assurance and limited assurance engagements) – “Because of the importance of the matter described in the Basis for Adverse Conclusion section of our report, the entity has not complied, in all significant respects, with XYZ law.”
  • Disclaimer of conclusion (an example for a significant and pervasive limitation of scope for both reasonable assurance and limited assurance engagements) – “Because of the importance of the matter described in the Basis for Disclaimer of Conclusion section of our report, we have not been able to obtain sufficient appropriate evidence to form a conclusion on whether the entity has complied, in all significant respects, with XYZ law. Accordingly, we do not express a conclusion on such compliance.”

Financial Administration Act Requirements for Special Examinations

Section 139(1) An examiner shall, on completion of the special examination, submit a report on his findings to the board of directors of the corporation examined.

(2) The report of an examiner under subsection (1) shall include

(a) a statement whether in the examiner’s opinion, with respect to the criteria established pursuant to subsection 138(3), there is reasonable assurance that there are no significant deficiencies in the systems and practices examined; and

(b) a statement of the extent to which the examiner relied on internal audits.

Audits shall have a clear conclusion against the audit objective. [Nov-2016]

OAG Guidance

What CSAE 3001 means for the audit conclusion

The standard requires that the audit concludes against the audit objective and that the conclusion is clearly indicated in the audit report.

The standard also requires that the engagement leader supports the audit conclusion with sufficient appropriate evidence, and that he/she forms a conclusion about whether the subject matter is free from significant deviation (see OAG Audit 2020 Significance).

If the evidence shows that one or more of the audit criteria have not been met, then the engagement leader must use professional judgment to decide whether to express a “reservation” in the form of a qualified or an adverse conclusion, and explain the reason for the reservation in the audit report.

If the team has been unable to obtain sufficient appropriate evidence regarding an entity’s conformity with any of the audit criteria, we have a scope limitation. The standards require that the engagement leader expresses a qualified conclusion, disclaims a conclusion, or withdraws from the audit. A disclaimer of conclusion rarely occurs in the OAG’s performance audits and could not occur in special examinations.

The following diagram illustrates the steps set out in CSAE 3001 in forming the conclusion, with relevant paragraph numbers referenced.

[Diagram: steps in forming the conclusion under CSAE 3001]

How to form a conclusion

In forming conclusions, using their professional judgment, the auditors evaluate the sufficiency and appropriateness of the evidence obtained (see OAG Audit 7021 Evaluate sufficiency and appropriateness of audit evidence, and OAG Audit 1051 Sufficient appropriate audit evidence). They also assess the significance (see OAG Audit 2020 Significance) of the findings in relation to the audit objective. The conclusion should not be a summary of findings, but rather be a clear conclusion against the audit objective.

The conclusion has to be expressed using a positive form; for example, “The entity has complied, in all significant respects, with xyz . . .”

There are essentially four different types of conclusions that can be used in direct engagements:

  • unmodified (clean) conclusion (“yes”);
  • qualified conclusion (“yes, but” or “no, but”);
  • adverse conclusion (“no”); and
  • disclaimer of conclusion (when the audit team is unable to conclude due to lack of sufficient appropriate evidence).

Audit team members need to clearly communicate the type of conclusion in the audit report. They also need to use professional judgment in forming a conclusion (OAG Audit 1042 Applying professional judgment). For example, the team may decide to qualify the conclusion when some parts of an entity’s performance are satisfactory while others are unsatisfactory. The conclusion can then contain an "except for" statement to disclose the deviations from satisfactory performance.

If it is an unmodified (clean) conclusion (“yes”) or an adverse conclusion (“no”), the audit team should echo the words of the audit objective(s) in the conclusion. In an adverse conclusion, the audit team should also ensure to have a very clear “no.” An adverse conclusion is used when the significance and extent of the deviations from satisfactory performance are pervasive. When performance is fully satisfactory or highly unsatisfactory, concluding against the overall objective may be straightforward and the audit report will reflect a completely positive or adverse conclusion, as appropriate.

A qualified conclusion (“yes, but” / “no, but”) should contain the following essential elements: (1) clear announcement of the conclusion with specific reference to the audit objective, (2) clear “placement” (“yes, but / no, but”), and (3) reason for the (“yes, but / no, but”). For example:

(1) We conclude that the Department of Widget Affairs administered its Widget program in accordance with the Widgets Act, (2) with some improvement required in communications. (3) In particular, Widget status reports need to be communicated from headquarters to regional offices sooner so that Widget officers in the field have up-to-date lists of fees to be charged.

The core of a clear overall audit report conclusion is a single key paragraph with a clear overall conclusion. In straightforward cases, the entire conclusion may only be one paragraph. In more complex cases (multiple auditees, not a clean conclusion, etc.), further explanatory paragraphs can be added if the conclusion is not self-evident. The conclusion should be in a separate section of the written audit report in order to make it clear to the readers that this is the conclusion of the audit, not a finding on a specific aspect of the audit or a recommendation (see OAG Audit 7030 Drafting the audit report).

If, despite best efforts, an audit team is unable to obtain sufficient appropriate evidence, it may report the available evidence and its limitations, but it cannot draw findings and conclusions from the evidence. If the OAG decides to report the matter, it would state it as a qualification to the conclusion—that the auditors could not evaluate part of the subject matter because of lack of evidence (i.e. scope limitation). When the lack of evidence is significant, the audit report will express a “disclaimer of conclusion” due to incapacity to obtain sufficient appropriate audit evidence.

If the audit team determines there is a scope limitation (which occurs when the team is unable to obtain sufficient appropriate evidence), it would either explain it in the conclusion using a qualified conclusion or a disclaimer of conclusion (as explained above).

Special examinations

Special examination opinion statement and conclusion. Consistent with sub-paragraph 139(2)(a) of the Financial Administration Act (FAA), each special examination report must include a statement on whether in the examiner’s opinion and based on the established criteria, reasonable assurance exists that there are no significant deficiencies in the Crown corporation’s systems and practices examined.

The special examination opinion statement serves as a basis for the conclusion against the audit objective and is included in the conclusion paragraph in the audit report.

The special examination conclusion can take one of the following forms:

Unmodified (clean) conclusion. In our opinion, based on the criteria established, there was reasonable assurance there were no significant deficiencies in the Corporation’s systems and practices that we examined. We concluded that the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Qualified conclusion (one significant deficiency). In our opinion, based on the criteria established, there was a significant deficiency in the Corporation’s [identify specific systems and practices named in report], but there was reasonable assurance there were no significant deficiencies in the other systems and practices that we examined. We concluded that, except for this significant deficiency, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Qualified conclusion (two significant deficiencies). In our opinion, based on the criteria established, there were significant deficiencies in the Corporation’s [identify the two systems and practices named in report], but there was reasonable assurance there were no significant deficiencies in the other systems and practices that we examined. We concluded that, except for these significant deficiencies, the Corporation maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Adverse conclusion. In our opinion, based on the criteria established, there were significant deficiencies in the Corporation’s systems and practices that we examined for corporate management and management of operations. As a result of the pervasiveness of these significant deficiencies, we concluded that the Corporation had not maintained its systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

Because the FAA prescribes the need to provide a statement of opinion on the systems and practices selected for examination, a disclaimer of conclusion is not an option for special examinations. In the special examination practice, the ability to report on a significant deficiency replaces the need to disclaim a conclusion. If, for example, there was an inability to obtain sufficient appropriate evidence related to one of the areas selected for examination, the engagement team would either opine that there is a significant deficiency in the specific area (i.e. it would issue a qualified conclusion) or, where the inability affects multiple areas, that there is no reasonable assurance that the corporation’s systems and practices selected for examination achieved the statutory control objectives (i.e. the team would issue an adverse conclusion).

The special examination report template prescribes where the opinion should be located in the audit report as well as the exact wording of the statement/conclusion to be used in the possible scenarios (unmodified, qualified, or adverse) (see OAG Audit 7030 Drafting the audit report).

What is a significant deficiency? The FAA prescribes that the words “significant deficiency” be used in the opinion, but does not define the term. The OAG considers a significant deficiency to have occurred when there is a significant deviation from criteria. A significant deficiency is reported when the systems and practices examined did not meet the criteria established, resulting in a finding that the Corporation could be prevented from having reasonable assurance that its assets are safeguarded and controlled, its resources are managed economically and efficiently, and its operations are carried out effectively.

Significance is judged in relation to the reasonable prospect of a matter influencing the judgments or decisions of a user of a special examination report. For example, factors that may influence the engagement team’s judgment on what is significant in a particular circumstance might include the potential public, legislative, economic, or environmental impact.

Clearly, the definition of “significant” is a matter of judgment and depends on the circumstances. Ultimately, one of the major deciding factors is the identified or potential impact of a deficiency.

Factors considered to determine if a significant deficiency exists. The engagement team may take the following factors into account when determining whether a finding constitutes a significant deficiency:

Extent of deviation from criteria. A finding should be clearly linked to criteria and, for it to be significant, there should be substantial deviation from criteria. Where there are deviations, the engagement team needs to establish whether there are compensating systems or practices to help achieve the desired result.

Impact of the deficiency. To be significant, the deficiency’s impact on achieving the corporation’s statutory control objectives should be clear, serious, and consequential. When selecting key systems and practices and developing criteria, considering the corporation’s exposure to risk will help trace the impact of any deficiencies subsequently identified. The impact may be potential; that is, the consequences may not have materialized yet.

Relevance to the board, the Minister, Parliament, or other users of the report. The engagement team should consider what is of interest and relevance to report users. If a finding is of little or no consequence to users, it may not be significant. What is relevant to report users are a finding’s impact (what it will mean to them) and cause (why it happened). Of course, there may be a difference of opinion between what the engagement team believes is relevant to users and the corporation’s views on the issue, in which case the examiner would report the deficiency as significant if convinced of its consequence to users.

Practicality of the solution. If the likely cost of correcting the deficiency is greater than the benefit to be derived, the deficiency’s significance may be questionable.

Number of reported deficiencies. Minor deviations from several criteria may signal minor problems, or may be symptoms of a problem (or theme) of greater significance that should be reported as a significant deficiency.

Planned corrective actions. If the corporation has action plans in place or even in process to correct deficiencies that have been classified as significant, these deficiencies should still be included in the report as significant because they existed during the examination period and because there is no assurance that the planned actions will correct the problem or that the actions will continue after the report date.

How is a significant deficiency formulated? A significant deficiency must have a clear evidentiary link to a criterion. Problems often occur when the wording used to describe the deficiency is too general; for example, if the significant deficiency does not discuss the impact(s).

In order to be clear and meaningful, a significant deficiency should identify the problem, its cause, and its effect.

All reasoning behind the decision on the significance of a given deficiency must be documented in the examination file.

Related Sections

  • OAG Audit 1042 Applying professional judgment
  • OAG Audit 1051 Sufficient appropriate audit evidence
  • OAG Audit 2020 Significance
  • OAG Audit 4041 Audit objective
  • OAG Audit 7021 Evaluate sufficiency and appropriateness of audit evidence
  • OAG Audit 7030 Drafting the audit report

How to Write an Audit Report

Last Updated: March 6, 2023

This article was co-authored by Michael R. Lewis. Michael R. Lewis is a retired corporate executive, entrepreneur, and investment advisor in Texas. He has over 40 years of experience in business and finance, including as a Vice President for Blue Cross Blue Shield of Texas. He has a BBA in Industrial Management from the University of Texas at Austin. There are 9 references cited in this article, which can be found at the bottom of the page.

An audit report is the formal opinion of audit findings. The audit report is the end result of an audit and can be used by the recipient person or organization as a tool for financial reporting, investing, altering operations, enforcing accountability, or making decisions. An effective audit report is essential to making sure the results of your audit are presented in a way that is useful to the party receiving the audit.

Preparing to Write an Audit Report

  • Illustrating non-conformities: The main goal of any audit report is to illustrate where the organization does not conform with whatever standard, rule, regulation or objective that it is supposed to. It is important to clearly identify the non-conformity, as well as the standard it does not conform to. It is then important to demonstrate which evidence you used to confirm the non-conformity. The goal is that each non-conformity will contain enough information so that the receivers of the audit report can change it. [1]
  • Outlining positives: An audit report should not just include negatives. This is especially true for compliance reports, and operational audits. This allows the organization to focus on areas that are working and apply these to other areas. For example, if you are conducting a compliance audit to ensure an organization meets training requirements, you may say, "The audit reveals the current training program has exceeded requirements on-time and on-budget".
  • Opportunities for improvement: Beyond indicating things that are not conforming to requirements (non-conformities), it is important to also indicate high-risk areas, or areas that may be in compliance but are at risk of eventually not complying, or could be improved. [2]

Tip: Make sure to define all the terms and abbreviations you use, as the standard forms of communication have potential to change.

  • Financial Audit: This is the most commonly known form of audit and refers to the systematic review of a company's financial reporting to ensure all information is valid and conforms to GAAP standards.
  • Operational Audit: An operational audit is a review of an organization's usage of resources to ensure those resources are being utilized as efficiently and effectively as possible to accomplish the mission and goals of the organization.
  • Compliance Audit: A compliance audit is performed to determine if an organization or program is operating in accordance with laws, policies, regulations, and procedures.
  • Investigative Audit: These are typically commissioned when there is an assumed violation of rules, regulations, or laws, and may involve a blend of all the previously mentioned types of audit.

  • A clean opinion is used if an entity's financial statements are a clear representation of an entity's financial opinion.
  • A qualified opinion is used when there were scope limitations on the auditor's work. Scope limitations are restrictions on the audit caused by the client or other events that do not allow the auditor to complete all aspects of his or her audit procedures.
  • An adverse opinion is used if financial information was misstated.
  • A disclaimer opinion can be triggered by several different situations. For example, the auditor may not be independent or there are concerns with the auditee. [4]

Beginning Your Report

  • Provide perspective for the reader, giving a fair balance of the positive and negative results of the audit.
  • Be precise, and avoid redundant phrasing and inexact terminology. In the interest of clarity, opt for shorter sentences over longer ones. A limit of 15 to 18 words is recommended in business writing. Also, avoid intensifiers like "clearly," "special," "key," and "reasonable," as these lack precision.
  • Do not use passive voice. Passive voice can be difficult to read. Instead of saying "No irregularity of operation was found" say "The audit team found no evidence of irregularity."
  • Use bullet points, which break up difficult information and make it clearer for the reader.
  • Use gender neutral terms.
  • Do not use audit buzzwords. Buzzwords are ambiguous, overused phrases like "generally improved," "significant risk," and "tighten controls."

  • For example, if you are auditing the processes for a particular department of an organization, you may consider breaking the department up into several key sections and reporting findings that way.

  • Why was the audit conducted?
  • What was included and not included in the audit?
  • What was the time period audited?
  • What were the audit objectives? [6]

  • A brief description of what was audited, objectives, scopes, and time periods.
  • Statements of significant action plans.
  • Overall statements of concerns and conclusions.
  • Overall audit report rating. [8]

Writing Your Results and Recommendations

  • Criteria is an explanation of management goals and the standards used to evaluate the program, function, or activity audited.
  • Condition is how effectively department management is meeting goals and/or achieving standards. Goals can either be fully achieved, partially achieved, or not achieved.
  • Cause is a statement on the reason things have gone well or poorly. Possibilities include inadequate procedures, procedures not being followed, poor supervision, or unqualified employees.
  • Effect states the result of the conditions, in quantifiable terms. Is the effect increased risk or exposure? Is it monetary cost? Is it poor performance? This should be addressed when you cover effect. [10]

  • Be positive. Focus on what is going right at the moment, and how the good aspects of the entity can be applied in ineffective areas.
  • Be specific. Be very clear as to what specific aspects do not adhere to protocol, and what concrete steps could be implemented to ensure compliance.
  • Identify who should act. Does the company need better employee performance or should management be picking up the pace? Make clear who needs to make changes.
  • Keep recommendations brief. Be succinct: only include details that are necessary to your point. [11]

  • Include a cover page. The cover page should be three or four lines, and outline the subject of the audit report and the type of audit.
  • A memo should follow the cover page. The memo should be one or two short paragraphs overviewing who and what was audited, who has received or is receiving the report, and plans for future distribution.
  • A table of contents follows the memo, and it contains a catalogue of chapters, page numbers, sections, and suggestions of the audit.
  • The report should be written in plainly-worded, non-technical language and use proper grammar and paragraph organization.
  • Reports are organized by chapters, each with a title, and by sections and subsections, each marked with a heading. Headings should go from general to more specific. [12]


References

  • http://www.qualitydigest.com/june07/articles/05_article.shtml
  • https://www.cmu.edu/finance/audit-services/internal/types-of-audits.html
  • https://www.icaew.com/-/media/corporate/files/helpsheets/technical/aaf-guides/audit-report-disclaimer-of-opinion.ashx
  • https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101
  • https://audit.mit.edu/guidance-resources/what-expect/what-are-audit-ratings
  • https://financialcrimeacademy.org/reporting-recommendations-and-findings/
  • https://www.iiafiji.org/resources/bbc5020b-a5ab-4388-b633-83813515c797.pdf
  • https://www.anao.gov.au/work/performance-audit/implementation-audit-recommendations
  • https://www.wallstreetmojo.com/audit-report-format/

About This Article

Michael R. Lewis

To begin an audit report, write an "Introduction" that gives background information. Then, add a "Purpose and Scope Methodology" section that outlines your goals and explains what you included and excluded from your report. After this section, add your disclaimer, the "Statement on Auditing Standards," and end with your "Executive Summary." This summary should explain your findings, ratings, and any action that will be taken. Throughout the report, use concise language and bullet points.

The Auditor

An Exemplar Global publication.

Writing A Great Audit Report

by Richard A. Vincins

Preparing for and conducting an audit are the initial components of the audit process; writing a good audit report is the final step. However, auditors are often frustrated when their audit reports are not taken seriously or used effectively because they do not provide meaningful information. This article will discuss how to write a great audit report so that whether it’s used internally or externally, the audit report conveys the proper information. We will discuss some of the best practices for audit report writing to ensure that the content of an audit report is not merely sufficient. This article will also cover writing audit reports for both internal audits and external audits, such as supplier audits or compliance audits. It will conclude with another important aspect of writing a great audit report: timely distribution so the results of the audit are kept fresh and current.

Know your audience

One of the more difficult aspects of writing an audit report is understanding your intended audience. This may seem like common sense, but many audit reports are confusing to the recipient or not at the right level. This is particularly true for compliance audits where the findings are written in regulatory jargon so that the meaning of the finding is not clear. Writing a great audit report requires that you put yourself in your audience’s perspective to make sure the content is understandable and what the audience expects. Internal audit reports are typically sent to the process owner or department manager. They will expect to see a list of specific findings. Generally, internal audit reports can be written with more technical terms because the reader will understand the relation to the processes at the company. This may not be true when writing external audit reports.

When sending external audit reports to a recipient such as a supplier or contract manufacturer, he or she will want to see more of a narrative of the issues that were found during the audit. In fact, the audit findings may need to be written in plain terms that may come close to sounding like recommendations so that the external party knows what actions must be taken. The audience of the audit report may not have adequate knowledge of regulations or standards referenced in the report. If the report contains technical terms or regulatory terms from a standard that the auditee may not be familiar with, then the audit report will be confusing to him or her. Writing the report with the auditee’s experience in mind will ensure that it is not disregarded because the recipient does not understand it.

Use a standard template for your audit report

Another way of writing great audit reports is to standardize them, which can be accomplished through using templates. Developing a standardized report template for audits will also ensure that multiple auditors are conveying similar information. Typically, organizations already have an internal audit report for their quality systems. However, many organizations do not utilize the same report for external audits or allow different departments to publish their own external audit report. This results in suppliers or contract manufacturers not receiving consistent information or receiving inadequate information from the auditors.

A standard template allows the company to convey to external parties the proper information of the audit criteria, audit findings, and what is expected from the organization in the future. This may include a clear delineation of audit findings that require corrective action. By having a standard template for internal audits and external audits the organization conveys the correct and complete information to the recipient.

Generate a clear and concise list of findings

The list of findings in the audit report needs to be generated at the appropriate level for the recipient and provide enough detail that the finding is understood. An audit report might be reviewed by the auditee weeks later and he or she may have already forgotten what was covered during the audit. If the finding in the audit report does not convey the deficiency appropriately, the auditee may not apply the corrective action needed to resolve the issue. Audit findings are not easily applied to different situations, so an audit finding statement may not be able to be “reused” in the audit report. However, it may be possible to utilize an audit checklist that will help the organization keep consistency between audits performed at different times.

Internal audit reports typically include more technical information than all personnel at the company would understand. When writing an audit report for an external audit, simpler phrasing may be required, with the audit findings written in plain terms. The external parties may not have the expertise to understand how an audit finding relates to their overall business because they may not have a quality management system (QMS) implemented. The following two statements show a comparison between an audit finding written for an internal audit report and the same finding written for an external audit report. This example shows that the same audit finding can be interpreted or read differently by the audience depending on their knowledge and experience with quality systems.

  • Internal audit report: There is no evidence of employee training as there was no training record completed for the quality system procedures. According to the training chart, form 6.2-1-2, the employees must be trained on required procedures according to their job description. Specifically, two employees’ training records were reviewed with no evidence of completed training records to the required quality system procedures because the form 6.2-1-1 was not completed.
  • External audit report: There is no record that employees have been trained on their specific job functions. Without a record to show that employees are properly trained, the quality of the product cannot be fully assured. The training must be completed to support that the products of Company X are made consistently to specification.

Another method to be applied for writing a great audit report is to not use “wishy-washy” words or “gobbledygook” (long phrases with no meaning). Make the audit finding statements clear and concise. Write the findings without emotion or feeling words so that the audit report is fact-based. Don’t confuse the recipient of the audit report by writing around the issue or trying to soften its message. Doing so makes it less likely the appropriate corrective action will be applied or the auditee may even choose not to do anything because he or she doesn’t understand the report. The audit finding must be written concisely with clear statements that relate back to the observation because the audit report may be reviewed weeks later.

Timely distribution of the audit report

Although it may not be directly related to the writing of an audit report, the timely distribution of the audit report is still an important aspect of the audit process. The audit report could be the best audit report ever produced, but if it’s sent to the auditee a month after the audit, the report loses much of its relevance. A great audit report is one that is sent in a timely manner to the auditee whether it is an internal or external audit report. A good rule of thumb is to send the audit report within five to 10 working days. Beyond 10 working days the recipient may not take the audit report seriously. In fact, audit reports that are not sent to external parties in a timely manner lose much credibility for the organization. When a great audit report has been written, make sure this is also sent promptly to have the most benefit.

Audit report–Conclusion

To write a good audit report takes practice. To write a great audit report takes much more practice. Hopefully the discussion presented in this article will help bridge that gap to present much better audit reports, be they for internal or external audits. Before you begin writing the audit report, think about your intended audience. Don’t write to yourself; as you are writing, think about saying the statement to your intended audience. Use standard templates for the audit report to stay consistent while providing the correct information to the auditee each time. Ensure that the audit findings are clear and concise to convey the appropriate level of detail. Then make sure that the audit report is sent in a timely manner so the audit does not lose its priority.

About the author

Richard A. Vincins, CQA, CBA, RAC(US, EU) is the vice president of quality assurance with Emergo Group, a global medical device consulting firm with headquarters in Austin, Texas. He is responsible for the implementation of quality systems, conducting quality system audits, training on quality system tools, and providing regulatory expertise in national and international regulations. Vincins has more than 20 years of experience in the medical industry, including worldwide regulatory compliance efforts for in-vitro device, medical device, and pharmaceutical companies. 


Yellowbook-CPE.com

CPAs and Auditors - Continuing Professional Education

Why Should the Conclusion in an Audit Report Mirror the Objective?

February 4, 2022

In this episode of THE SAMPLE, Leita Hart-Fanta, CPA covers the concept of mirroring the objective in the internal audit report conclusion.


Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.

In this episode I answer the question, “Why should the internal audit report conclusion mirror the objective?” The conclusion and objective should sound like each other, just in reverse. The conclusion, of course, answers the objective.

Consider this paragraph that performance auditors put into their audit reports if they’re following Yellow Book standards. The second sentence. Those standards require that we plan to perform the audit to obtain evidence as a basis for our findings and conclusions based on our objectives. So we have two deliverables at the end of an audit: the conclusion against our objective and findings.

Now what I see out there in practice when I’m working with various audit teams, is I see that some auditors somehow got the idea that their main goal in doing an audit was to generate findings. That’s not really what you’re after. You’re after the answer to your objective. You’re after that conclusion, which some people call audit opinions.

As you’re after, as you’re pursuing, the answer to that objective, you see things along the way that you need to report to those in charge of governance. And those are called findings. So findings are secondary. The conclusion is primary. And because of that, I recommend that you put the conclusion to your audit as the first line in your audit report because that’s what you’re really going after, and that’s where you should focus the reader’s attention, the user’s attention, on that.

For instance, look at this audit report. I love how they put the internal audit report conclusion on the very front page against their own objective. That is very cool. See, here’s their objective, but they put the conclusion right on the front page. Yeah! Nice.

Let’s look at a few objectives and let’s ask ourselves, “Could we conclude against that objective?” Alright. So for this one, I’m going to say, “Yeah, we could conclude.” See how that mirrors and looks and sounds pretty much exactly the same? Nice. Okay.

Would you be comfortable concluding on this one? Personally, I would not, because I do not like the words economical and effective. However, if it says that they were following IT purchasing regulations issued by the state, I’d feel more comfortable if I just left out these braggy words here of economical and effective.

How about this one? Would you feel comfortable concluding on this? Too much squishiness, vagueness, and general words in this one. I don’t like it.

How about this number three? I’m not crazy about that either because I don’t know what asset you’re talking about, or which component or principle of internal control you’re focusing on. This is too broad for me still.

This one, the last one, is something I feel like I could conclude on. I’m kind of digging it. Although medical equipment is a little bit of a broad term. Maybe we need to get more specific about the controls in place, maybe some criteria. But I feel like I could conclude, “The cancer clinic is not protecting medical equipment from theft.”

So, of course, this is a super short video. If you want to learn more about why those objectives weren’t so great, I recommend a short video that’s available on my website called How To Tackle a Challenging Audit Objective.

That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me leita@yellowbook-cpe.com and I’ll do my best to fill in the blanks. Thanks for playing.

For More Info:

Tackling a Challenging Audit Objective – Video Course


Steps in Writing an Audit Report


An audit report is a document created by a professional auditor at the conclusion of the auditing process. It provides a detailed summary of each of her findings. Audits are conducted for a variety of reasons, including for the purposes of acquiring monetary capital and maintaining government compliance. The four types of audit reports, also called opinions, are accepted as standard by the American accounting community: unqualified, qualified, adverse and disclaimer of opinion. Regardless of type, each audit report is written in the format of a formal business letter.

Title and Introduction

Give it a title, such as “2010 XYZ Company Independent Financial Auditor’s Report.” The title of the document should be simple and straightforward. In addition, it must include the word “independent,” for this informs all readers that the report was created by an unbiased third party.

Immediately following the title, the introduction of an audit report is a concise one-paragraph statement. Included is the name of the firm being audited, as well as the dates that the audit covers. In most instances, these dates encompass the company’s fiscal year.

Responsibilities of Directors And Auditors

Spell out the responsibilities of the directors of the firm being audited, as well as those of the auditor. This section indicates that the duty of the company’s management team is to create and provide all financial documentation required for the audit to be successfully completed. In addition, that data must be, to the best of their knowledge, accurate. This paragraph also indicates that the auditor’s role is to review all financial statements provided by the firm. Based upon that information, he must form and present an opinion of the financial status of the organization.

Basis of Opinion

Write the basis of opinion. This portion opens with the auditor’s opinion, delivered as plainly as possible. It goes on to explain that the audit was conducted in a manner compliant with the U.S. Generally Accepted Auditing Standards. After describing the entire audit process, the auditor must include all pertinent resources that support her opinion. Although this section may be longer than one paragraph, it should be written as succinctly as possible.


KJ Henderson has more than a decade of HR and talent acquisition experience. He has held roles at a Fortune 100 investment bank, a media conglomerate and at one of NYC's largest executive staffing firms. He currently heads recruitment sourcing at a major movie studio. He read literature at Oxford.


Information Systems Audit Report – Database Security


Audit Conclusion and Key Findings

Audit conclusion

The seven sampled agencies have not adequately protected information from attackers to prevent unauthorised access and data loss. Sensitive and confidential information is at risk and agencies may not know if or the extent to which data is compromised.

We identified 115 findings with failures in all seven key areas. Most concerning was a lack of some basic controls over passwords, patching and setting of user privileges. Our findings also revealed copies of sensitive information across systems and poorly configured databases. We rated these types of weaknesses as extreme or high given how easily an attacker can exploit them to gain the level of access needed to view or modify data.

Key findings

We have structured our findings in line with the seven key areas we tested.

The first four areas (attack surface, account security, system hardening and version/patching) represent the greatest risk to databases and the information they contain. It is concerning, then, that these four areas make up 64 per cent (73) of the total findings, with 47 per cent (54 of the total 115 findings) rated extreme or high.

Table 1 - Findings by severity

Each agency had at least three findings that we rated as extreme or high. Figure 1 shows the number and severity of the findings per agency database.

Figure 1 - Findings per severity

Attack surface

The greater the attack surface of a system the more likely it is to be compromised. This part of the health check gauges the attack surface by checking what applications and services are installed and accessible.

We found that agencies have increased the risk of unauthorised access and loss of information by increasing the number of opportunities for exploitation. This type of weakness made up 25 (22 per cent) of the total findings of which 18 were rated as extreme or high risk.

Figure 2 - Attack surface findings by severity

We found several agencies did not separate their production, test and development environments. These environments replicated information from production (live) databases across all environments. This increases the attack surface by making the data more freely available to a wider pool of staff and contractors without the same level of security afforded to the production database.

Settings in the database that are disabled by default when installed were enabled without reason. For example, we found settings enabled to allow the execution of operating system commands that permit the extraction of information from the database or to run unsolicited programs. These functions can allow an attacker or a well-crafted piece of malware to perform unauthorised activity leading to the compromise of the server and the data it contains. Alternatively they may be able to use the compromised server as a stage to perform other unauthorised activity across the entire network.

The ‘PUBLIC’ role in a database gives all users its assigned privileges. We found many databases that have allocated Read/Write privileges to PUBLIC, thereby providing all users with highly privileged access and creating information security risks. We also found instances where this account was allocated access to network folders, which creates additional vulnerabilities and introduces data integrity risks.

We found database links accessible by PUBLIC in a small number of databases. This allows access from one database to other connected databases so anyone with access to one may access the other. This includes the execution of programs to compromise information held in the databases within the local network or from other external networks and the Internet.

Databases contained unused schemas and automatic procedures, which can lead to a full compromise of the server. Schemas are the ‘blueprint’ for how information is structured in a database, so leaving unused ones in place increases the exposure of information to attackers. These types of weaknesses also increase the likelihood of security vulnerabilities in the databases, further increasing the risk of information being exploited.

We found a number of database servers that have multiple unrelated application databases. This increases the connections and activity on the database server and the likelihood of unauthorised access or cyber threats in general. It is better practice for each production database, if critical to the operations of the agency, to have its own dedicated server when the information it contains is sensitive.

There were no firewalls segregating databases and servers from the rest of the network or other agency networks. Users that access the network can compromise services running on the database or the server itself. This increases the risk of someone attempting to gain unauthorised access to the database or its server due to the increased number of people that have access to the server or use the same network.

Account security

Account security examines whether database user accounts have default or easy-to-guess passwords. Exploiting weak passwords is one of the first actions an attacker will try in order to gain system access. Strong account security is therefore one of the most important steps to take to secure a database server.

The security of database users and system accounts could be improved across all systems we audited. We found a large number of accounts with high level privileges to data and system settings that had weak password controls. Account security made up 22 (19 per cent) of the findings of which 12 were rated as extreme or high risk and 10 as low.

Figure 3 - Account security by severity

We found many instances of database administrator accounts where the default usernames and passwords were still in use. These default user settings are widely known and often the first accounts someone would try to exploit. We also identified accounts with exceptionally easy to guess passwords. Examples include passwords that were the same as the username, passwords that were the same name as the application and passwords such as ‘test’, ‘password1’, ‘sqladmin’.

There were also many three-character passwords; in particular, one Database Administrator Account (DBA) had a password of ‘DBA’. There were several instances where the ‘SYS’ password was too easy to guess. The ‘SYS’ account carries DBA privileges and cannot be locked out. This provides an attacker with unlimited attempts to brute force the password. We also found instances where weak passwords had never changed or had been the same for 6-12 years. The risk of a password being compromised through brute force attacks, disclosed by trusted users or extracted from hacked systems increases with its age. Periodic password changes mitigate these risks.

We examined various properties in databases and found that password aging had not been enforced across many of them. We found several agencies had not changed administrator account passwords anywhere from three to over 10 years. In one database, we found 17 highly privileged accounts that had never had their passwords changed.

We also identified a large number of inactive user accounts, which had weak passwords or had not had their passwords changed. While many accounts we identified on Oracle Databases were ‘locked’, flaws in the configuration of the database may allow attackers to unlock them. An attacker that has access to an existing account can exploit these flaws to unlock other accounts. These additional accounts might have higher levels of access than the attacker’s account, or allow the attacker to go undetected by occupying an unused account.

Several agencies were not logging accounts to determine activity within their database, meaning that they were not aware of when and what is accessed and if there was unauthorised activity occurring. Further detail is included under the Auditing and Monitoring section of this report.
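The account-security checks described above can be run over an exported account inventory. The following is an added example, not code from the audit report: the field names, the 90-day and 180-day thresholds, and the sample rows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value, not taken from the report
MAX_INACTIVE_DAYS = 180      # assumed policy value, not taken from the report


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    status: str                        # "OPEN" or "LOCKED"
    created: date
    password_changed: Optional[date]   # None = never changed since creation
    last_login: Optional[date]         # None = never logged in
    vendor_default: bool = False       # account name ships with the product


@dataclass(frozen=True)
class Finding:
    username: str
    rule: str
    privileged: bool


def review_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Flag the account weaknesses the audit describes, one Finding per rule hit."""
    findings: List[Finding] = []

    def flag(acct: Account, rule: str) -> None:
        findings.append(Finding(acct.username, rule, acct.privileged))

    for a in accounts:
        never_changed = a.password_changed is None
        age = (today - (a.password_changed or a.created)).days
        stale = never_changed or age > MAX_PASSWORD_AGE_DAYS
        idle = (today - (a.last_login or a.created)).days

        if never_changed:
            flag(a, "PASSWORD_NEVER_CHANGED")
        elif age > MAX_PASSWORD_AGE_DAYS:
            flag(a, "PASSWORD_TOO_OLD")
        # A shipped account whose password was never changed is probably
        # still on the vendor-documented default.
        if a.vendor_default and never_changed:
            flag(a, "DEFAULT_CREDENTIALS_LIKELY")
        if a.status == "OPEN" and idle > MAX_INACTIVE_DAYS:
            flag(a, "INACTIVE_BUT_OPEN")
        # Locking is not a substitute for a strong password: the report
        # notes that configuration flaws may let locked accounts be unlocked.
        if a.status == "LOCKED" and stale:
            flag(a, "LOCKED_WITH_STALE_PASSWORD")
    return findings


def privileged_never_changed(findings: List[Finding]) -> List[str]:
    """Privileged accounts whose password has never been changed."""
    return [f.username for f in findings
            if f.privileged and f.rule == "PASSWORD_NEVER_CHANGED"]


# Constructed sample inventory (not data from the audit).
TODAY = date(2024, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("SYS", True, "OPEN", date(2008, 3, 1), None,
            date(2024, 1, 14), vendor_default=True),
    Account("APP_OWNER", True, "OPEN", date(2012, 5, 10),
            date(2013, 1, 1), date(2024, 1, 10)),
    Account("JSMITH_ADM", True, "OPEN", date(2021, 2, 1),
            date(2023, 12, 1), date(2024, 1, 12)),
    Account("OLD_CONTRACTOR", False, "LOCKED", date(2015, 6, 1),
            None, date(2016, 2, 1)),
    Account("REPORTS", False, "OPEN", date(2019, 4, 1),
            date(2023, 12, 20), date(2022, 1, 1)),
]

if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        tag = "privileged" if f.privileged else "standard"
        print(f"{f.username:15} {tag:10} {f.rule}")
```
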

Figure 4 - Sensitive information lost after password easily guessed

System hardening

Locking down privileges and ensuring secure configurations are in place make systems more resilient to attackers and cyber threats.

We found default configurations and permissions at 10 out of 13 systems audited indicating that the databases were not properly hardened. Inadequate system hardening made up 17 (15 per cent) of the findings of which 15 were rated as extreme or high risk and two as medium.

Figure 5 - System hardening findings by severity

Excessive privileges were granted to the PUBLIC role across most systems. This could allow an attacker to compromise the entire database. On these systems it is possible to execute procedures to allow anyone to grant themselves arbitrary java privileges with the ability to load and execute programs. This can lead to a full compromise of a database server.

We found several examples where the PUBLIC role had privileges on various database tables owned by highly privileged accounts such as ‘SYSTEM’ and ‘SYS’. If PUBLIC has high privileges on a table, it means that queries can be run to extract information from those database tables and even allow the creation of unauthorised accounts and permissions.

Database administrator accounts

Databases generally come with pre-configured administrator accounts and passwords that are listed in product documentation and widely available on the Internet. Because attackers will normally try the default user names and passwords, it is important to change these on installation.

In discussions with database administrators at the seven agencies, we found it common for their accounts to be used for general user activity and not solely for administrative tasks. This means that agencies cannot attribute actions to specific individuals or hold them accountable.

It is important to use database administrator accounts exclusively for administrative tasks, with standard database accounts used for general user activity. Ensuring database administrators have unique and identifiable accounts will assist in auditing activities of databases. This is particularly helpful during investigations relating to an attempted or successful intrusion. Furthermore, database administrator accounts should not be shared across different databases as this can increase the likelihood of a successful attack on multiple databases.

Version/patching

Attackers take advantage of security vulnerabilities to gain access to systems and escalate their privileges. As new vulnerabilities are discovered, it is important to keep software up to date by upgrading outdated software to the latest versions and regularly installing vendor supplied security patches.

Only four of the 13 systems reviewed were completely patched. The other nine were missing vendor patches, some dating back to 2010. Patching made up nine (8 per cent) of our findings with all of them rated either extreme or high risk.

Figure 6 - Version-patching findings by severity

We found one database that was never patched. This server was susceptible to numerous critical security vulnerabilities that an attacker with just a low access privilege could exploit to gain full control over the server.

We found several systems running a version of Oracle that ceased mainstream support in 2012. There are numerous known vulnerabilities in this version including many critical security flaws.

In one agency, all of its 150 databases stored large amounts of sensitive information without mainstream support from their respective vendor. Over half of these systems were so old the vendor gave no support at all. This significantly increases the risks to information stored in these databases.

We found two SQL servers that were over two years behind on patches and one three years behind. All three servers should have received numerous patches.

Many of the security vulnerabilities in the nine systems that were not fully patched have been well known in the industry since 2010. The Australian Signals Directorate (ASD) has identified patching of systems as one of the top four measures agencies can take to protect their information.

Figure 7 - The Australian Signals Directorate

Data protection

Sensitive, confidential or secret data requires a secure database server. Databases can be further protected with the use of encryption, virtual private database and/or data redaction.

None of the 13 systems were encrypting sensitive data stored within their databases or on backups stored on tapes and off site. We also found inadequate protection of production data found in development and test environments.

Data protection findings made up 13 of the 115 findings (11 per cent) with four rated as high and nine as medium.

Figure 8 - Data protection findings by severity

Auditing and monitoring

Database auditing enables an administrator or security manager to detect in a timely manner the possible security breach of a database and to audit access made to the data. It means that the administrator can answer questions like, ‘has data been accessed by an unauthorised person, has data been changed, who changed it and when’.

Database object auditing was not active on any of the 13 databases we reviewed. While some actions such as failed logins were recorded in some cases, auditing was not active on sensitive data stored within the databases.

Auditing and monitoring weaknesses made up 27 (23 per cent) of our findings of which 26 were rated as low risk. However, these risks should not be underestimated because without adequate security monitoring, agencies will not know if, or to what extent, their information is compromised.

Figure 9 - Auditing and monitoring findings by severity

Backdoors/misconfiguration

Once an attacker has broken into a database, they may leave a backdoor in the system to allow access at a later date. These backdoors can take many forms and often look like misconfigurations. This section reviewed items that may be backdoors but, if not, are more than likely undesirable misconfigurations.

There are a number of ways to ‘backdoor’ a database server. Occasionally a misconfiguration can look like a backdoor and usually is the result of a mistake.

We only found instances at two agencies where misconfigurations existed. These had the PUBLIC role assigned membership to ‘other’ roles. Any privileges granted to these ‘other’ roles are therefore effectively granted to everyone on the database server via the PUBLIC role.

Both instances were not default settings of a database and therefore were deliberate actions. The reasons and real impact of these misconfigurations are not known so are considered to be high risk. We recommended to both agencies that they investigate these instances and correct as appropriate.

Figure 10 - Backdoors-misconfiguration findings by severity
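The PUBLIC findings in the attack surface, system hardening and backdoors/misconfiguration sections can be checked together by comparing exported grants against a clean-install baseline and following nested role grants. This is an added example, not code from the audit report: the row layouts, rule names, baseline and sample rows are constructed assumptions.

```python
from collections import deque

WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "ALTER"}
ADMIN_OWNERS = {"SYS", "SYSTEM"}


def roles_reaching_public(role_grants):
    """Every role PUBLIC holds, directly or through nested role grants."""
    held, queue = set(), deque(["PUBLIC"])
    while queue:
        grantee = queue.popleft()
        for g, role in role_grants:
            if g == grantee and role not in held:
                held.add(role)
                queue.append(role)
    return held


def public_exposure(table_privs, role_grants, db_links, baseline):
    """Return (rule, detail) findings for privileges that reach every user.

    table_privs: (grantee, owner, object, privilege) rows
    role_grants: (grantee, granted_role) rows
    db_links:    (owner, link_name) rows
    baseline:    (owner, object, privilege) grants to PUBLIC on a clean install
    """
    findings = []
    roles = roles_reaching_public(role_grants)
    # Role membership for PUBLIC is never a default, so report each role.
    for role in sorted(roles):
        findings.append(("PUBLIC_ROLE_MEMBERSHIP", role))

    everyone = {"PUBLIC"} | roles
    for grantee, owner, obj, priv in table_privs:
        if grantee not in everyone:
            continue
        if grantee == "PUBLIC" and (owner, obj, priv) in baseline:
            continue  # shipped with the product, not a local change
        via = "" if grantee == "PUBLIC" else f" via {grantee}"
        detail = f"{priv} on {owner}.{obj}{via}"
        if owner in ADMIN_OWNERS:
            findings.append(("PUBLIC_ON_ADMIN_OBJECT", detail))
        elif priv in WRITE_PRIVS:
            findings.append(("PUBLIC_WRITE", detail))
        else:
            findings.append(("PUBLIC_NON_DEFAULT_GRANT", detail))

    for owner, name in db_links:
        if owner == "PUBLIC":
            findings.append(("PUBLIC_DB_LINK", name))
    return findings


# Constructed sample export (not data from the audit).
BASELINE = {("SYS", "DUAL", "SELECT")}
TABLE_PRIVS = [
    ("PUBLIC", "SYS", "DUAL", "SELECT"),
    ("PUBLIC", "SYSTEM", "ACCOUNT_EXPORT", "SELECT"),
    ("PUBLIC", "HR", "PAYROLL", "UPDATE"),
    ("APP_SUPPORT", "HR", "PAYROLL", "DELETE"),
    ("JSMITH", "HR", "PAYROLL", "SELECT"),
]
ROLE_GRANTS = [
    ("PUBLIC", "APP_READ"),
    ("APP_READ", "APP_SUPPORT"),
    ("JSMITH", "AUDITOR_ROLE"),
]
DB_LINKS = [("PUBLIC", "FINANCE_PROD"), ("HR", "ARCHIVE")]

if __name__ == "__main__":
    for rule, detail in public_exposure(TABLE_PRIVS, ROLE_GRANTS,
                                        DB_LINKS, BASELINE):
        print(f"{rule:26} {detail}")
```

The nested case is the one a direct query on PUBLIC misses: in the sample, DELETE on HR.PAYROLL reaches every user only because APP_SUPPORT is granted to APP_READ, which is granted to PUBLIC.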


Audit Defense, pp 59–70

Audit Conclusion

  • Ed Danter
  • First Online: 24 April 2022


Part of the Palgrave Studies in Accounting and Finance Practice book series (PSAFP)

This chapter continues with writing the audit report that identifies what was reviewed and what the auditors identify as exposures along with their impact. The chapter discusses the recommendations that are in the report, the fact that they are the auditors’ recommendations that need to be responded to. After the report is written, there is the final audit meeting and the presentation of the report to executive audit client management, asking for their sign-off before distribution of the report.


Author information

Authors and affiliations.

Kean University, Leonia, NJ, USA


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter.

Danter, E. (2022). Audit Conclusion. In: Audit Defense. Palgrave Studies in Accounting and Finance Practice. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-030-92466-9_5


DOI : https://doi.org/10.1007/978-3-030-92466-9_5

Published : 24 April 2022

Publisher Name : Palgrave Macmillan, Cham

Print ISBN : 978-3-030-92465-2

Online ISBN : 978-3-030-92466-9

eBook Packages : Economics and Finance Economics and Finance (R0)

COMMENTS

  1. Compiling a Useful Audit Report: Best Practices

    … Writing a good audit report makes the difference in whether it communicates the message the audit team wanted to convey — and whether or not stakeholders read the report at all. People, including auditors and company management, are overloaded with information and content on a daily basis.

  2. 7040 Audit Conclusion

    7040 Audit Conclusion Jul-2020 Overview This section presents the requirements pertaining to the audit conclusion. It provides guidance on the four types of conclusion that are possible to reach as well as guidance on what to consider when forming a conclusion.

  3. How to Write an Audit Report: 14 Steps (with Pictures)

    1 Understand the basic goals of all audit reports. Before delving into the specifics of writing an audit report, it is important to have a broad view of the major objectives of all audit reports. Having these in mind as you delve into the technicalities of writing a report will make sure your report does what it is supposed to do.

  4. PDF PG Audit Reports FINAL

    audit results through written reports, and provides guidance on how to: • Identify the key components of an effective internal audit report or presentation. • Create and organize an effective written internal audit report. • Present internal audit engagement results to relevant stakeholders.

  5. Audit Report Toolkit

    Download The IIA The Institute of Internal Auditors Learn more with our other resources Toolkit includes: Writing an Audit Report, Keys to Report Writing, and Audit Report Template

  6. AUDIT CONCLUSIONS AND REPORTING

    First published: 21 April 2017 https://doi.org/10.1002/9781119449485.ch9 PDF Tools Share Summary This chapter addresses the auditor's responsibility to form an opinion on the financial statements. It also addresses the form and content of the auditor's report issued as a result of an audit of financial statements.

  7. PDF Beginner's Guide to Audit and Audit Reports Audit

    16. The auditor may add additional information to the report if it is deemed necessary without changing the overall opinion of the report. The most frequent paragraphs include: • Limiting distribution of the report - in some occasions, the audit report is restricted to a specified user

  8. PDF A guide to

    Introduction When writing a report there are five key areas which you should always consider: What is the purpose of the report? Who will read it? How to start. The report structure. Style and presentation. The purpose of the report Before we start to write the report we need to know its purpose: What is it for?

  9. Audit Report Writing

    Industry Knowledge Brief The IIA Apr 23, 2018. …. INDUSTRY KNOWLEDGE BRIEF. 2018. AUDIT REPORT WRITING. Explores transparency issues with writing reports that will be publicly disclosed. Explores challenges and considerations for writing reports when the reports are disclosed to the public. Ethical conundrum.

  10. Components of Audit Findings

    Components of Audit Findings. Tools The IIA Jan 14, 2022. …. PROFESSIONAL. 2022. COMPONENTS OF AUDIT FINDINGS. This tool supports presenting and communicating audit report findings and recommendations. Tools. Audit Plan.

  11. Audit Conclusion

    At the conclusion of an audit, audit reports should lead to improvement. Although they are the auditors' reports, they are distributed for the benefit of the company. The report is distributed to executive audit management, as well as audit client executives and other company executives who have a vested interest.

  12. Writing A Great Audit Report

    It will conclude with another important aspect of writing a great audit report: timely distribution so the results of the audit are kept fresh and current. Know your audience One of the more difficult aspects of writing an audit report is understanding your intended audience.

  13. Why Should the Conclusion in an Audit Report Mirror the Objective

    The conclusion is primary. And because of that, I recommend that you put the conclusion to your audit as the first line in your audit report because that's what you're really going after, and that's where you should focus the reader's attention, the user's attention, on that. For instance, look at this audit report.

  14. Basic Format & Structure of an Audit Report

    #1 - Title #2 - Addressee #3 - The Responsibility of the Auditor and the Management of the Company #4 - The Scope of the Audit #5 - The Opinion of the Auditor #6 - Basis of Opinion #7 - Signature of Auditor #8 - Place of Signature #9 - Date of the Audit Report #10 - Date of Signature The Emphasis of Matter in Audit Report Format Conclusion

  15. PDF Audit Report Writing Guide

    This Audit Report Writing Guide offers guidance on preparing audit reports for the Ministry of Health so that each report provides clear, consistent and helpful information. ... appropriate evidence to support findings and conclusions. The reader needs to understand the nature and extent of the issues being reported so they can judge the ...

  16. Appendix II: Example Template for An Audit Summary Report

    The final form of the audit summary report is determined by the details and logistics of the audit itself. However, the general structure of all audit summary reports should essentially be the same. The basic components of an audit summary report should include: Header The header should identify your facility name and location in addition to all

  17. Steps in Writing an Audit Report

    An audit report is a document created by a professional auditor at the conclusion of the auditing process. It provides a detailed summary of each of her findings. ... Write the basis of opinion ...

  18. Audit Report Examples

    An audit report is an independent opinion of a person/firm (i.e., auditor) about whether the financial statements present a true & fair view of the state of affairs of the entity, profit/loss of the entity & cash flows for the year, and such opinion is given after performing reasonable audit procedures to obtain sufficient & appropriate evidence...

  19. HOW TO WRITE EFFECTIVE AUDIT OBSERVATIONS

    Audit reports should be written to make readers feel like they are on site observing the same situation, make the problem and consequences obvious, and spell out the action steps to take to...

  20. Audit Report Examples

    Audit Report Example of Facebook. #1 - Opinion on the Financial Statements. #2 - A Basis for Opinion on Financial Statements: #3 - Opinion on Internal Control Over Financial Reporting. #4 - The Basis for Opinion: #5 - Definition and Limitation of Internal Control Over Financial Reporting: Audit Report Example of Tesco Plc.

  21. Audit conclusions and reporting

    An audit involves the following steps: Gathering of audit evidence, evaluation of the evidence, deciding on their reliability and acceptability, drawing a conclusion based on such...

  22. Audit Conclusion and Key Findings

    Audit conclusion. The seven sampled agencies have not adequately protected information from attackers to prevent unauthorised access and data loss. Sensitive and confidential information is at risk and agencies may not know if or the extent to which data is compromised. We identified 115 findings with failures in all seven key areas.

  23. PDF Audit Conclusion

    Criteria (identifying what procedures and controls should be in place for the process being audited) Condition (stating the current control state that they observed) Cause (indicating the reason for any exposure) Consequences (concluding what the effects of the exposures are) Corrective actions (making recommendations for control improvement).