Internal Audit

Audit Reporting: How to Communicate Findings That Drive Action

An audit report is not a documentation exercise — it is a communication tool designed to drive action. The quality of an audit report determines whether findings are taken seriously, recommendations are implemented, and the audit function is respected as a strategic governance asset or dismissed as a compliance overhead.

"An audit report that management puts in a drawer has achieved nothing. Write for action, not for filing."

Internal audit reporting is the final and most visible output of the audit process. It is the mechanism through which the audit function communicates value to the board, the audit committee, and management. A well-crafted audit report is accurate, objective, constructive, and clear — producing recommendations that management can and does implement, and providing the board with the assurance information it needs to fulfill its governance responsibilities.

The 5 C's of Audit Finding Communication

The IIA's standards require that audit results be communicated accurately, objectively, clearly, concisely, constructively, completely, and in a timely manner. In practice, audit findings are most effectively structured using the 5 C's framework:

| The C | Question Answered | Example |
| --- | --- | --- |
| Condition | What did we find? | "Of 50 vendor payments reviewed, 12 (24%) were made to vendors whose bank account details did not match the onboarding documentation." |
| Criteria | What should exist? | "The Vendor Management Policy requires that payment bank account details be verified against onboarding documentation before each payment run." |
| Cause | Why does the gap exist? | "The accounts payable system does not enforce bank account verification at the point of payment processing, and no manual verification step is performed." |
| Consequence | Why does it matter? | "Unverified vendor bank accounts expose the organization to ghost vendor fraud and misdirected payments. Based on current payment volumes, the maximum exposure is approximately ₦180 million annually." |
| Corrective Action | What should be done? | "Management should configure the payment system to block processing of payments to bank accounts that have not been independently verified, and implement a quarterly vendor bank account confirmation process." |

Finding Rating Systems

Findings must be rated to help management prioritize their response. A consistent, clearly defined rating system is essential:

| Rating | Definition | Response Expectation |
| --- | --- | --- |
| Critical | Immediate significant risk to the organization; potential for material loss, regulatory breach, or fraud | Immediate management action; board/AC notification |
| High | Significant control weakness that could result in material adverse outcome if not addressed | Remediation within 30 days; senior management ownership |
| Medium | Control weakness that increases risk but with limited immediate impact | Remediation within 60–90 days |
| Low | Best practice improvement opportunity; minimal risk impact | Remediation within 6 months; management discretion on priority |

Report Structure

  • Executive Summary: Highest-priority findings, overall assurance opinion, and key messages for board/AC — maximum 2 pages
  • Overall Assurance Rating: A consolidated opinion on the adequacy and effectiveness of the control environment reviewed
  • Scope and Objectives: What was audited, what was not, and the time period covered
  • Detailed Findings: Each finding presented using the 5 C's format, rated, and with a management response and agreed remediation timeline
  • Status of Prior Findings: Update on implementation of recommendations from previous audits of this area

Management Response — An Essential Element

Every finding must include a documented management response — whether they accept the finding, disagree with it, or have already taken remediation steps. Management responses without a specific remediation date and named owner are not acceptable. The audit committee must be informed of any finding where management has not provided a response or has declined to remediate.

Audit Finding Follow-Up

Issuing the report is not the end of the audit engagement. A formal follow-up programme must confirm that agreed actions have been implemented by the agreed date. Unimplemented recommendations must be escalated to the audit committee — not carried forward indefinitely on a tracker.

Key Takeaway

Audit reporting is where the value of internal audit becomes visible to the organization. A report written with clarity, structured around the 5 C's, rated consistently, and followed up rigorously transforms audit findings from observations into governance outcomes. The board's confidence in internal audit is built not on the volume of work produced, but on the quality and impact of the reports delivered.
