## The 5 C's of Audit Finding Communication

The IIA's standards require that audit results be communicated accurately, objectively, clearly, concisely, constructively, completely, and in a timely manner. In practice, audit findings are most effectively structured using the 5 C's framework:

| The C | Question Answered | Example |
|---|---|---|
| Condition | What did we find? | "Of 50 vendor payments reviewed, 12 (24%) were made to vendors whose bank account details did not match the onboarding documentation." |
| Criteria | What should exist? | "The Vendor Management Policy requires that payment bank account details be verified against onboarding documentation before each payment run." |
| Cause | Why does the gap exist? | "The accounts payable system does not enforce bank account verification at the point of payment processing, and no manual verification step is performed." |
| Consequence | Why does it matter? | "Unverified vendor bank accounts expose the organization to ghost vendor fraud and misdirected payments. Based on current payment volumes, the maximum exposure is approximately ₦180 million annually." |
| Corrective Action | What should be done? | "Management should configure the payment system to block processing of payments to bank accounts that have not been independently verified, and implement a quarterly vendor bank account confirmation process." |
## Finding Rating Systems

Findings must be rated to help management prioritize their response. A consistent, clearly defined rating system is essential:

| Rating | Definition | Response Expectation |
|---|---|---|
| Critical | Immediate significant risk to the organization; potential for material loss, regulatory breach, or fraud | Immediate management action; board/AC notification |
| High | Significant control weakness that could result in material adverse outcome if not addressed | Remediation within 30 days; senior management ownership |
| Medium | Control weakness that increases risk but with limited immediate impact | Remediation within 60–90 days |
| Low | Best practice improvement opportunity; minimal risk impact | Remediation within 6 months; management discretion on priority |
## Report Structure

- Executive Summary: Highest-priority findings, overall assurance opinion, and key messages for board/AC — maximum 2 pages
- Overall Assurance Rating: A consolidated opinion on the adequacy and effectiveness of the control environment reviewed
- Scope and Objectives: What was audited, what was not, and the time period covered
- Detailed Findings: Each finding presented using the 5 C's format, rated, and with a management response and agreed remediation timeline
- Status of Prior Findings: Update on implementation of recommendations from previous audits of this area
## Management Response — An Essential Element

Every finding must include a documented management response — whether they accept the finding, disagree with it, or have already taken remediation steps. Management responses without a specific remediation date and named owner are not acceptable. The audit committee must be informed of any finding where management has not provided a response or has declined to remediate.
## Audit Finding Follow-Up

Issuing the report is not the end of the audit engagement. A formal follow-up programme must confirm that agreed actions have been implemented by the agreed date. Unimplemented recommendations must be escalated to the audit committee — not carried forward indefinitely on a tracker.
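The two rules above (a management response needs a named owner and a remediation date that fits the rating's window, and anything unanswered, declined or overdue goes to the audit committee rather than staying on a tracker) are mechanical enough to enforce in a findings register. The following Python is an added illustration of such a register, not code from the page's author or from any audit tool; the field names, the `REMEDIATION_WINDOW_DAYS` values (the upper bound of each "Response Expectation" row, with "immediate" as 0 days and 6 months as 180) and the sample findings are all constructed assumptions.

```python
"""Findings register helpers: check that a finding is report-ready (all 5 C's,
a known rating, an acceptable management response) and decide what the
follow-up programme should do with it. Added illustration; assumptions are
marked inline."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed: rating -> maximum agreed remediation window in days, read off the
# page's "Response Expectation" column (Critical = immediate, Medium = upper
# bound of 60-90 days, Low = 6 months approximated as 180 days).
REMEDIATION_WINDOW_DAYS = {"Critical": 0, "High": 30, "Medium": 90, "Low": 180}
FIVE_CS = ("condition", "criteria", "cause", "consequence", "corrective_action")
RESPONSE_POSITIONS = ("accept", "disagree", "remediated")   # assumed vocabulary
TODAY = date(2024, 3, 1)                                      # constructed follow-up date


@dataclass
class ManagementResponse:
    position: str                            # one of RESPONSE_POSITIONS
    owner: Optional[str] = None              # named accountable manager
    remediation_date: Optional[date] = None  # agreed completion date


@dataclass
class Finding:
    ref: str
    rating: str
    report_date: date
    condition: str = ""
    criteria: str = ""
    cause: str = ""
    consequence: str = ""
    corrective_action: str = ""
    response: Optional[ManagementResponse] = None
    implemented: bool = False                # set by audit once the fix is verified


def validate_finding(f: Finding) -> list[str]:
    """Return the defects that make a finding unfit for the report (empty list = ready)."""
    problems: list[str] = []
    for c in FIVE_CS:                        # every one of the 5 C's must be written
        if not getattr(f, c).strip():
            problems.append(f"missing {c}")
    if f.rating not in REMEDIATION_WINDOW_DAYS:
        problems.append(f"unknown rating {f.rating!r}")
    r = f.response
    if r is None:
        problems.append("no management response")
        return problems
    if r.position not in RESPONSE_POSITIONS:
        problems.append(f"unknown response position {r.position!r}")
    if not r.owner:                          # a named owner is required in every case
        problems.append("management response has no named owner")
    if r.position == "accept":               # an accepted finding also needs a date...
        if r.remediation_date is None:
            problems.append("management response has no remediation date")
        elif f.rating in REMEDIATION_WINDOW_DAYS:   # ...that fits the rating's window
            deadline = f.report_date + timedelta(days=REMEDIATION_WINDOW_DAYS[f.rating])
            if r.remediation_date > deadline:
                problems.append(f"remediation date {r.remediation_date} is after the "
                                f"{f.rating} window ending {deadline}")
    return problems


def follow_up_status(f: Finding, today: date) -> str:
    """'closed' = fix verified; 'verify' = management claims remediation, audit must
    confirm; 'open' = accepted and within the agreed date; 'escalate_ac' = no
    response, management declined, or the agreed date passed without implementation."""
    if f.implemented:
        return "closed"
    r = f.response
    if r is None or r.position == "disagree":
        return "escalate_ac"
    if r.position == "remediated":
        return "verify"
    if r.remediation_date is None or today > r.remediation_date:
        return "escalate_ac"
    return "open"


def escalation_list(findings: list[Finding], today: date) -> list[str]:
    """Refs the audit committee must be told about, highest rating first."""
    order = list(REMEDIATION_WINDOW_DAYS)    # Critical, High, Medium, Low
    due = [f for f in findings if follow_up_status(f, today) == "escalate_ac"]
    due.sort(key=lambda f: order.index(f.rating) if f.rating in order else len(order))
    return [f.ref for f in due]


# Constructed sample findings; F-01 reuses the page's vendor payments example.
SAMPLE_FINDINGS = [
    Finding(ref="F-01", rating="High", report_date=date(2024, 1, 15),
            condition="12 of 50 vendor payments went to bank accounts not matching onboarding documentation.",
            criteria="Vendor Management Policy requires bank details be verified before each payment run.",
            cause="The AP system does not enforce verification and no manual step is performed.",
            consequence="Exposure to ghost vendor fraud and misdirected payments.",
            corrective_action="Block payments to unverified accounts; quarterly confirmation process.",
            response=ManagementResponse("accept", owner="Head of Finance",
                                        remediation_date=date(2024, 2, 10))),
    Finding(ref="F-02", rating="Medium", report_date=date(2024, 1, 15),   # no owner, date too late
            condition="x", criteria="x", cause="x", consequence="x", corrective_action="x",
            response=ManagementResponse("accept", owner=None, remediation_date=date(2024, 6, 30))),
    Finding(ref="F-03", rating="Critical", report_date=date(2024, 1, 15),  # never answered
            condition="x", criteria="x", cause="x", consequence="x", corrective_action="x"),
]

if __name__ == "__main__":
    for fnd in SAMPLE_FINDINGS:
        print(fnd.ref, validate_finding(fnd), follow_up_status(fnd, TODAY))
    print("escalate to AC:", escalation_list(SAMPLE_FINDINGS, TODAY))
```

Run as a script, the register shows F-01 as report-ready but overdue on the constructed follow-up date (accepted with a 10 February date, unverified on 1 March), F-02 rejected for lacking an owner and for a date outside the Medium window, and F-03 escalated because management never responded; the escalation list comes back Critical first. The point of separating `validate_finding` from `follow_up_status` is that the first gate runs before the report is issued, while the second runs repeatedly afterwards, which is the follow-up programme the text describes.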
## Key Takeaway

Audit reporting is where the value of internal audit becomes visible to the organization. A report written with clarity, structured around the 5 C's, rated consistently, and followed up rigorously transforms audit findings from observations into governance outcomes. The board's confidence in internal audit is built not on the volume of work produced, but on the quality and impact of the reports delivered.