how to write an effective internal audit report


Effective Report Writing

This brief guidance addresses internal audit functions that produce written reports. You may believe this is all of them – however, nowhere in the Standards does it say we must produce a final written report. Standard 2410 states that we must communicate an engagement’s objectives, scope and results, while 2440 refers to a ‘final engagement communication’. This can take any form that suits all parties. Most functions indeed produce written reports; others report in the body of an email, a presentation or even via video.

However you communicate the results of an engagement, keep Standard 2420 in mind: all communications – not just reports – ‘must be accurate, objective, clear, concise, constructive, complete and timely.’

The following advice will help you better understand what your readers need from reports. It also provides practical, measurable tips on how to produce clear, concise, meaningful writing – writing that readers can and want to read.

The foundations of good communication – and good reports


The purpose of any communication, written or not, must be to persuade readers to take action, or to think differently. In internal audit, these two often go together – for readers to act, they must be convinced of the benefits.

However, this assumes you have a clear message to communicate. Solid audit engagement work is the foundation of all we do, and without it, there is nothing to report. After all, you cannot communicate unless you have something to communicate.

Make sure you are clear exactly what the results of your engagement are. This may seem obvious, but many internal audit reports fail to convey a single clear message because the report lacks one. The team may have worked hard and documented many findings, but unless these are material and lead to a concise, overarching ‘headline’ about the governance, risk or control framework under review, they are not useful.

Different teams use different techniques to explore and articulate their engagement results before committing them to a report. Storyboarding, mind-mapping, outlining – all are good ways to thrash all the elements of an engagement out in order to arrive at a clear, coherent conclusion. Remember – audit management software does many wonderful things, but it can’t do your thinking for you!

Consider too your readers – again, this may seem obvious. Cultural differences across a global organisation will obviously affect communication. However, even within a small or regional organisation, different divisions and teams will have their own cultures. Throughout the internal audit engagement, you should be communicating regularly with your client or the area being audited. As you do so, you will be building your understanding of others’ assumptions, values and even terminology. (Not everyone defines ‘risk’ in the same way, for instance.) This in turn should help you understand how best to communicate in a way that engages and persuades readers.

Structuring your report

You may have a standard template that serves you well – but does it serve your readers? One sign that structure – as well as content – may be hindering understanding is when people ask you for information that’s already in the report. If your template is too long, with sections, sub-sections and sub-sub-sections, readers will quickly become confused, tired and possibly irritated.

Keep template content to the basics: executive summary, findings (with recommendations, if you make them), and an appendix if necessary. Most people don’t read beyond the executive summary, so readers will judge a report by it. This isn’t an invitation to include detailed findings – or even a condensed list of findings – in the executive summary. It’s an invitation to you to think about what those findings – those symptoms – tell you about the health of the risk and control framework you’ve just reviewed.

Findings come next, and many teams use the Five Cs approach:

  • Criterion (or criteria): What standards or controls are in place (or should be)?
  • Condition: This is your observation – what have you found to be the reality? It usually doesn’t match the criterion or criteria.
  • Consequence: What is/are the risk/s?
  • Cause: What is the root cause?
  • Corrective action: What are your recommendations, or senior management’s plans to fix things?

All these elements should be present in working papers, of course – if you’re not clear about the various criteria, how were you able to create a risk and control assessment? Can you defend your condition statement with reliable, relevant, sufficient evidence? Is the consequence linked to actual risks (rather than failed controls)? Have you discussed likely causes with the first line or client? You need to articulate the root cause clearly in order to make recommendations for lasting improvements. Otherwise, you will see repeat findings in future engagements.

You could say that the most important elements of the Five Cs, however, are the three middle ones. Condition, consequence and cause require you to answer three simple questions:

  • What exactly is the problem? Who is not doing what, or what is not in place?
  • So what? Why should the reader care? (If you articulate risk in terms of financial, regulatory, reputational, or health and safety consequences, readers should immediately see why.)
  • What caused the problem in the first place?

If you can’t answer these three questions, you’re not ready to report.

Templates don’t only set structure, they establish layout – margin and font settings, for example. Look at your templates and see how easy on the eye they are. Do you have large chunks of unbroken text in small type? Are you using elaborate script instead of sans-serif font? Are the colours reader-friendly? If you use graphics as well as text, are the colours intuitive and the type readable?

This isn’t simply an aesthetic question – unnecessarily complex or fussy presentation can breach disability discrimination legislation. Many organisations, when creating (or hiring consultants to create) apparently stylish new branding, often overlook this point. And yet, if your type is calligraphic or too small, with too little contrast between background and type, you risk excluding readers. Accessibility is an essential component of CSR, ESG and indeed complying with the law – don’t get caught out by trendy corporate branding.

Wording – specifically plain language – is also a component of accessibility. Unless all relevant readers can easily grasp your meaning, the communication has failed. Understand your readers, and keep language simple, clear and concise.

Be brief – don’t use three words when one will do (‘future action plans’ are merely ‘plans’) or longer words in the belief they’re more impressive. No one will thank you for using ‘utilise’ or ‘leverage’ instead of ‘use’ – you’re just delaying getting to the point. Sentences longer than 20 words, unless perfectly constructed and punctuated, risk losing readers’ limited attention.

Use the active rather than the passive voice – in other words, put the doer first. 

  • Active sentence: The manager (doer) reviewed (action) the report (object of the action – the done-to).
  • Passive sentence: The report (done-to) was reviewed (action) by the manager (doer).
  • Passive sentence: The report (done-to) was reviewed (action). (No doer!)

If you have too many passive sentences, your writing will be wordier and possibly confusing. Too many passive sentences can be hard to follow, or even appear evasive. Leaving out the doer only muddies waters further, by creating a report full of mysterious actions with no apparent author or cause.

Many internal auditors fear that using active voice is too much like pointing a finger. But if we think of how often we report on a team or area or senior managers not adhering to controls, it’s clear we’re not singling out individuals. And saying that a specific team does not adhere to a control is more useful than saying the control isn’t adhered to. After all, if we can’t say who should be performing it, are we certain where the problem is? If not, we can’t define root cause and make recommendations.

Keeping passive sentences to less than 20% of the overall document will increase readability. You can use readability statistics functionality to track this. Most software will give you a wealth of statistics – the two most important ones are average word count per sentence and percentage of passive sentences. Keep both under 20 and your readers will thank you.

What does good look like?

Good looks like whatever works for you and your readers. It may not be a report – it may be, as mentioned above, the body of an email, or a video presentation. The more and better you communicate with readers throughout an engagement, the less you may find yourself writing.

One U.S. Government Accountability Office audit report led with the title on its cover page: ‘The Navy Needs to Improve Control over its Building’. It would be hard to argue that the message wasn’t clear or upfront. Burying bad news helps no one and in fact actively harms organisations. If people don’t know what’s wrong, they can’t fix it. You may have readers who resist bad news, argue and obstruct – they are common across the world.

However, what is ‘good’ for them may not be good for the organisation. Report what you have found clearly and concisely, and readers will be better able to understand what they should do.

‘Accurate, objective, clear, concise, constructive, complete and timely’ is the standard – it may not be easy to produce, especially under pressure. Perform the fieldwork as thoroughly and objectively as possible. Analyse your results to conclude the overall message. Understand your readers – their assumptions, values and preferred communication styles. Structure and lay out your report in a way that invites, rather than repels readers. And above all, keep it simple and to the point – you will be surprised how many readers welcome the result.

Communicating our results effectively is critical to the organisation. Doing this requires us to understand, communicate with, and ultimately respect our readers enough to do so without fear or favour.

Further reading and resources

  • AbilityNet (IBM and Microsoft) https://abilitynet.org.uk/factsheets/creating-accessible-documents-0
  • Change (UK), https://www.changepeople.org/getmedia/923a6399-c13f-418c-bb29-051413f7e3a3/How-to-make-info-accessible-guide-2016-Final
  • Chartered IIA, ‘Communication skills’ https://www.iia.org.uk/resources/interpersonal-skills/communication-skills/
  • Chartered IIA, ‘Writing about risk’ https://www.iia.org.uk/resources/risk-management/writing-about-risk/
  • Martin Cutts, The Oxford Guide to Plain English (Oxford: Oxford University Press, 2020)
  • Sara I. James, Radical Reporting: Writing Better Audit, Risk, Compliance, and Information Security Reports (Abingdon: Routledge/Taylor & Francis/CRC Press, 2022)
  • Plain Language Association International, ‘What is plain language?’ https://plainlanguagenetwork.org/plain-language/what-is-plain-language/
  • Time Atlas, ‘Word readability statistics and alternatives’ https://www.timeatlas.com/word-readability-statistics/
  • UK Government, ‘Publishing accessible documents’ https://www.gov.uk/guidance/publishing-accessible-documents


SoftExpert Blog


How to prepare a high-impact Internal Audit Report


Internal audits can provide a range of benefits to companies, such as identifying areas or processes that need to be changed, finding new risks and preparing the organization for external audits.

That is why upper management must understand the discoveries and results of audits, making all of the effort of planning and executing internal audits worthwhile. This is where the internal audit report comes in.

Let’s look at how it works.

What is an internal audit report?

An internal audit report is a document with the formal results of an audit. It is used by the internal auditor to show what was examined, highlighting positives, negatives and conclusions, so that the company’s management knows what is going well and what needs to be improved.

The report should be carefully prepared. Yet it is at this point that many internal auditors fail.

The text needs to be clear, objective and impartial in order to ensure that the audit’s results are useful and the organization can use them as a guide to set the direction of actions.

What needs to be done when preparing the report?

As discussed above, one of the benefits of performing internal audits is to find opportunities for improvement. The auditor should therefore focus on this when producing the report. The auditor should avoid:

  • Finding guilty parties or specifying that a particular person made a mistake;
  • Seeing problems universally;
  • Producing an evasive report;
  • Applying unnecessary technical terms;
  • Lauding their own work. The report should have a natural and straightforward tone.

How is an internal audit report prepared?

1. Make a cover

Have you ever heard the saying that the first impression is the one that lasts?

The auditor’s work should make a good impression, which is why starting with a quality cover is fundamental. It will be upper management’s first point of contact with the audit results, which is why it is important to present information such as:

  • Report title
  • Name of auditor responsible
  • Audit end date
  • Name of company or business unit audited.

2. Draft an introduction

The auditor should use this section to provide an overview, with information on the area and processes audited and on which standards support the audit (e.g. ISO 9001, ISO 14001), in addition to telling the reader about any historical information that may be required before reading the full report. That way, anyone who reads the report will be able to understand the reasons that led to the audit being executed.

Example: The report may cover the emergence of new legislation that impacts the company’s operations. The introduction can describe the laws that had been applicable to that point along with their shortcomings and how the new law aims to deal with these matters.

3. Create an executive summary

The executive summary should contain a compact discussion of the conclusions of the work done. It should be structured as follows:

  • A brief description of what was audited, objectives, scope and start and end dates.
  • Discuss the auditor’s conclusions.

Example: State that the main goal of the audit was to evaluate the organization’s processes in order to identify the level of adherence/gaps in relation to the new law. At the end, it can say that one of the main conclusions is that the company needs to adapt its facilities.

4. Introduce terminology used

The next section should show the terms used in drafting the report, so that everyone can understand the information presented.

Example: If there are any references to ISO, it is important to clarify that this refers to the International Organization for Standardization.

5. Discuss the audit plan

The audit plan should name the lead auditor and list their qualifications, along with other auditors on the team. This section should also describe the documents evaluated and name the people interviewed.

The auditor should describe the stages followed during the audit (a tool for mapping processes can help) and which criteria were used to select documents evaluated and people interviewed.

6. Describe facts found

When something is not compliant with established standards, the auditor should take note, describing the facts and evidence found.

7. Discuss recommendations

Finally, the auditor should conclude the report with a section on “Recommendations” for the organization’s improvement. At this stage, the auditor should consider the following aspects:

  • Be positive: The auditor should focus on what is going on right now and on how the company’s positive aspects can be applied to inefficient areas or processes.
  • Be specific: The auditor should be very clear and specific on which aspects are not in compliance with established standards and which actions should be implemented to guarantee compliance. It should be clear who needs to act.
  • Be concise: The auditor should make brief recommendations and only include the information and details that are really necessary.

Final considerations

As you can see, certain steps must be taken when preparing a high-impact internal audit report.

Members of upper management are busy people with full schedules. Auditors are becoming aware that they need to submit clear and objective audit reports so that executives can understand the situation and work so that there is continual improvement. This is possible through an internal audit report.

We hope that this article has helped you to better understand what an internal audit report is, why it is important and how to prepare a high-impact report.


Marcelo Becher

Specialist in Strategic Management from PUC-PR. Business and market analyst at SoftExpert, a software provider for enterprise-wide business processes automation, improvement, compliance management and corporate governance.


Six Tips for Writing Effective Internal Audit Reports

You’ve successfully planned and executed your audit. Now, it’s time to communicate your findings to the client, board, or committee. Here are six quick tips for writing effective internal audit reports:

  • Know your audience. When crafting your audit report, it’s important to remember who the end user is. How much does the audience know about the audit and the processes involved? How do they plan on using the information in the report? Are your recommendations in line with their objectives? Playing to your audience is one of the best ways to reach them quickly and effectively.
  • Consider tone. Think about how you feel after reading these statements:

“The manager failed to provide the proper documentation to verify compliance with the policy.”

“Documentation was unavailable to verify compliance with the policy.”

While these two statements convey the same information, the tone and connotation of each is different. Avoid using words with negative connotations, as they can come across as aggressive. Stay away from terms like “failed” or “neglected”. The more defensive and annoyed the reader feels, the less likely they are to receive the information within the report.

  • Keep it simple and specific. You don’t have to use big words to express big ideas. Keep language clear and concise without “dumbing down” the report. For example, instead of using “timely”, be specific. Use terms like “daily”, “monthly” or “quarterly” instead. Readers of audit reports are often busy, so keeping things clear and to the point will allow them to quickly understand ideas without laboring through a lengthy, overdetailed report.
  • Remember the basics. Proper spelling and grammar go a long way, and can ultimately be more persuasive when trying to get the report reader to consider your recommendations. While this may sound like common sense, simple errors still seem to creep into documents even with the use of spell check and proofreaders. Don’t forget to give your report a triple check for spelling and grammar.
  • Give and take. It’s common for auditors to be considered the “bearers of bad news.” While more often than not audit reports contain findings and recommendations based on things process owners are doing wrong, it is helpful to consider communicating things they’re doing right. A little “give-and-take” will help keep a positive tone and give an overall view of the area under audit. For example, instead of only communicating that the warehouse doesn’t have proper smoke detectors, consider phrasing your finding as:

“Company ABC has improved safety procedures by installing fire extinguishers at every sector of the warehouse. However, safety procedures need enhancement as smoke detectors were not found within the warehouse.”

  • Visualize. People understand information in different ways. Consider utilizing charts and graphs within your report to deliver findings, recommendations and other information you want the reader to understand. Some readers may absorb information more efficiently using a visual vehicle, as opposed to a lengthy paragraph or standard bullet points.

Getting audiences to receive and truly reflect on the feedback offered in audit reports can be a challenge, but using these tips might get you one step closer to producing an effective report.


© 2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.


Step-by-Step Internal Audit Checklist

Vice Vicente

March 21, 2023

What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”? AuditBoard’s “Planning an Audit: A How-To Guide” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights, rather than relying on templated audit programs.

One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to get started planning an audit, and download our full “Planning an Audit: A How-To Guide” for tips to help you create a flexible, risk-based audit program.

What is an Internal Audit?

An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes with the aim of improving the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well. 

The Difference Between Internal and External Audits

The essential difference between internal audits and compliance audits, sometimes referred to as external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are performed by independent, third-party, or external auditors, often certified in the audit that is being performed.

The Benefits of an Effective Internal Audit

Internal audits provide many benefits to an organization, giving management and leadership another lens through which to look at the organization. While external compliance audits are essential, they often have a specific scope and aim — PCI DSS, for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on those areas that are a priority, or areas that may not be looked at in a formal compliance audit.

Internal audits give advantages to organizations pursuing external audits as well as preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving the customer’s experience.

So, how can an organization plan for a successful internal audit? Read on for our checklist!

Internal Audit Checklist

The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and process subject matter experts, 3) frameworks for internal audit processes, 4) initial document request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the audit program, and 7) audit program and planning review.

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why a given project is part of the internal audit program. The following questions should be answered and approved before fieldwork begins:

  • Why was the audit project approved to be on the internal audit plan?
  • How does the process support the organization in achieving its goals and objectives?
  • What enterprise risk(s) does the audit address?
  • What is the overall audit schedule, and how does this project fit into the plan?
  • Was this process audited in the past, and if so, what were the results of the previous audit(s)? 
  • Were audit findings or nonconformities investigated and remediated according to the action plan?
  • Have there been significant changes in the process recently or since the previous audit?
  • What is the scope of the project, and what specific requirements need to be met for a successful outcome?

Additionally, participants in the project should review the audit report and audit results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.

2. Involve Risk and Process Subject Matter Experts

Performing an audit based on internal company information is helpful to assess the operating effectiveness of the process’s controls. However, for internal audits to keep pace with the business’s changing landscape, and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice, even when a formal external audit is not required.

Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and KPMG) and other consulting providers to supplement risk management and internal audit programs. These consultants can provide additional guidance, insight, and clarity on specific regulatory requirements, information security, and business processes. When contracting with consultants, be sure to disclose any other consulting relationships you may have with that firm or company, as there may be independence considerations that the consulting firm has to take into account.

In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. The following resources can help audit professionals understand the present landscape and augment their knowledge:  

  • Recent articles from WSJ.com, HBR.org, or other leading business periodicals
  • Newsletters and updates from the AICPA, ISACA, ISO, NIST, and other similar organizations
  • Relevant blog posts from Deloitte Insights, EY Insights, The Protiviti View, RSM’s Blog, or The IIA’s blogs

Image: The Institute of Internal Audit (IIA) Competency Framework for Internal Audit Professionals

Source: The IIA Competency Framework for Internal Audit Professionals

All of these resources can be leveraged to identify relevant risks, inform internal audit procedures, and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources in the midst of an audit can be tough. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.

3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)

Collating guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory and best practice recommendations. The IPPF aims to support the overall mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing.

In addition to the IIA, organizations like ISACA can also provide guidance around internal audit processes.

4. Frameworks for Internal Audit Processes: COSO ICIF 

Although a risk-based approach to internal auditing can and should result in a bespoke internal audit program for each organization, taking advantage of existing frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control — Integrated Framework to inform your program can be a win for your internal audit team and avoid reinventing the wheel. Before applying a certain framework, the internal audit team and leadership should evaluate the suitability of that framework as it maps to the business.

While used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal auditors can also leverage COSO’s 2013 Internal Control — Integrated Framework (ICIF) to create a more comprehensive audit program. COSO’s ICIF focuses on fraud, internal controls, and financial reporting, while covering subjects like the overall Control Environment of the organization, Information and Communication, and Risk Management. Since COSO’s ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the U.S. may benefit the most from employing this framework as part of their internal audit program.

  • Review COSO’s 2013 Internal Control components, principles, and points of focus here.

5. Initial Document Request List

The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL”, is one of the central documents of any audit. The Request List is an evolving list of requests which may cover everything from interview scheduling, evidence requests, policies and procedures, reports, supporting documentation, diagrams, and more, with the purpose of providing auditors with the information and documents they need to complete the audit program for the designated projects or processes.

Requesting and obtaining documentation on how processes work is an obvious next step in preparing for an audit. These requests should be delivered to stakeholders as soon as possible in the audit planning process to give stakeholders (with day jobs!) time to provide the right evidence. As requests come in, the internal audit team should be reviewing documented information for any follow-ups, and periodically updating the request list as items get closed out. The following requests should be made in order to gain an understanding of processes, relevant applications, and key reports:

  • All policies, procedure documents, workflow diagrams, and organization charts
  • Key reports used to manage the effectiveness, efficiency, and process success
  • Access to key applications used in the process; read-only if possible
  • Description and listing of master data for the processes being audited, including all data fields and attributes

From the listings received of master data, auditors can then make detailed sampling selections to test that processes and controls are being performed effectively, as designed, every time. 

6. Preparing for a Planning Meeting With Business Stakeholders

Before meeting with business stakeholders, the internal audit committee should hold a meeting in order to confirm a high-level understanding of the objectives of the audit plan and program(s), key processes and departments, and the fundamental roadmap for the audit.

Then, after aligning some ducks internally, the audit team should also schedule and conduct a planning meeting with business stakeholders for the scoped processes. This keeps everyone on the same page, and gives business personnel the time and opportunity to coordinate audit efforts with their business units. The following steps should be performed to prepare for a planning meeting with business stakeholders:

  • Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components.
  • Validate draft narratives and flowcharts with subject matter experts and stakeholders (if possible).
  • Develop an agenda or questionnaire for all meetings internally or with business stakeholders.

Preparing the questionnaire after performing the initial research sets a positive tone for the audit, and demonstrates that internal audit is informed and prepared. Planning, preparedness, and cooperation are critical to achieving audit objectives and gleaning deeper insights from the audit.

7. Preparing the Audit Program

Once the internal audit team has completed initial planning, consulted with SMEs, and researched the applicable frameworks, they will be prepared to create an audit program. Audit teams can leverage past audit programs to better design present and future procedures. An audit program should detail the following information:

Summary and Purpose of the Audit Program

Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.

Process Objectives and Owners

When completing the audit program, documenting the process objectives and tying each process to owners designates accountability.

Process Risks

Along with the process objectives and owners, the risks associated with the process should also be noted.

Controls Mitigating Process Risks

Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks that they address. Compensating controls can also be noted here.

Control Attributes

Control attributes are the components and characteristics of the control activity that are critical to the effective execution of that control. Asking the following questions and documenting the results is a good starting point, though some controls may have unique or uncommon attributes as well.

  • Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control? 
  • How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
  • What type of risk does the control mitigate (fraud, operational, security, etc.)?
  • Is the control manually performed, performed by an application, or a combination?
  • How likely is the risk to be realized (e.g. Highly Likely, Likely, Unlikely)?
  • How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
  • What evidence does the audit team need to complete audit testing procedures?

Testing Procedures and Methods for Controls to be Tested During the Audit

There are four ways to test controls as part of an audit. Many times, these methods must be combined to fully and completely test a control. These four methods are as follows:

  • Inquiry, or asking how the control is performed
  • Observation, or viewing the control being performed, typically in real-time
  • Inspection, or reviewing documentation evidencing the control was performed
  • Re-performance, or independently performing the control to validate outcomes

A comprehensive audit program contains sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel only, and only shared when approved.

8. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:

  • Internal Audit Manager or Senior Manager
  • Chief Audit Executive
  • Subject Matter Expert(s)
  • Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who take a risk-based approach and create and document audit programs from scratch, rather than relying on template audit programs, will be more capable and equipped to perform audits over areas not routinely audited. When internal audit teams can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction increases as they take on more interesting projects and have an effect on the organization. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact to enable positive change in their organizations.


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.

The Auditor

An exemplar global publication.

Writing A Great Audit Report

by Richard A. Vincins

Preparing for and conducting an audit are the initial components of the audit process; writing a good audit report is the final step. However, auditors are often frustrated when their audit reports are not taken seriously or used effectively because they do not provide meaningful information. This article will discuss how to write a great audit report so that whether it’s used internally or externally, the audit report conveys the proper information. We will discuss some of the best practices for audit report writing to ensure that the content of an audit report is not merely sufficient. This article will also cover writing audit reports for both internal audits and external audits, such as supplier audits or compliance audits. It will conclude with another important aspect of writing a great audit report: timely distribution so the results of the audit are kept fresh and current.

Know your audience

One of the more difficult aspects of writing an audit report is understanding your intended audience. This may seem like common sense, but many audit reports are confusing to the recipient or not at the right level. This is particularly true for compliance audits where the findings are written in regulatory jargon so that the meaning of the finding is not clear. Writing a great audit report requires that you put yourself in your audience’s perspective to make sure the content is understandable and what the audience expects. Internal audit reports are typically sent to the process owner or department manager. They will expect to see a list of specific findings. Generally, internal audit reports can be written with more technical terms because the reader will understand the relation to the processes at the company. This may not be true when writing external audit reports.

When sending external audit reports to a recipient such as a supplier or contract manufacturer, he or she will want to see more of a narrative of the issues that were found during the audit. In fact, the audit findings may need to be written in plain terms that may come close to sounding like recommendations so that the external party knows what actions must be taken. The audience of the audit report may not have adequate knowledge of regulations or standards referenced in the report. If the report contains technical terms or regulatory terms from a standard that the auditee may not be familiar with, then the audit report will be confusing to him or her. Writing the report with the auditee’s experience in mind will ensure that it is not disregarded because the recipient does not understand it.

Use a standard template for your audit report

Another way of writing great audit reports is to standardize them, which can be accomplished through using templates. Developing a standardized report template for audits will also ensure that multiple auditors are conveying similar information. Typically, organizations already have an internal audit report for their quality systems. However, many organizations do not utilize the same report for external audits or allow different departments to publish their own external audit report. This results in suppliers or contract manufacturers not receiving consistent information or receiving inadequate information from the auditors.

A standard template allows the company to convey to external parties the proper information of the audit criteria, audit findings, and what is expected from the organization in the future. This may include a clear delineation of audit findings that require corrective action. By having a standard template for internal audits and external audits the organization conveys the correct and complete information to the recipient.

Generate a clear and concise list of findings

The list of findings in the audit report needs to be generated at the appropriate level for the recipient and provide enough detail that the finding is understood. An audit report might be reviewed by the auditee weeks later and he or she may have already forgotten what was covered during the audit. If the finding in the audit report does not convey the deficiency appropriately, the auditee may not apply the corrective action needed to resolve the issue. Audit findings are not easily applied to different situations, so an audit finding statement may not be able to be “reused” in the audit report. However, it may be possible to utilize an audit checklist that will help the organization keep consistency between audits performed at different times.

Internal audit reports typically include more technical information than all personnel at the company would understand. When writing an audit report for an external audit, this may require more simplistic phrases or the audit findings written in plain context. The external parties may not have the expertise to understand how an audit finding relates to their overall business because they may not have a quality management system (QMS) implemented. The following two statements show a comparison between an audit finding written for an internal audit report and the same finding written for an external audit report. This example shows that the same audit finding can be interpreted or read differently by the audience depending on their knowledge and experience with quality systems.

  • Internal audit report: There is no evidence of employee training as there was no training record completed for the quality system procedures. According to the training chart, form 6.2-1-2, the employees must be trained on required procedures according to their job description. Specifically, two employees’ training records were reviewed with no evidence of completed training records to the required quality system procedures because the form 6.2-1-1 was not completed.
  • External audit report: There is no record that employees have been trained on their specific job functions. Without a record to show that employees are properly trained, the quality of the product cannot be fully assured. The training must be completed to support that the products of Company X are made consistently to specification.

Another method to be applied for writing a great audit report is to not use “wishy-washy” words or “gobbledygook” (long phrases with no meaning). Make the audit finding statements clear and concise. Write the findings without emotion or feeling words so that the audit report is fact-based. Don’t confuse the recipient of the audit report by writing around the issue or trying to soften its message. Doing so makes it less likely the appropriate corrective action will be applied or the auditee may even choose not to do anything because he or she doesn’t understand the report. The audit finding must be written concisely with clear statements that relate back to the observation because the audit report may be reviewed weeks later.

Timely distribution of the audit report

Although it may not be directly related to the writing of an audit report, the timely distribution of the audit report is still an important aspect of the audit process. The audit report could be the best audit report ever produced, but if it’s sent to the auditee a month after the audit, the report loses much of its relevance. A great audit report is one that is sent in a timely manner to the auditee whether it is an internal or external audit report. A good rule of thumb is to send the audit report within five to 10 working days. Beyond 10 working days the recipient may not take the audit report seriously. In fact, audit reports that are not sent to external parties in a timely manner lose much credibility for the organization. When a great audit report has been written, make sure this is also sent promptly to have the most benefit.

Audit report–Conclusion

To write a good audit report takes practice. To write a great audit report takes much more practice. Hopefully the discussion presented in this article will help bridge that gap to present much better audit reports, be they for internal or external audits. Before you begin writing the audit report, think about your intended audience. Don’t write to yourself; as you are writing, think about saying the statement to your intended audience. Use standard templates for the audit report to stay consistent while providing the correct information to the auditee each time. Ensure that the audit findings are clear and concise to convey the appropriate level of detail. Then make sure that the audit report is sent in a timely manner so the audit does not lose its priority.

About the author

Richard A. Vincins, CQA, CBA, RAC(US, EU) is the vice president of quality assurance with Emergo Group, a global medical device consulting firm with headquarters in Austin, Texas. He is responsible for the implementation of quality systems, conducting quality system audits, training on quality system tools, and providing regulatory expertise in national and international regulations. Vincins has more than 20 years of experience in the medical industry, including worldwide regulatory compliance efforts for in-vitro device, medical device, and pharmaceutical companies. 

Writing a good QMS internal audit report

Advisera Mark Hammar

In ISO 9001, the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process? Many people who are not well versed in audits or the overall quality management system may not fully understand how important an audit report can be. Here is the information you need to know.

What is the importance of an audit report?

An audit report is the official record of an audit – the only official record. All of the notes taken by the auditors, all of the comments made by employees during the audit, all of the information taken by the process owners during the audit, and all of the statements made at the closing meeting really don’t amount to anything official. If something is not recorded in the audit report, it doesn’t really count. Remember that it will not only be the people who were audited or were at the closing meeting who will read the audit report; audit reports are also used in management review by people who were not part of the audit.

This is why the audit report from, e.g., a third-party certification body is so detailed; the report needs to record all the information necessary to detail any corrective actions needed and justify why your company is compliant with the ISO 9001 standard. The audit report needs to be the complete recorded evidence of all aspects of the audit. In many ways, an audit without a good report is not really an audit.

What should be in an audit report?

So, this brings up the question of what makes a good audit report. What needs to be included, and what should be eliminated? When looking at this, it is important to remember again that the audit report is the one official report of the audit, and therefore must stand on its own. The best practice for audit report content is included in ISO 19011, guidelines for quality and/or environmental management systems auditing. This may be overkill for a small company, and can be reduced if required, but it is a good start when considering what you want to include in your audit reports.

Here is a list from ISO 19011 of the seven items that should be included in an audit report:

  • Audit Objective – What was the purpose of the audit? Was this a regular audit of a process, or a follow-up on a corrective action? All audits are done to demonstrate compliance with the requirements, but was there anything else that was being done?
  • Audit Scope – What were the boundaries of the audit? If there is more than one manufacturing line using the process, how many were audited? Was a night shift or evening shift excluded?
  • Audit Client – Who was the process owner or owners that the audit was performed for?
  • Audit Dates and Places – It is important to be able to demonstrate the timeframe when all of your audits of the system take place. Also, for management review, it might be important to know the chronology of the audits that are being reviewed.
  • Audit Criteria – What were the processes audited against? For instance, this could be the ISO 9001 standard, internal company procedures & policies, or customer requirements.
  • Audit Findings – What are the results of the evidence found? Some companies discriminate between major findings (where there is a systemic failure) and minor findings (such as one or two mistakes that were made, but that were not universal), but this is not necessarily the case. Some companies include positive findings and best practices that can be shared throughout the organization in this section as well. It is important to include the audit evidence for these findings, such as the contract numbers that were reviewed, but leave out the names of people who were audited. The findings are about identifying corrective action, not assigning blame.
  • Audit Conclusions – What is the summary of the outcome of the audit? Were there too many findings to determine if the process was properly implemented? What is the assessment of the effectiveness of the QMS from this audit? For some busy executives who just want the summary of the audit, this might be the one and only thing they read in the report, leaving the details to the process specialists.

Additionally, ISO 19011 includes some optional items; the following could be applicable to an internal audit if deemed to be useful:

  • Audit Plan – This is the plan of who is auditing what processes, and when. For a large audit with multiple auditors, this can be useful.
  • Summary of Audit Process & Obstacles – This is especially important to include if there were some obstacles, such as scheduling for an absent process expert, which hindered the audit.
  • Any Areas not Covered – If you needed to exclude something you intended to cover, like a second shift, this should be noted for future reference.
  • Disagreement between Auditor and Auditee – If the process owner does not agree that the audit evidence presented is non-conforming, as specified by the auditor, then this should probably be noted in the report.
  • Opportunities for Improvement – Like the positive finding mentioned above, many companies will use recommendations for improvement as a way to document the cases when an auditor has identified something that is not non-conforming, but could be improved.
  • Agreed Follow-up Plans – If an agreement was made on how to address a non-conformance, recording it in the report can be helpful.

For more on using ISO 19011 to improve your internal audit process, see ISO 9001 internal audit in 13 steps using ISO 19011.

An audit report should not include surprises

One final thing to note is that nothing in the report should come as a surprise to the auditees who read it. If information was not presented at the closing meeting, it should not find its way into the audit report. Use your audit report to document what happened in the audit, make it easy to understand, and you will find that your audit information will benefit your efforts to improve your QMS.

How to Write an Audit Report

Last Updated: March 6, 2023 Fact Checked

This article was co-authored by Michael R. Lewis. Michael R. Lewis is a retired corporate executive, entrepreneur, and investment advisor in Texas. He has over 40 years of experience in business and finance, including as a Vice President for Blue Cross Blue Shield of Texas. He has a BBA in Industrial Management from the University of Texas at Austin. There are 9 references cited in this article, which can be found at the bottom of the page. This article has been fact-checked, ensuring the accuracy of any cited facts and confirming the authority of its sources. This article has been viewed 461,865 times.

An audit report is the formal opinion of audit findings. The audit report is the end result of an audit and can be used by the recipient person or organization as a tool for financial reporting, investing, altering operations, enforcing accountability, or making decisions. An effective audit report is essential to making sure the results of your audit are presented in a way that is useful to the party receiving the audit.

Preparing to Write an Audit Report

Step 1 Understand the basic goals of all audit reports.

  • Illustrating non-conformities: The main goal of any audit report is to illustrate where the organization does not conform with whatever standard, rule, regulation or objective that it is supposed to. It is important to clearly identify the non-conformity, as well as the standard it does not conform to. It is then important to demonstrate which evidence you used to confirm the non-conformity. The goal is that each non-conformity will contain enough information so that the receivers of the audit report can change it. [1]
  • Outlining positives: An audit report should not just include negatives. This is especially true for compliance reports, and operational audits. This allows the organization to focus on areas that are working and apply these to other areas. For example, if you are conducting a compliance audit to ensure an organization meets training requirements, you may say, "The audit reveals the current training program has exceeded requirements on-time and on-budget".
  • Opportunities for improvement: Beyond indicating things that are not conforming to requirements (non-conformities), it is important to also indicate high-risk areas, or areas that may be in compliance but are at risk of eventually not complying, or could be improved. [2]

Step 2 Think about who will be reading the report.

Tip: Make sure to define all the terms and abbreviations you use, as the standard forms of communication have potential to change.

Step 3 Learn the different types of audit.

  • Financial Audit: This is the most commonly known form of audit and refers to the systematic review of a company's financial reporting to ensure all information is valid and conforms to GAAP standards.
  • Operational Audit: An operational audit is a review of an organization's usage of resources to ensure those resources are being utilized as efficiently and effectively as possible to accomplish the mission and goals of the organization.
  • Compliance Audit: A compliance audit is performed to determine if an organization or program is operating in accordance with laws, policies, regulations, and procedures.
  • Investigative Audit: These are typically commissioned when there is an assumed violation of rules, regulations, or laws, and may involve a blend of all the previously mentioned types of audit.

Step 4 Learn the types of audit opinions.

  • A clean opinion is used if an entity's financial statements are a clear representation of an entity's financial opinion.
  • A qualified opinion is used when there were scope limitations on the auditor's work. Scope limitations are restrictions on the audit caused by the client or other events that do not allow the auditor to complete all aspects of his or her audit procedures.
  • An adverse opinion is used if financial information was misstated.
  • A disclaimer opinion can be triggered by several different situations. For example, the auditor may not be independent or there are concerns with the auditee. [4]

Beginning Your Report

Step 1 Know the style of audit reporting before you begin.

  • Provide perspective for the reader, giving a fair balance of the positive and negative results of the audit.
  • Be precise, and avoid redundant phrasing and inexact terminology. In the interest of clarity, opt for shorter sentences over longer ones. A limit of 15 to 18 words is recommended in business writing. Also, avoid intensifiers like "clearly," "special," "key," and "reasonable," as these lack precision.
  • Do not use passive voice. Passive voice can be difficult to read. Instead of saying "No irregularity of operation was found" say "The audit team found no evidence of irregularity."
  • Use bullet points, which break up difficult information and make it clearer for the reader.
  • Use gender neutral terms.
  • Do not use audit buzzwords. Buzzwords are ambiguous, overused phrases like "generally improved," "significant risk," and "tighten controls."

Step 2 Outline your audit report.

  • For example, if you are auditing the processes for a particular department of an organization, you may consider breaking the department up into several key sections and reporting findings that way.

Step 3 Write your Introduction.

  • Why was the audit conducted?
  • What was included and not included in the audit?
  • What was the time period audited?
  • What were the audit objectives? [6]

Step 5 Continue onto the Statement on Auditing Standards.

  • A brief description of what was audited, objectives, scopes, and time periods.
  • Statements of significant action plans.
  • Overall statements of concerns and conclusions.
  • Overall audit report rating. [8]

Writing Your Results and Recommendations

Step 1 Write an opening statement for your findings/recommendations section.

  • Criteria is an explanation of management goals and the standards used to evaluate the program, function, or activity audited.
  • Condition is how effectively department management is meeting goals and/or achieving standards. Goals can either be fully achieved, partially achieved, or not achieved.
  • Cause is a statement on the reason things have gone well or poorly. Possibilities include inadequate procedures, procedures not being followed, poor supervision, or unqualified employees.
  • Effect states the result of the conditions, in quantifiable terms. Is the effect increased risk or exposure? Is it monetary cost? Is it poor performance? This should be addressed when you cover effect. [10]

Step 3 Make effective recommendations.

  • Be positive. Focus on what is going right at the moment, and how the good aspects of the entity can be applied in ineffective areas.
  • Be specific. Be very clear as to what specific aspects do not adhere to protocol, and what concrete steps could be implemented to ensure compliance.
  • Identify who should act. Does the company need better employee performance or should management be picking up the pace? Make clear who needs to make changes.
  • Keep recommendations brief. Be succinct - only include details that are necessary to your point. [11]

Step 4 Follow proper format.

  • Include a cover page. The cover page should be three or four lines, and outline the subject of the audit report and the type of audit.
  • A memo should follow the cover page. The memo should be one or two short paragraphs overviewing who and what was audited, who has received or is receiving the report, and plans for future distribution.
  • A table of contents follows the memo, and it contains a catalogue of chapters, page numbers, sections, and suggestions of the audit.
  • The report should be written in plainly-worded, non-technical language and use proper grammar and paragraph organization.
  • Reports are organized by chapters, each with a title, and by sections and subsections, each marked with a heading. Headings should go from general to more specific. [12]

  • ↑ http://www.qualitydigest.com/june07/articles/05_article.shtml
  • ↑ https://www.cmu.edu/finance/audit-services/internal/types-of-audits.html
  • ↑ https://www.icaew.com/-/media/corporate/files/helpsheets/technical/aaf-guides/audit-report-disclaimer-of-opinion.ashx
  • ↑ https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101
  • ↑ https://audit.mit.edu/guidance-resources/what-expect/what-are-audit-ratings
  • ↑ https://financialcrimeacademy.org/reporting-recommendations-and-findings/
  • ↑ https://www.iiafiji.org/resources/bbc5020b-a5ab-4388-b633-83813515c797.pdf
  • ↑ https://www.anao.gov.au/work/performance-audit/implementation-audit-recommendations
  • ↑ https://www.wallstreetmojo.com/audit-report-format/

About This Article

Michael R. Lewis

To begin an audit report, write an "Introduction" that gives background information. Then, add a "Purpose and Scope Methodology" section that outlines your goals and explains what you included and excluded from your report. After this section, add your disclaimer, the "Statement on Auditing Standards," and end with your "Executive Summary." This summary should explain your findings, ratings, and any action that will be taken. Throughout the report, use concise language and bullet points.

Complimentary On-Demand Webinar

In today's dynamic audit landscape, writing stands out as a potent tool for communicating report findings and driving meaningful change. Dr. Lauren Primuth and Dr. Hernan Murdock, both seasoned professionals in the field, will guide you through the process of harnessing this power.

Watch as we explore:

  • Streamlined techniques for crafting impactful audit reports
  • User-friendly writing tools for immediate improvement
  • Tailoring writing styles to suit diverse report types

Equip yourself with the skills and tools to elevate your audit report writing from the very first session. Don't miss this valuable opportunity to enhance your professional capabilities.

Ready to take your audit reporting to the next level?

How to Write Effective Audit Reports

How to write an internal audit report for ISO 27001

As part of the management system requirements, Clause 9.2 details what must be done regarding internal audits. This includes a requirement for retaining documented evidence of the audit results, and this is done by way of an audit report.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that:

  • The requirements of the standard are met,
  • The organisation’s own information requirements and objectives for the ISMS are met,
  • The policies, processes, and other controls are effective and efficient.

ISO 27001 is designed to enable an organisation to manage its information security risks to a tolerable level. In addition to the overall compliance and effectiveness of the ISMS, it will therefore be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

Internal Audit For ISO 27001 Requirement 9.2

Clause 9.2 Internal audit mandates:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

  • the organization’s own requirements for its information security management system; and
  • the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.”

How do ISO 27001 internal audits work?

Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out before certification and during each certification period.

They require the selection of a competent and objective auditor to undertake each internal audit verifying compliance with the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS, and that the policies, processes, and other controls are effective and efficient.

Activities included within an internal audit:

  • Documentation review
  • Evidential sampling
  • Interviewing staff with key information security responsibilities
  • Interviewing other staff (and possibly contractors)
  • Assessing the findings
  • Writing the audit report.

How often do I need to conduct an audit?

Whilst ISO 27001 itself is not clear on how often you must perform internal audits, it is expected that the audit programme follows the same requirements as those placed upon the certification bodies for conducting their audits following ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of ISMSs.

ISO 27006 requirement 9.1.5.2 e states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”

Therefore, you need to conduct internal audits covering the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period.

It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It’s recommended that you audit the management system requirements (Clauses 4-10) annually. This can be tied into your ISMS management review, which also has to be conducted annually.

Within ISMS.online, we provide a pre-built Audit Programme work area which includes:

  • Activities for 2 recommended audits before certification
  • A plan of internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

Why do I need to create a report for an internal audit?

The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the ……… audit results”.

This is done within an Audit Report.

What needs to be done when preparing the report?

Obviously, before you can document the audit report, you have to plan and carry out the audit. You can then document the findings in the report.

Get started with your ISO 27001 audit plan

For each audit, you will need to plan:

  • What the audit is going to cover – which section(s) of the standard, locations, business processes etc
  • Who the auditor will be – must be competent and objective.
  • When the audit is conducted – it must not have a significant, adverse impact on the organisation’s operation.
  • The method(s) of audit – documentation review, sampling, interviews etc
  • Who will need to be involved in the audit?

Every audit will require the review of relevant documentation, including policies, procedures, standards, and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered to ensure easy and timely access to the relevant documentation.

In ISMS.online, this is made easy by either having the documentation within the system or linking it within the standard’s relevant section.

Evidential sampling & interviews

Most audits will require the sampling of evidence to a lesser or greater degree. This may include interviewing relevant key staff, end users, and sometimes even temporary staff and contractors.

Sources for sampling may include, for example:

  • Interviews with employees and other persons
  • Observations of activities and the surrounding work environment and conditions
  • Documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders
  • Records, such as inspection records, minutes of meetings, audit reports, records of the monitoring programme and the results of measurements
  • Data summaries, analyses, and performance indicators
  • Information on the auditee’s sampling plans and the procedures for the control of sampling and measurement processes
  • Reports from other sources, e.g. customer feedback, external surveys and measurements, additional relevant information from external parties and supplier ratings
  • Databases and websites
  • Simulation and modelling

Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine any nonconformities or opportunities for improvement.

Findings are normally categorised as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

Some certification bodies also use:

  • Observation – where there are early indications a minor nonconformity may exist or may develop if no action is taken.
  • Positive point – awarded either where an organisation has gone beyond recognised good practice or where there has been significant improvement in an area since the previous audit.

Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.

How is an internal audit report prepared?

The audit report must be prepared as documented information, but this doesn’t mean it has to be a separate Word or PDF document. Within the ISMS.online platform, we encourage avoiding such documents and instead provide a work area in which the report can be documented directly. This area offers additional functionality, including the ability to easily link to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.

Create an executive summary

The executive summary is useful so that senior management can quickly and easily see an overview of the findings, including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked to the ISMS management review following Clause 9.3.

This will usually include:

  • A general overview of the operation of the areas of the ISMS covered in the audit.
  • A numerical summary of the categories of findings.
  • The highlighting of any urgent/critical findings.
  • A brief description of the next steps to be taken to address any findings.

Introduce terminology used

To ensure a common understanding of the report’s findings, it is necessary to include definitions of any terminology that is specific to the organisation, the audit process, or the standard. Remember that not everyone who needs to read, assess and understand the report will necessarily understand all of the terminology used.

Describe the Audit Plan

This will include:

  • The scope of the audit – area(s) to be covered, locations, staff, business processes etc
  • The name of the auditor(s)
  • The dates, times and locations of the audit

Describe facts found

For each section of the audit, you should document the findings, including notes of any evidential samples taken.*

It is good practice to record compliance and positive points and document any nonconformities or opportunities for improvement.

The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.

*Note – if evidential samples contain personally identifiable information, it is usual practice to pseudonymise or anonymise the data in line with privacy legislation requirements such as GDPR.

Document nonconformities and opportunities for improvement

Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes as documented in accordance with Clause 10.1 Nonconformity and corrective action; and 10.2 Continual improvements.

Describe recommendations

As this is an internal audit report, it is allowable for an auditor to make recommendations about how an organisation might address findings. Ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.

How ISMS.online makes reporting easy

The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS, including the documentation of audit reports.

ISMS.online includes a pre-built audit programme project that covers both internal and external audits.

The pre-built audit programme includes:

Each internal audit activity contains a template for a combined audit plan and report.

Prior to conducting the audit, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.

During or after conducting the audit, the auditor can write notes directly into the templated audit activity.

As well as simply providing the audit activity templates, ISMS.online provides the ability to quickly link to other work areas within the platform which means that linking audit findings to controls, corrective actions and improvements, and even to risks is made easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.

COMMENTS

  1. PDF Audit Report Writing Toolkit

    The style and format of written internal audit reports varies across organizations. The internal audit report structure could be consistent with the organization's communication templates and practices, reflecting the organization's culture, and/or incorporate suggestions from senior management and the board.

  2. Compiling a Useful Audit Report: Best Practices

    How Do You Write a Good Audit Report? A good audit report conveys a clear message to the reader, whether that's an unqualified opinion or a list of expenditures that can be eliminated. Audit reports should be brief and to the point.

  3. Writing an Impactful Audit Report:

    The best internal audit reports express big ideas in small words, never small ideas in big words. Our writing is most persuasive when we use clear, direct, and familiar language. This does not mean "dumbing down" our reports; it does mean clear and effective communication — the opposite of legalese.

  4. Writing an effective Internal Audit report

    1. Internal audit standards relevant to the reporting - Standards relevant to reporting are: SIA 370 - Reporting results (issued by ICAI) 2060 - Reporting to Senior Management and the Board...

  5. PDF A guide to

    When writing a report there are five key areas which you should always consider: What is the purpose of the report? Who will read it? How to start. The report structure. Style and presentation. The purpose of the report Before we start to write the report we need to know its purpose: What is it for? to report the findings of an audit review.

  6. Effective Report Writing| Delivering internal audit

    Effective Report Writing This brief guidance addresses internal audit functions that produce written reports. You may believe this is all of them - however, nowhere in the Standards does it say we must produce a final written report.

  7. Breaking Down the Audit Report

    A well-written internal audit report, which some may argue is a rare thing, should be easy to read and review and even easier to act on. Whether new or experienced, internal auditors can always benefit from a refresher on the basics of audit report writing.

  8. What is an internal audit report?

    How is an internal audit report prepared? 1. Make a cover Have you ever heard the saying that the first impression is the one that lasts? The auditor's work should make a good impression, which is why starting with a quality cover is fundamental.

  9. Writing Effective Internal Audit Reports

    Here are six quick tips for writing effective internal audit reports: Know your audience. When crafting your audit report, it's important to remember who the end user is. How much does the audience know about the audit and the processes involved? How do they plan on using the information in the report?

  10. Step-by-Step Internal Audit Checklist

    The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and process subject matter experts, 3) frameworks for internal audit processes, 4) initial document request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the audit program, and 7) audit program and planning review. 1.

  11. Writing A Great Audit Report

    by Richard A. Vincins Preparing for and conducting an audit are the initial components of the audit process; writing a good audit report is the final step. However, auditors are often frustrated when their audit reports are not taken seriously or used effectively because they do not provide meaningful information.

  12. Writing a good QMS internal audit report

    Writing a good QMS internal audit report Mark Hammar March 17, 2015 In ISO 9001, the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process?

  13. How to Write an Audit Report: 14 Steps (with Pictures)

    1 Understand the basic goals of all audit reports. Before delving into the specifics of writing an audit report, it is important to have a broad view of the major objectives of all audit reports. Having these in mind as you delve into the technicalities of writing a report will make sure your report does what it is supposed to do.

  14. Writing Highly Effective Internal Audit Report In < 60 Days

    Description. - The components of an Audit Finding (Condition, Criteria, Cause, and Effect) and how to organize the flow of thought to write a clear and concise Audit Finding in accordance with the Institute of Internal Auditors' International Standards for Professional Practice of Internal Auditing (IIA's Standards). Case studies included;

  15. Tips on writing Internal Audit Reports

    Internal Audit Report writing constitutes the most critical and significant component of any internal audit assignment regardless of the size, location and complexity of business,...

  16. How to write an Internal Audit Report that influences Action

    Tip 3. KEEP IT SHORT - Keep your report short and concise, most times the report is read by people who spend minimum time at their desks and more in transit or on site. A 10-page report can convey ...

  17. How to Write Effective Audit Reports

    Watch as we explore: Streamlined techniques for crafting impactful audit reports User-friendly writing tools for immediate improvement Tailoring writing styles to suit diverse report types Equip yourself with the skills and tools to elevate your audit report writing from the very first session.

  18. How to write an internal audit report for ISO 27001

    An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that: The requirements of the standard are met, The organisation's own information requirements and objectives for the ISMS are met, The policies, processes, and other controls are effective and efficient.

  19. PDF Effective Audit Report Writing

    General Course Objectives. Identify ways to enhance and streamline existing audit reporting process. Develop a method for drafting audit reports that focus on the 3 "C's" - clear, complete, and concise. Persuade readers to take action. Assess and enhance logical flow of narrative.

  20. HOW TO WRITE EFFECTIVE AUDIT OBSERVATIONS

    Preparing for and conducting an audit are the initial components of the audit process; writing a good audit report is the final step. ... it is an internal or external audit report. A good rule of ...