• PRO Courses Guides New Tech Help Pro Expert Videos About wikiHow Pro Upgrade Sign In
  • EDIT Edit this Article
  • EXPLORE Tech Help Pro About Us Random Article Quizzes Request a New Article Community Dashboard This Or That Game Popular Categories Arts and Entertainment Artwork Books Movies Computers and Electronics Computers Phone Skills Technology Hacks Health Men's Health Mental Health Women's Health Relationships Dating Love Relationship Issues Hobbies and Crafts Crafts Drawing Games Education & Communication Communication Skills Personal Development Studying Personal Care and Style Fashion Hair Care Personal Hygiene Youth Personal Care School Stuff Dating All Categories Arts and Entertainment Finance and Business Home and Garden Relationship Quizzes Cars & Other Vehicles Food and Entertaining Personal Care and Style Sports and Fitness Computers and Electronics Health Pets and Animals Travel Education & Communication Hobbies and Crafts Philosophy and Religion Work World Family Life Holidays and Traditions Relationships Youth
  • Browse Articles
  • Learn Something New
  • Quizzes Hot
  • This Or That Game New
  • Train Your Brain
  • Explore More
  • Support wikiHow
  • About wikiHow
  • Log in / Sign up
  • Finance and Business
  • Business Skills
  • Business Writing

How to Write an Audit Report

Last Updated: March 6, 2023 Fact Checked

This article was co-authored by Michael R. Lewis . Michael R. Lewis is a retired corporate executive, entrepreneur, and investment advisor in Texas. He has over 40 years of experience in business and finance, including as a Vice President for Blue Cross Blue Shield of Texas. He has a BBA in Industrial Management from the University of Texas at Austin. There are 9 references cited in this article, which can be found at the bottom of the page. This article has been fact-checked, ensuring the accuracy of any cited facts and confirming the authority of its sources. This article has been viewed 461,008 times.

An audit report is the formal opinion of audit findings. The audit report is the end result of an audit and can be used by the recipient person or organization as a tool for financial reporting, investing, altering operations, enforcing accountability, or making decisions. An effective audit report is essential to making sure the results of your audit are presented in a way that is useful to the party receiving the audit.

Preparing to Write an Audit Report

Step 1 Understand the basic goals of all audit reports.

  • Illustrating non-conformities: The main goal of any audit report is to illustrate where the organization does not conform with whatever standard, rule, regulation or objective that it is supposed to. It is important to clearly identify the non-conformity, as well as the standard it does not conform to. It is then important to demonstrate which evidence you used to confirm the non-conformity. The goal is that each non-conformity will contain enough information so that the receivers of the audit report can change it. [1] X Research source
  • Outlining positives: An audit report should not just include negatives. This is especially true for compliance reports, and operational audits. This allows the organization to focus on areas that are working and apply these to other areas. For example, if you are conducting a compliance audit to ensure an organization meets training requirements, you may say, "The audit reveals the current training program has exceeded requirements on-time and on-budget".
  • Opportunities for improvement: Beyond indicating things that are not conforming to requirements (non-conformities), it is important to also indicate high-risk areas, or areas that may be in compliance but are at risk of eventually not complying, or could be improved. [2] X Research source

Step 2 Think about who will be reading the report.

Tip: Make sure to define all the terms and abbreviations you use, as the standard forms of communication have potential to change.

Step 3 Learn the different types of audit.

  • Financial Audit: This is the most commonly known form of audit and refers to the systematic review of a company's financial reporting to ensure all information is valid and conforms to GAAP standards.
  • Operational Audit: An operational audit is a review of an organization's usage of resources to ensure those resources are being utilized as efficiently and effectively as possible to accomplish the mission and goals of the organization.
  • Compliance Audit: A compliance audit is performed to determine if an organization or program is operating in according with laws, policies, regulations, and procedures.
  • Investigative Audit: These are typically commissioned when there is an assumed violation of rules, regulations, or laws, and may involve a blend of all the previously mentioned types of audit.

Step 4 Learn the types of audit opinions.

  • A clean opinion is used if an entity's financial statements are a clear representation of an entity's financial opinion.
  • A qualified opinion is used when there were scope limitations on the auditor's work. Scope limitations are restrictions on the audit caused by the client or other events that do not allow the auditor to complete all aspects of his or her audit procedures.
  • An adverse opinion is used if financial information was misstated.
  • A disclaimer opinion can be triggered by several different situations. For example, the auditor may not be independent or there are concerns with the auditee. [4] X Research source

Beginning Your Report

Step 1 Know the style of audit reporting before you begin.

  • Provide perspective for the reader, giving a fair balance of the positive and negative results of the audit.
  • Be precise, and avoid redundant phrasing and inexact terminology. In interest of clarity, opt for shorter sentences over longer ones. A limit of 15 to 18 words is recommended in business writing. Also, avoid intensifiers like clearly, special, key, and reasonable as these lack precision.
  • Do not use passive voice. Passive voice can be difficult to read. Instead of saying "No irregularity of operation was found" say "The audit team found no evidence of irregularity."
  • Use bullet points, which break up difficult information and make it clearer for the reader.
  • Use gender neutral terms.
  • Do not use audit buzzwords. Buzzwords are ambiguous, overused phrases like "generally improved," "significant risk," and "tighten controls."

Step 2 Outline your audit report.

  • For example, if you are auditing the processes for a particular department of an organization, you may consider breaking the department up into several key sections and reporting findings that way.

Step 3 Write your Introduction.

  • Why was the audit conducted?
  • What was included and not included in the audit?
  • What was the time period audited?
  • What were the audit objectives? [6] X Research source

Step 5 Continue onto the Statement on Auditing Standards.

  • A brief description of what was audited, objectives, scopes, and time periods.
  • Statements of significant action plans.
  • Overall statements of concerns and conclusions.
  • Overall audit report rating. [8] X Research source

Writing Your Results and Recommendations

Step 1 Write an opening statement for your findings/recommendations section.

  • Criteria is an explanation of management goals and the standards use to evaluate the program, function, or activity audited.
  • Condition is how effectively department management is meeting goals and/or achieving standards. Goals can either be fully achieved, partially achieved, or not achieved.
  • Cause is a statement on the reason things have gone well or poorly. Possibilities include inadequate procedures, procedures not being followed, poor supervision, or unqualified employees.
  • Effect states the result of the conditions, in quantifiable terms. Is the effect increased risk or exposure? Is it monetary cost? Is it poor performance? This should be addressed when you cover effect. [10] X Research source

Step 3 Make effective recommendations.

  • Be positive. Focus on what is going right at the moment, and how the good aspects of the entity can be applied in ineffective areas.
  • Be specific. Be very clear as to what specific aspects do not adhere to protocol, and to what concrete steps could be potentially implemented to ensure compliance.
  • Identify who should act. Does the company need better employee performance or should management be picking up the pace? Make clear who needs to make changes.
  • Keep recommendations brief. Be succinct - only include details that are necessary to your point. [11] X Research source

Step 4 Follow proper format.

  • Include a cover page. The cover page should be three or four lines, and outline the subject of the audit report and the type of audit.
  • A memo should follow the cover page. The memo should be one or two short paragraphs overviewing who and what was audited, who has received or is receiving the report, and plans for future distribution.
  • A table of contents follows the memo, and it contains a catalogue of chapters, page numbers, sections, and suggestions of the audit.
  • The report should be written in plainly-worded, non-technical language and use proper grammar and paragraph organization.
  • Reports are organized by chapters, each with a title, and by sections and subsections, each marked with a heading. Headings should go from general to more specific. [12] X Research source

Audit Report Template

how to write a sample audit report

Expert Q&A

Video . by using this service, some information may be shared with youtube..

You Might Also Like

Write a Statistical Report

  • ↑ http://www.qualitydigest.com/june07/articles/05_article.shtml
  • ↑ https://www.cmu.edu/finance/audit-services/internal/types-of-audits.html
  • ↑ https://www.icaew.com/-/media/corporate/files/helpsheets/technical/aaf-guides/audit-report-disclaimer-of-opinion.ashx
  • ↑ https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101
  • ↑ https://audit.mit.edu/guidance-resources/what-expect/what-are-audit-ratings
  • ↑ https://financialcrimeacademy.org/reporting-recommendations-and-findings/
  • ↑ https://www.iiafiji.org/resources/bbc5020b-a5ab-4388-b633-83813515c797.pdf
  • ↑ https://www.anao.gov.au/work/performance-audit/implementation-audit-recommendations
  • ↑ https://www.wallstreetmojo.com/audit-report-format/

About This Article

Michael R. Lewis

To begin an audit report, write an "Introduction" that gives background information. Then, add a "Purpose and Scope Methodology" section that outlines your goals and explains what you included and excluded from your report. After this section, add your disclaimer, the "Statement on Auditing Standards," and end with your "Executive Summary." This summary should explain your findings, ratings, and any action that will be taken. Throughout the report, use concise language and bullet points. For tips from our Financial reviewer on what to include in different types of audits, keep reading! Did this summary help you? Yes No

  • Send fan mail to authors

Reader Success Stories

Deena Ross

Apr 26, 2019

Did this article help you?

Deena Ross

Zaitoon Akram

Jul 14, 2020

Shadreck Chitumbo

Shadreck Chitumbo

Jul 10, 2019

C. Reynolds-Relford

C. Reynolds-Relford

Jun 8, 2022

Goma Mosbah

Goma Mosbah

May 17, 2019

Am I a Narcissist or an Empath Quiz

Featured Articles

Ask Better Questions

Trending Articles

Everything You Need to Know to Rock the Corporate Goth Aesthetic

Watch Articles

Cook Fresh Cauliflower

  • Terms of Use
  • Privacy Policy
  • Do Not Sell or Share My Info
  • Not Selling Info

wikiHow Tech Help Pro:

Develop the tech skills you need for work and life

Audit Report Best Practices 2024

Vice Vicente

Vice Vicente

November 14, 2023

Audit Report Best Practices 2024

Writing a good audit report makes the difference in whether it communicates the message the audit team wanted to convey — and whether or not stakeholders read the report at all.  People, including auditors and company management, are overloaded with information and content on a daily basis. Everything wants our time, our eyes; wants us to read and take action — and an audit report needs to be well-crafted to make an impact above competing demands on attention.

An ineptly written audit report can miscommunicate the results of the audit. Imagine if an audit committee got the wrong picture of a company’s financial statements due to an ineptly written auditor’s report; or if a poorly reviewed report disclosed a material misstatement instead of a material weakness and that made it uncorrected to the Securities and Exchange Commission! These examples are perhaps hyperbolic, but meant to illustrate the importance of producing a good audit report that clearly states the purpose of the audit, the type of report, who performed the audit, and the audit opinion, among other key attributes.

A quality audit report that is written with the audience in mind, and that takes a human-centered approach produces more value for readers and motivates stakeholder action. It saves time across the board by being simple, digestible, and actionable. It’s the sign and core deliverable of a mature audit program. Elevate your next audit report using our tips and tricks on how to boost clarity and deepen impact.

A good audit report, whether it’s an external or internal audit report, doesn’t have to be thirty pages or more to be effective and drive outcomes — in fact, a one-page audit report can be the perfect format for certain initiatives. The level of detail included in an audit report should be enough for the audience to understand the context of the report, determine if the objective of the audit was met (or not), and prompt action on any recommendations or improvement opportunities from there. Executives may want less detail and a short, sweet summary of takeaways, while managers and process owners directly affected by the audit process may need and want to review results and recommendations in detail.

What Is Considered a Good Audit Report?

Tips for Writing an Effective Executive Summary

​​​​​​Different types of reports may need to follow designated templates provided by regulators, or used as a common best practice in the industry. Financial audits and audits of ICFR ( internal control over financial reporting) each fiscal year, for example, must be completed and documented by independent auditors for SOX compliance in accordance with Generally Accepted Accounting Principles (GAAP), and contain specific information and data points dictated by the legislation and the associated regulating bodies. Healthcare audits performed to evaluate compliance with HIPAA will incorporate the citations from the legislation and focus on protected health information (PHI). A good internal audit report should be one that clearly communicates the objectives, scope, and findings of an audit engagement, and in doing so, motivates its readers to take internal audit’s recommended actions. To an extent, what good looks like for audit reports will change depending on the type of report being produced. Still, there are some common themes that contribute to writing a great audit report that we’ll cover in this article.

How Do You Write a Good Audit Report?

A good audit report conveys a clear message to the reader, whether that’s an unqualified opinion or a list of expenditures that can be eliminated. Audit reports should be brief and to the point. Simplicity and specificity go the distance in business writing.The report should also steer clear of any jargon or confidential information, just in case it goes to external parties. Keeping the focus on the audience, and the report centered on the risks and control environment in the area that was audited will help you write a sophisticated audit report.

We’ve included one of our top resources on how to write a good audit report from our  Audit Management Playbook , 10 Best Practices for Writing a Digestible Audit Report,  and you can download the full Audit Management Playbook below.

10 Best Practices for Writing a Digestible Audit Report

​​​​​​Our Audit Management Playbook recommends 10 Best Practices for Writing a Digestible Audit Report, including:

  • Reference everything.
  • Include a reference section.
  • Use figures, visuals, and text stylization.
  • Contextualize the audit.
  • Include positive and negative findings.
  • Ensure every issue incorporates the five C’s of observations.
  • Include detailed observations.
  • Always perform a quality assurance check.
  • Avoid blame and state the facts.
  • Be as direct as possible.

In good writing, there always comes a good time to break the rules. If your audience needs a shorter report and you can’t incorporate all of these into your deliverable, don’t worry! As long as you’ve made an effort to tailor the report to your audience and have your detailed findings in your back pocket to support that report — you should be able to present your findings with confidence.

1. Reference Everything.

Citations are important! Avoid unverifiable claims and make sure to bridge any gaps of information by referencing where you obtained key facts and figures. Give your stakeholders the tools and opportunity to research and look into your findings themselves. Show that you know what you’re talking about in the compliance realm by referencing authoritative documents, calling out audit evidence, and providing insightful data.

2. Include a Reference Section.

To keep your report from getting too congested with references and citations from standards that may detract from the ultimate message, whether those standards are from the local government, an official .gov publication, or another organization, include a reference section in your report and use appendices to your advantage. Even the report for a single audit can benefit from a well-structured references section.

3. Use Figures, Visuals, and Text Stylization.

Use visuals to better convey your message — reports don’t have to be boring and drab. Circle or highlight the key points you want to convey, and employ font styling and color to draw attention to key facts and figures. Use tables or graphs to summarize key trends or important data wherever possible.

4. Contextualize the Audit

Report key statistics and contextual details as part of your audit report to give relevance to audit findings and keep stakeholders invested in the content. Presenting financial information, like the company’s liabilities balance, in a vacuum, means very little. Providing context around that value and illustrating how it relates to the company’s overall financial position gives considerably more value. From there, stakeholders might have a better idea of whether they need to reduce liabilities or have room to take on more debt.

5. Share Positives and Negatives

Audits and auditors get a bad rap for only ever bringing bad news to the table. Break the stereotype and give stakeholders something to smile about by including positive findings, as well as issues and gaps. It may seem trite, but highlighting the positives will encourage those habits, processes, and teams to continue doing the good work.

6. Ensure Every Issue Includes the 5 C’s of Observations.

Since issues and accompanying recommendations do make up some of the meat of an audit report, it is important to include sufficient detail when documenting and reporting on findings, gaps, or control deficiencies. As a guide for what details to include in the audit report, use the five “C’s” of recording observations: criteria, condition, cause, consequence, and corrective action plans (or recommendations).

7. Include Detailed Observations.

Although writing a good audit report involves keeping it short, sweet, and on target, there are circumstances that call for “zooming in” on specific observations or findings. Not every finding needs this treatment in the report, but you may find that some observations are complex, require additional resources to remedy, or need to be called out for some other reason. Having a section in the report for Detailed Observations that dive into a subset of issues and includes additional facts and figures is a great way of drawing readers’ attention to higher-priority items.

8. Always Perform a Quality Assurance Check.

Multiple reviews of an audit report that will be seen by management are recommended. Seek someone who does not have a direct connection to the audit so they can provide fresh eyes. If possible, ask someone from the department or function audited to review the report and provide feedback as well. Audit reports should only be finalized and delivered once the last level of review has been completed and any open comments are addressed.

9. Avoid Blame – State the Facts.

Aim to preserve the relationship with audit clients, especially if you are performing an independent audit as part of a CPA firm, by being as objective as possible and avoiding blame. Simply state issues, opinions, and recommended actions.

10. Be as Direct as Possible.

Avoid soft and indirect statements when making recommendations and opt for solid recommendations and calls to action instead. The reader will appreciate it.

2024 Focus on the Future Report

​​​​​​What Should Be in an Audit Report?

Content matters when learning how to write a good audit report. One way of looking at audit report contents is based on IIA Standard 2410 – Criteria for Communications. In these internal auditing standards, we are told what the report must and should contain. Since we are all working from the same or similar auditing standards, audit reports have a basic structure most internal auditors follow. An audit report generally includes the following elements:

  • Scope and objectives.
  • Results, Recommendations, and Action Plans.
  • Conclusions.
  • Audit opinion (if applicable).

Any audit report typically starts with a description of the scope and objectives of the audit initiative. This section of the report establishes what the audit was about, why the  audit risk areas mattered to management, and what the team included as part of the audit.

Next, the report details issues found in the results section and provides recommendations, and action plans for each of the issues noted.

The conclusion section of the report allows the audit team a chance to make comments that extend beyond the individual issues in the results section. The conclusion section is also where most reports include the internal auditor’s opinion. The end of the report is a good opportunity to include a positive note acknowledging areas where management did well.

Types of Audit Opinions

While not all audit reports involve the issuance of an audit opinion, several do require independent auditors to provide an opinion, such as financial statements and annual reports. There are four possible ways an auditor can opinion on these types of audits.

Image: Types of Audit Opinions

how to write a sample audit report

  • Unqualified Opinion – Results in an unqualified report, meaning that the auditor concludes that the company’s statements are represented fairly (in all material respects). This is the best outcome for an audit that requires an opinion.
  • Qualified Opinion – Results in a qualified report, meaning that the auditor has identified some areas where they cannot conclude that statements were represented fairly, and calls those areas out. This is a step down from an unqualified opinion, but preferable to the next two.
  • Adverse Opinion – Results in an adverse report, meaning that the auditor has detected a material misstatement and is issuing a negative opinion.
  • Disclaimer of Opinion – In these cases, the auditors are unable to obtain sufficient evidence to form a conclusion, and do not express an opinion whatsoever.

Audit Reporting Checklist

To elevate your next audit report, follow our  audit checklist on how to write a good audit report to make sure it clearly communicates the objectives, scope, and findings of an audit engagement — and in doing so,  motivates its readers to take internal audit’s recommended actions.

Audit Report Checklist

If your team is ready to make the move to a technology solution for managing risk and compliance, issuing high-quality audit reports backed by reliable data, and collaborating with teammates around the world, AuditBoard is the platform for you. Elevate your audit programs with OpsAudit  and start saving your organization time and overhead today.

Looking for more resources to take your internal audit team to the next level? Download the full in-depth Audit Management Playbook below and get more best practices, checklists, and tools for each stage of the audit lifecycle — planning, fieldwork, reporting, issue management , and scaling audit practices.

Fill out the form below to get your free guide.

The Audit Management Playbook

Frequently Asked Questions About Audit Reports

What is considered a good audit report.

A good audit report, is clear, only as long as it needs to be, digestible, actionable, and targeted to the audience.

What are the 4 types of audit reports?

The four types of audit report opinions that can be issued are: unqualified, qualified, adverse, and a disclaimer of opinion.

What are the components of a complete audit report?

The components of a complete audit report are: the audit opinion (if applicable), scope, objectives, results and recommendations, and audit conclusions.

Vice

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn .

Related Articles

how to write a sample audit report

  • Advisera Home
  • ISO in General

Partner Panel

ISO 9001 Documentation Toolkits

Iso 9001 training.

  • Documentation Toolkits
  • White Papers
  • Templates & Tools

Where to Start

New ai tool.

  • Live Consultations
  • Consultant Directory
  • For Consultants

Carlos Pereira da Cruz

Carlos Pereira da Cruz

  • Get Started

ISO-9001-blog

ISO 9001 Blog

Writing a good qms internal audit report.

Advisera Mark Hammar

In ISO 9001 , the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process? Many people who are not well versed in audits or the overall quality management system may not fully understand how important an audit report can be. Here is the information you need to know.

What is the importance of an audit report?

An audit report  is the official record of an audit – the only official record. All of the notes taken by the auditors, all of the comments made by employees during the audit, all of the information taken by the process owners during the audit, and all of the statements made at the closing meeting really don’t amount to anything official. If something is not recorded in the audit report, it doesn’t really count. Remember that it will not only be the people who were audited or were at the closing meeting that will read the audit report; these are also used in management review by people who were not part of the audit.

This is why the audit report from, e.g., a third-party certification body is so detailed; the report needs to record all the information necessary to detail any corrective actions needed and justify why your company is compliant with the ISO 9001 standard. The audit report needs to be the complete recorded evidence of all aspects of the audit. In many ways, an audit without a good report is not really an audit.

What should be in an audit report?

So, this brings up the question of what makes a good audit report. What needs to be included, and what should be eliminated? When looking at this, it is important to remember again that the audit report is the one official report of the audit, and therefore must stand on its own. The best practice for audit report content is included in ISO 19011, guidelines for quality and/or environmental management systems auditing. This may be overkill for a small company, and can be reduced if required, but it is a good start when considering what you want to include in your audit reports.

Here is a list from ISO 19011 of the seven items that should be included in an audit report:

  • Audit Objective – What was the purpose of the audit? Was this a regular audit of a process, or a follow-up on a corrective action? All audits are done to demonstrate compliance with the requirements, but was there anything else that was being done?
  • Audit Scope – What were the boundaries of the audit? If there is more than one manufacturing line using the process, how many were audited? Was a night shift or evening shift excluded?
  • Audit Client – Who was the process owner or owners that the audit was performed for?
  • Audit Dates and Places – It is important to be able to demonstrate the timeframe when all of your audits of the system take place. Also, for management review, it might be important to know the chronology of the audits that are being reviewed.
  • Audit Criteria – What were the processes audited against? For instance, this could be the ISO 9001 standard, internal company procedures & policies, or customer requirements.
  • Audit Findings – What are the results of the evidence found? Some companies discriminate between major findings (where there is a systemic failure) and minor findings (such as one or two mistakes that were made, but that were not universal), but this is not necessarily the case. Some companies include positive findings and best practices that can be shared throughout the organization in this section as well. It is important to include the audit evidence for these findings, such as the contract numbers that were reviewed, but leave out the names of people who were audited. The findings are about identifying corrective action, not assigning blame.
  • Audit Conclusions – What is the summary of the outcome of the audit? Were there too many findings to determine if the process was properly implemented? What is the assessment of the effectiveness of the QMS from this audit? For some busy executives who just want the summary of the audit, this might be the one and only thing they read in the report, leaving the details to the process specialists.

Additionally, ISO 19011 includes some optional items; the following could be applicable to an internal audit if deemed to be useful:

  • Audit Plan – This is the plan of who is auditing what processes, and when. For a large audit with multiple auditors, this can be useful.
  • Summary of Audit Process & Obstacles – This is especially important to include if there were some obstacles, such as scheduling for an absent process expert, which hindered the audit.
  • Any Areas not Covered – If you needed to exclude something you intended to cover, like a second shift, this should be noted for future reference.
  • Disagreement between Auditor and Auditee – If the process owner does not agree that the audit evidence presented is non-conforming, as specified by the auditor, then this should probably be noted in the report.
  • Opportunities for Improvement – Like the positive finding mentioned above, many companies will use recommendations for improvement as a way to document the cases when an auditor has identified something that is not non-conforming, but could be improved.
  • Agreed Follow-up Plans – If an agreement was made on how to address a non-conformance, recording it in the report can be helpful.

For more on using ISO 19011 to improve your internal audit process, see ISO 9001 internal audit in 13 steps using ISO 19011 .

An audit report should not include surprises

One final thing to note is that nothing in the report should come as a surprise to the auditees who read it. If information was not presented at the closing meeting, it should not find its way into the audit report. Use your audit report to document what happened in the audit, make it easy to understand, and you will find that your audit information will benefit your efforts to improve your QMS.

Click here to download the free white paper   Clause by clause explanation of ISO 9001  that will explain all the requirements for internal audit.

Banner image

You may unsubscribe at any time. For more information, please see our privacy notice .

The Auditor

An exemplar global publication.

  • Can Boeing Deliver a Long-Term Solution to their 737 MAX Problems?
  • AI management systems: What businesses need to know
  • Healthcare management: Delivering quality to the health industry
  • NIST Offers Guidance on Measuring and Improving Your Company’s Cybersecurity Program
  • Why prep before a walkthrough?
  • Risk and the 10th Edition of API Q1
  • IESBA Launches Public Consultation on New Ethical Benchmark for Sustainability Reporting and Assurance
  • Quality Is Not Just a Word We Use, Part One: What Is Quality?
  • The Scale of Success
  • When Auditors Cross the Line

Missing image

Writing Informative Audit Reports

Denise Robitaille

by Denise Robitaille

Audit reports are the product of audits. Without audit reports, audits are incomplete. The information contained in the audit reports will be used by others to make decisions that affect the entire organization. Audit reports provide insight into what processes and functions are working well, perceptions of risk, and identification of what has gone wrong. From these insights will flow corrective actions, preventive actions, lean initiatives, benchmarking activities, and an array of improvement projects.

Internal audits are essential inputs into the management review process. Some of the decisions that occur during strategic planning may be a direct result of audit findings. Therefore, what goes into the audit reports matters.

As with other chapters, the primary focus is internal auditing. However, it’s appropriate to make a brief comment about supplier audits. Any time an auditor conducts a supplier audit, it’s appropriate to send the supplier (or potential supplier) an audit report. It’s unfair to only send a list of requests for corrective action. The organization has extended you the courtesy of its time and deserves to experience the benefit of a complete assessment report. A supplier audit report contains information that will be used to decide whether the company will be added to the approved supplier list. Additionally, it may contain information about capacity, unique processes, or areas of concern that may need to be addressed either through corrective actions or through a joint improvement project with your organization.

The essential fact to keep in mind is that the audit report needs to be informative and it must provide value. It’s important to write a comprehensive audit report. The report doesn’t have to be lengthy, but it should convey a balanced summary of the status of the organization audited. It should mention good practices that have been observed, risks that have been perceived, and problems that have been identified.

The internal audit report should include the following information. (Again, supplier or third-party audits should contain comparable information.)

Date of the audit. When did the audit take place? This provides evidence that audits are being conducted in accordance with the established audit schedule. Frequent lapses in the schedule may be indicative of an erosion in the organization’s commitment to the internal auditing program. It might also reflect a problem in terms of resources. Are auditors being told by their supervisors that they can’t take time from their regular jobs? This might suggest a devaluation of the process by some middle managers. Or, it may simply be that there aren’t enough auditors in the audit pool and it’s impossible to get the audits done within the allotted time.

Another factor to consider is one of practicality. Auditing is an auditable quality management system (QMS) function. Your registrar or some other third-party assessor needs to verify that audits are being conducted in accordance with the plan and that audit conclusions are based on adequate objective evidence.

It’s also appropriate to record the duration of the audit. This helps top management get a clear picture of the resources that are being expended. How much time and money is the organization spending on internal auditing? This can be weighed against the cost-saving problem solving that resulted from good audit findings.

Areas audited. For an internal audit in a small company, this would be as simple as saying what departments were visited. However, a larger company could have an expansive campus with several buildings or multiple locations. In either of these cases, it’s important to record the location, especially if there are findings that the organization may wish to investigate further to see if they are localized or systemic. Conversely, if good practices are observed, it helps with being able to benchmark them later so that they can be applied in other parts of the organization. There’s also the possibility that an activity is conducted at more than one site so it would be important to ensure that the other sites are audited at a later date in the audit cycle.

Standard used. For a third-party audit, it’s a QMS standard such as ISO 9001, ISO/TS 16949, ISO 13485, etc. For internal audits, it’s usually a list of the internal documents associated with the functions and activities audited. Examples would include procedures and work instructions. In some organizations, the auditors are also asked to verify conformance to the applicable management system standard, so they would include reference to the applicable standard, for example ISO 9001:2008. When referencing the standard, it’s appropriate to include the revision year.

Lead auditor and audit team members. Every team has a lead auditor. If there’s only one auditor, that person is the lead auditor. That individual has the ultimate responsibility for generating the audit report. Other team members must be listed in the report, along with any technical experts who may have accompanied the team. They serve to provide very specific technical information that may exceed the knowledge of any of the auditors. These individuals generally aren’t used for internal audits unless the organization has some highly specialized processes.

Bearing in mind again that the audit process itself gets audited, having the names of the interviewees allows the auditor to confirm that none of the internal auditors audited their own work. When conducting surveillance audits I regularly ask what functions the auditors have in the company and compare them against the scope of the audits they have conducted.

Persons interviewed. This provides evidence that the persons who answered questions were actually the process owners who have responsibility for the activity. It’s not uncommon for people to try to be helpful and answer an auditor’s question even if it’s not part of their regular job. Sometimes the auditor finds out too late that he or she wasn’t speaking to the right person. During a closing meeting you may hear a manager say something like, “Francine doesn’t take care of patient intake, so she wouldn’t know where those forms are kept.” As awkward as it is for the auditor, it’s best to find out even this late in the process, so that corrections can be made and unwarranted findings of nonconformance can be removed.

Recording the names of persons interviewed helps auditors provide objective evidence that they’ve fulfilled the requirements of the auditing process.

Good points. An audit isn’t an attempt to amass a collection of bad events. Therefore, an audit report should also mention good points that were observed. “A newly developed software program is facilitating communication between departments on new projects,” “The records show evidence that operators have had training on the ERP system that was introduced three months ago,” or “The corrective action tracking system is better able to calculate the cost of nonconformities and the money saved when problems are solved.” These are all examples of positive comments an auditor might have observed. They serve as an objective indication that resources allocated are showing return on investment.

It’s also nice to acknowledge accomplishments and success stories. People are so accustomed to only hearing about the dreaded “NCs” that they don’t want to read the audit reports—much less appreciate them as opportunities to make things better. It’s gratifying to hear: “Well done.”

Observations (also called opportunities for improvement and often abbreviated OFI). It’s appropriate for auditors to make statements about perceptions of risk or the identification of a process that may not be controlled as well as it should be to prevent problems. They shouldn’t specifically say something is wrong, but they should intimate what might go wrong. Examples might include: “It was observed that the router for fast-turnaround jobs does not provide adequate instruction for certain steps, which could result in errors and defective products needing to be reworked” or “Nonconforming material waiting to be scrapped is stored in close proximity to customer property. Even though the material is tagged, there is a risk of the customer product being accidentally discarded.” Again, in each example, there is no nonconformance. There is, however, the risk that something could easily happen which could result in a problem or nonconformance.

Nonconformities . ISO 9000:2005—Fundamentals and vocabulary—defines a nonconformity as: “a nonfulfillment of a requirement.” When writing up findings of nonconformity, it’s important to be clear and complete. What is the actual nonconformity? What is the requirement? What evidence did you use to conclude that there was a nonconformity?

Let’s take each one of these in turn.

What is the nonconformity? This should be a clear, unbiased statement of fact. For example, “The inspection records provide evidence that material was accepted that exceeded the allowable tolerance range” or “There are no records to provide evidence that the report was reviewed by an authorized reviewer before being sub-mitted to the client.” Note that in neither case is there an accusatory tone or assignment of blame. In neither finding is it stated that a specific individual did something wrong. It’s important to refrain from using people’s names when writing up a finding of nonconformity. Also, remember that you can’t report what you have not observed. It would not be appropriate to say: “Michael passed material through that was out of spec” or “The report wasn’t reviewed.” You didn’t see the operator accept defective product and you don’t know that the report wasn’t reviewed, only that there’s no record.

It’s important to be starkly factual. It’s possible that there was an engineering deviation issued and so the issue isn’t with Michael, but with the function that was responsible for providing the record of the deviation. And, the report could have been reviewed and approved using a new electronic signature that hasn’t yet been documented in the procedure. In both cases, something isn’t right. The manner in which you write it up will determine if they’ll chock it up to “operator error” and “re-train the operator.” Or, if someone will ask why there was an error and look for the true cause, thereby preventing recurrence—or escalation to a more serious occurrence next time.

This isn’t the time to suggest solutions or to presume to know the cause. The statement should not include language that says, “We should try doing this ______” or “Because the document revisions weren’t distributed…” The audit is an objective factual ac-count. What ensues from the audit report is up to someone else.

What is the requirement? It’s inappropriate—wrong, actually—to write up a finding of nonconformity that can’t be tied to a requirement. Without a requirement, all an auditor has is something he or she doesn’t like—and it’s irrelevant to the audit report. This justifies the finding. For the first example, the requirement is found in the customer specification. When citing a document, the auditor must be specific. The statement of requirement might read: “Drawing 7878993, Rev. F, calls out a tolerance of 9.75″ +/- 0.005″.The records indicate that the parts accepted measured 9.68.” For the second example: “Procedure 8.2.4, Rev. C, specifies in section 7.7 that all reports must be reviewed by a second independent reviewer and that the reviewer must sign and date the last page of the report.” Details like revision levels are also important. They sometimes shine a light on the fact that people don’t have the right information—steering the investigation away from the unfortunate and ubiquitous “operator error” root cause.

Having specific information as to the requirement provides several benefits. It demonstrates why there is a nonconformance. This, in turn, dispels any confrontations as to the legitimacy of the finding. And, finally, it helps to launch the root cause analysis when it comes time to investigate the problem.

What is the evidence? The third factor to include is the evidence that substantiates the finding. For the first it would be Inspection Report #15549 from August 30; for the other it would be the Service Report #546 from September 15. This reinforces the justification for the finding and also facilitates the root cause analysis process.

An additional factor can be added if it’s deemed appropriate. I call it the “So What?” factor. This is a brief statement of the reason this problem needs to be addressed. With both of the examples given it would be appropriate to say that the risk is that customers will get defective product. Other concerns might include timely rework or possible regulatory action.

For most audit reports there should be fewer findings of nonconformity than good things or opportunities for improvement.

The last thing to put into the report would be the results of any verification of open corrective actions. This can relate back to earlier statements about improvements that have been observed. Because the audit function owns responsibility for ensuring action is taken on audit findings, this efficient method serves to close the loop on previous audits.

The auditor’s working papers (checklist, notes, samples, and closed out corrective actions) should be either appended to the report or available for review.

Following these basic audit practices should ensure that the information management gets is accurate, reflects the status of the organization, and is detailed enough so that it results in good decisions. This is what makes audits effective. Anything less is a meaningless paper shuffle.

About the author

Denise Robitaille is a member of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is committed to making your quality system meaningful. Through training, Robitaille helps you turn audits, corrective actions, management reviews, and processes of implementing ISO 9001 into value-added features of your company. She’s an Exemplar Global-certified lead assessor, ASQ-certified quality auditor, and ASQ Fellow. She’s the author of numerous articles and several books, including The Corrective Action Handbook , The Preventive Action Handbook , and her newest book, 9 Keys to Successful Audits , all published by Paton Professional .

Leave a Reply Cancel Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

how to write a sample audit report

How to write an internal audit report for ISO 27001

business,marketing,team,discussion,corporate,concept

As part of the management system requirements, Clause 9.2 details what must be done regarding internal audits. This includes a requirement for retaining documented evidence of the audit results, and this is done by way of an audit report.

What is an ISO 27001 internal audit?

An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that:

  • The requirements of the standard are met,
  • The organisation’s own information requirements and objectives for the ISMS are met,
  • The policies, processes, and other controls are effective and efficient.

In addition to the overall compliance and effectiveness of the ISMS, as ISO 27001 is designed to enable an organisation to manage it’s information security risks to a tolerable level, it will be necessary to check that the implemented controls do indeed reduce risk to a point where the risk owner(s) are happy to tolerate the residual risk.

Internal Audit For ISO 27001 Requirement 9.2

Clause 9.2 Internal audit mandates:

“The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to

  • the organization’s own requirements for its information security management system; and
  • the requirements of this International Standard;

b) is effectively implemented and maintained.

The organization shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management; and

g) retain documented information as evidence of the audit programme(s) and the audit results.”

how to write a sample audit report

Achieve your first ISO 27001

Download your free guide to fast and sustainable certification

Get your free guide

Your ultimate guide to first-time ISO 27001 success

Achieve ISO 27001 first-time

We just need a few details so that we can email you your guide to achieving ISO 27001 first-time

Download your free guide now and if you have any questions at all then Book a Demo or Contact Us . We’ll be happy to help.

How do ISO 27001 internal audits work?

Internal audits for ISO 27001 work by following an audit programme that identifies the audits to be carried out before certification and during each certification period.

They require the selection of a competent and objective auditor to undertake each internal audit verifying compliance with the requirements of the standard, the organisation’s own information requirements and objectives for the ISMS, and that the policies, processes, and other controls are effective and efficient.

Activities included within an internal audit:

Documentation review

  • Evidential sampling
  • Interviewing staff with key information security responsibilities
  • Interviewing other staff (and possibly contractors)
  • Assessing the findings
  • Writing the audit report.

How often do I need to conduct an audit?

Whilst it is not clear within ISO 27001 itself as to how often you must perform internal audits. It is expected that the audit programme follows the same requirements as those placed upon the certification bodies for conducting their audits following ISO/IEC 27006:2015 – Requirements for bodies providing audit and certification of ISMSs.

Within ISO 27006 requirement 9.1.5.2 e, states that the audit programme “covers representative samples of the scope of the ISMS certification within the three year period.”

Therefore, you need to conduct internal audits covering the entire standard, at minimum, over the certification period (3 years for UKAS accredited certificates).

You could do this as a single audit, but it is more commonly broken down into smaller audits over the 3-year period.

It is also important to audit some areas more frequently if the risk levels are high or the area is subject to frequent changes.

It’s recommended that you audit the management system requirements (Clauses 4-10) annually. This can be tied into your ISMS management review, which also has to be conducted annually.

Within ISMS.online, we provide a pre-built Audit Programme work area which includes:

  • Activities for 2 recommended audits before certification
  • A plan of internal audits for the first 3-year certification period
  • Placeholders for your external certification and periodic audits

We make achieving ISO 27001 easy

Get a 77% headstart.

Our ISMS comes pre-configured with tools, frameworks and documentation you can Adopt, Adapt or Add to. Simple.

Your path to success

Our Assured Results Method is designed to get you certified on your first attempt. 100% success rate.

Watch and learn

Forget about time consuming and costly training. Our Virtual Coach video series is available 24/7 to guide you through.

Book your demo

Why do I need to create a report for an internal audit?

The standard requires you to document the audit results – Clause 9.2 of ISO 27001 includes the requirement to “retain documented information as evidence of the ……… audit results”.

This is done within an Audit Report.

What needs to be done when preparing the report?

Obviously, before you can document the audit report, you have to plan and carry out the audit. You can then document the findings in the report.

Get started with your ISO 27001 audit plan

For each audit, you will need to plan:

  • What the audit is going to cover – which section(s) of the standard, locations, business processes etc
  • Who the auditor will be – must be competent and objective.
  • When the audit is conducted, it must not have a significant, adverse impact on the organisation’s operation.
  • The method(s) of audit – documentation review, sampling, interviews etc
  • Who will need to be involved in the audit?

Every audit will require the review of relevant documentation, including policies, procedures, standards, and guidance relevant to the area(s) of the standard being audited. It is good practice to advise those being audited of the areas to be covered to ensure easy and timely access to the relevant documentation.

In ISMS.online, this is made easy by either having the documentation within the system or linking it within the standard’s relevant section.

Evidential sampling & interviews

Most audits will require the sampling of evidence to a lesser or greater degree. This may include interviewing relevant key staff, end users, and sometimes even temporary staff and contractors.

Sources for sampling may include, for example:

  • Interviews with employees and other persons
  • Observations of activities and the surrounding work environment and conditions
  • Documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts and orders
  • Records, such as inspection records, minutes of meetings, audit reports, records of the monitoring programme and the results of measurements
  • Data summaries, analyses, and performance indicators
  • Information on the auditee’s sampling plans and the procedures for the control of sampling and measurement processes
  • Reports from other sources, e.g. customer feedback, external surveys and measurements, additional relevant information from external parties and supplier ratings
  • Databases and websites
  • Simulation and modelling
ISMS.online will save you time and money towards ISO 27001 certification and make it simple to maintain.

Information Security Manager, Honeysuckle Health

Book a demo

Once the data gathering for the audit has been done, it will be necessary for the auditor to assess and analyse the findings to determine any nonconformities or opportunities for improvement.

Findings are normally categorised as one of the following:

  • Major nonconformity
  • Minor nonconformity
  • Opportunity for improvement

Some certification bodies also use:

  • Observation – where there are early indications a minor nonconformity may exist or may develop if no action is taken.
  • Positive point – awarded either where an organisation has gone beyond recognised good practice or where there has been significant improvement in an area since the previous audit.

Having analysed the findings, the audit report can now be prepared and presented to the person or team responsible for the ISMS for review and follow-up.

How is an internal audit report prepared?

The audit report must be prepared as documented information , but this doesn’t mean it has to be a separate Word or PDF document. Within the ISMS.online platform , we try to encourage the avoidance of creating such documents but instead provide a work area in which the report can be directly documented. This area offers additional functionality including the ability to easily link to other work areas, policies, controls, risks, corrective action and improvement “tickets”, and more.

Create an executive summary

The executive summary is useful so that senior management can quickly and easily see an overview of the findings, including any possible critical issues, trends, and opportunities for improvement. This can then be easily linked to the ISMS management review following Clause 9.3 .

This will usually include:

  • A general overview of the operation of the areas of the ISMS covered in the audit.
  • A numerical summary of the categories of findings.
  • The highlighting of any urgent/critical findings.
  • A brief description of the next steps to be taken to address any findings.

Introduce terminology used

To ensure a common understanding of the report’s findings, it is necessary to include the definitions of some terminology used that is either specific to the organisation, the audit process, or the standard. Remember, not all who may need to read, assess and understand the report, will necessarily understand all of the terminology used.

Describe the Audit Plan

This will include:

  • The scope of the audit – area(s) to be covered, locations, staff, business processes etc
  • The name of the auditor(s)
  • The dates, times and locations of the audit

Describe facts found

For each section of the audit, you should document the findings, including notes of any evidential samples taken.*

It is good practice to record compliance and positive points and document any nonconformities or opportunities for improvement.

The findings should record the facts found relevant to the ISMS and the standard and should not include opinion or conjecture beyond reasonable extrapolation.

*Note – if evidential samples contain personally identifiable information , it is usual practice to pseudonymise or anonymise the data in line with privacy legislation requirements such as GDPR.

Document nonconformities and opportunities for improvement

Where nonconformities and opportunities for improvement are identified, these must be clearly documented so that corrective actions and improvement items can be recorded and managed through the organisation’s recognised processes as documented in accordance with Clause 10.1 Nonconformity and corrective action; and 10.2 Continual improvements.

Describe recommendations

As this is an internal audit report, it is allowable for an auditor to make recommendations about how an organisation might address findings. Ultimately the decisions relating to corrective actions and improvements must be made by the relevant individuals or teams responsible for the ISMS and information security.

how to write a sample audit report

See our platform features in action

A tailored hands-on session based on your needs and goals

How ISMS.online makes reporting easy

The ISMS.online platform dispenses with the need for creating Word documents, PDFs and spreadsheets by providing an all-in-one-place solution for easily documenting and linking all aspects of the ISMS, including the documentation of audit reports.

ISMS.online includes a pre-built audit programme project that covers both internal and external audits.

The pre-built audit programme includes:

Each internal audit activity contains a template for a combined audit plan and report.

Prior to conducting the audit, the template acts as the audit plan – including which areas are to be audited and providing prompts for recording when the audit will be conducted and by whom.

During or after conducting the audit, the auditor can write notes directly into the templated audit activity.

As well as simply providing the audit activity templates, ISMS.online provides the ability to quickly link to other work areas within the platform which means that linking audit findings to controls, corrective actions and improvements, and even to risks is made easy and accessible. This will enable you to easily demonstrate to your external auditor the joined-up management of identified findings.

Need help with your ISO 27001 audit?

Contact us , and we can provide support.

ISMS.online makes setting up and managing your ISMS as easy as it can get.

The proven path to ISO 27001 success

Perfect policies & controls.

Easily collaborate, create and show you are on top of your documentation at all times

Simple Risk Management

Effortlessly address threats & opportunities and dynamically report on performance

Measurement & Automated Reporting

Make better decisions and show you are in control with dashboards, KPIs and related reporting

Audits, Actions & Reviews

Make light work of corrective actions, improvements, audits and management reviews

Mapping & Linking Work

Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers

Easy Asset Management

Select assets from the Asset Bank and create your Asset Inventory with ease

Fast, Seamless Integration

Out of the box integrations with your other key business systems to simplify your compliance

Other Standards & Regulations

Neatly add in other areas of compliance affecting your organisation to achieve even more

Staff Compliance Assurance

Engage staff, suppliers and others with dynamic end-to-end compliance at all times

Supply Chain Management

Manage due diligence, contracts, contacts and relationships over their lifecycle

Interested Party Management

Visually map and manage interested parties to ensure their needs are clearly addressed

Strong Privacy & Security

Strong privacy by design and security controls to match your needs & expectations

« What is involved in an ISO 27001 audit?

How to conduct your iso 27001 management review ».

ISMS.online launches Mobile Policy Packs. Click here to find out more

You are using an outdated browser. Please upgrade your browser or activate Google Chrome Frame to improve your experience.

  • Patient safety and quality improvement
  • Conducting a clinical audit

Writing a clinical audit report

It is recommended that you structure your audit report in the following way:

Title:  Give your audit a title that describes what is being audited.

Background:  Provide rationale for topic selection and include background information that is essential to understanding a process or problem.

Aim and objectives:  The aim describes what you want to achieve. The objectives describe what you are going to measure to show that your aim has been met.

Standards:  You must detail the standards used to compare your practice against. Where possible, published national, regional or local standards should be used.

Method:  Describe what data was collected, how it was collected and how it was analysed.

Results/conclusion:  Describe what the data tells you about current practice.

Recommendations:  Describe any suggestions for improvement.

Action plan:  Make an action plan from the recommendations with responsibilities for action and a timescale for implementation. Identify who will implement the action plan and provide a re-audit date.

Plan the reaudit:  Set a timescale for a reaudit (not before changes have been made). The reaudit should use the same design as the audit but you only need to reaudit standards where changes have been made (unless the changes may have affected other standards).

When completed, write up the details of the reaudit in the same manner.

U.S. flag

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Incident Response Plan (IRP) Basics

This factsheet provides an overview of an Incident Response Plan and how it should be implemented before, during, and after a cybersecurity incident. 

Resource Materials

Related resources, cisa gateway digital library, secure by design alert: security design improvements for soho device manufacturers, guidance on assembling a group of products, sbom community legal explanation.

how to write a sample audit report

Example prompts to try with Microsoft Copilot with Graph-grounded chat

Experience the power of Get started with Microsoft Copilot with Graph-grounded chat  (formerly named Microsoft 365 Chat). See how much time you can save and how much more you can get done. Use Microsoft Copilot to catch up, create content, and ask questions. This article provides several example prompts you can try.

Tip:  When you’re giving Copilot instructions, you can direct it to specific work content by using the forward slash key (“/”), then typing the name of a file, person, or meeting.  If you write a prompt and don’t reference a specific file, person, or meeting, Copilot will determine the best source of data for its response, including all your work content.

Synthesize large amounts of data into simple, consumable responses and catch up on things quickly. Here are some examples:

You've been on vacation now you're back. You need to find out what's going on with Project X. Find the latest about Project X. What's the current timeline? When are deliverables due?

You've just joined a new team and you're trying to ramp up on recent activities. Summarize team communications over the last 30 days. What are the team's priorities? 

There's been a recent change in how your team is tracking work. Find information about the new way our team is tracking work. Include email communications and points of contact for questions.

Create content

Brainstorm ideas and draft new content based on information at work. Here are some examples:

You want to draft a one-page description of a new project (let's call it Project Foo) that's just about to kick off at work. Using information in file1, file2, and file3, write a one-page description of Project Foo. Write it so non-technical people can understand what the project is about and when it's scheduled to be completed.

You're preparing an email to invite customers to attend an upcoming conference and visit your company's booth. Using information in Document Z, write a fun, catchy email inviting our customers to come see us at our booth during next month's conference.

You want to plan a morale event for your team. List 3-5 ideas for group activities in the Seattle area that would be suitable for my team. Include approximate cost and time estimates. 

Ask questions

Find information and get answers quickly, even if you can't remember where the information you need is or how it was shared. Here are some examples:

You need to know what's left in the budget for supplies. How much did we spend on supplies for Project Foo?  How much budget do we have left for Project Foo?

Your team received customer feedback. You want to identify the top things your team should address. Review the feedback we received from customers via email last week. What are the top three issues we should address?

Overview of Microsoft Copilot with Graph-grounded chat

Use Copilot at Microsoft365.com

Use Copilot in Teams

Use Copilot at Bing.com

Facebook

Need more help?

Want more options.

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

how to write a sample audit report

Microsoft 365 subscription benefits

how to write a sample audit report

Microsoft 365 training

how to write a sample audit report

Microsoft security

how to write a sample audit report

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

how to write a sample audit report

Ask the Microsoft Community

how to write a sample audit report

Microsoft Tech Community

how to write a sample audit report

Windows Insiders

Microsoft 365 Insiders

Was this information helpful?

Thank you for your feedback.

Four full and one empty heparin tubes and a butterfly needle arrayed on a checklist of blood test measurements

What do your blood test results mean? A toxicologist explains the basics of how to interpret them

how to write a sample audit report

Professor of Chemical and Biological Engineering, Biomedical Engineering, and Public Health, Colorado State University

Disclosure statement

Brad Reisfeld does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Colorado State University provides funding as a member of The Conversation US.

View all partners

Your blood serves numerous roles to maintain your health. To carry out these functions, blood contains a multitude of components, including red blood cells that transport oxygen, nutrients and hormones; white blood cells that remove waste products and support the immune system; plasma that regulates temperature; and platelets that help with clotting.

Within the blood are also numerous molecules formed as byproducts of normal biochemical functions. When these molecules indicate how your cells are responding to disease, injury or stress, scientists often refer to them as biological markers, or biomarkers . Thus, biomarkers in a blood sample can represent a snapshot of the current biochemical state of your body, and analyzing them can provide information about various aspects of your health.

As a toxicologist , I study the effects of drugs and environmental contaminants on human health. As part of my work, I rely on various health-related biomarkers, many of which are measured using conventional blood tests.

Understanding what common blood tests are intended to measure can help you better interpret the results. If you have results from a recent blood test handy, please follow along.

Normal blood test ranges

Depending on the lab that analyzed your sample, the results from your blood test may be broken down into individual tests or collections of related tests called panels . Results from these panels can allow a health care professional to recommend preventive care, detect potential diseases and monitor ongoing health conditions.

For each of the tests listed in your report, there will typically be a number corresponding to your test result and a reference range or interval . This range is essentially the upper and lower limits within which most healthy people’s test results are expected to fall.

Sometimes called a normal range, a reference interval is based on statistical analyses of tests from a large number of patients in a reference population . Normal levels of some biomarkers are expected to vary across a group of people, depending on their age, sex, ethnicity and other attributes.

So, separate reference populations are often created from people with a particular attribute. For example, a reference population could comprise all women or all children. A patient’s test value can then be appropriately compared with results from the reference population that fits them best.

Reference intervals vary from lab to lab because each may use different testing methods or reference populations. This means you might not be able to compare your results with reference intervals from other labs. To determine how your test results compare with the normal range, you need to check the reference interval listed on your lab report.

If you have results for a given test from different labs, your clinician will likely focus on test trends relative to their reference intervals and not the numerical results themselves.

Interpreting your blood test results

There are numerous blood panels intended to test specific aspects of your health. These include panels that look at the cellular components of your blood, biomarkers of kidney and liver function, and many more.

Rather than describe each panel, let’s look at a hypothetical case study that requires using several panels to diagnose a disease.

In this situation, a patient visits their health care provider for fatigue that has lasted several months. Numerous factors and disorders can result in prolonged or chronic fatigue.

Based on a physical examination, other symptoms and medical history, the health practitioner suspects that the patient could be suffering from any of the following: anemia, an underactive thyroid or diabetes.

Close-up of a person holding gauze against the crook of their arm while another person holds up two heparin tubes of blood

Blood tests would help further narrow down the cause of fatigue.

Anemia is a condition involving reduced blood capacity to transport oxygen. This results from either lower than normal levels of red blood cells or a decrease in the quantity or quality of hemoglobin , the protein that allows these cells to transport oxygen.

A complete blood count panel measures various components of the blood to provide a comprehensive overview of the cells that make it up. Low values of red blood cell count, or RBC, hemoglobin, or Hb, and hematocrit, or HCT, would indicate that the patient is suffering from anemia.

Hypothyroidism is a disorder in which the thyroid gland does not produce enough thyroid hormones. These include thyroid-stimulating hormone, or TSH, which stimulates the thyroid gland to release two other hormones: triiodothyronine, or T3, and thyroxine, or T4. The thyroid function panel measures the levels of these hormones to assess thyroid-related health.

Diabetes is a disease that occurs when blood sugar levels are too high. Excessive glucose molecules in the bloodstream can bind to hemoglobin and form what’s called glycated hemoglobin, or HbA1c. A hemoglobin A1c test measures the percentage of HbA1c present relative to the total amount of hemoglobin. This provides a history of glucose levels in the bloodstream over a period of about three months prior to the test.

Providing additional information is the basic metabolic panel, or BMP , which measures the amount various substances in your blood. These include:

  • Glucose, a type of sugar that provides energy for your body and brain. Relevant to diabetes, the BMP measures the blood glucose levels at the time of the test.
  • Calcium, a mineral essential for proper functioning of your nerves, muscles and heart.
  • Creatinine, a byproduct of muscle activity.
  • Blood urea nitrogen, or BUN, the amount of the waste product urea your kidneys help remove from your blood. These indicate the status of a person’s metabolism, kidney health and electrolyte balance.

With results from each of these panels, the health professional would assess the patient’s values relative to their reference intervals and determine which condition they most likely have.

Understanding the purpose of blood tests and how to interpret them can help patients partner with their health care providers and become more informed about their health.

  • Blood cells
  • Diagnostic tools
  • Diagnostics
  • Laboratory tests
  • Medical test
  • Lab testing

how to write a sample audit report

Lecturer / Senior Lecturer - Business Law & Taxation

how to write a sample audit report

Newsletters and Social Media Manager

how to write a sample audit report

Industrial Officer (Senior)

how to write a sample audit report

Supply Chain Management – Open Rank (Tenure-Track)

how to write a sample audit report

RESEARCH SUPPORT OFFICER

U.S. Department of the Treasury

Treasury publishes 2024 national risk assessments for money laundering, terrorist financing, and proliferation financing.

Reports Confirm and Update Key Illicit Finance Concerns in Response to Evolving Threat and Risk Environment 

WASHINGTON –  Today, the U.S. Department of the Treasury published the 2024 National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. These reports highlight the most significant illicit finance threats, vulnerabilities, and risks facing the United States. 

The reports detail recent, significant updates to the U.S. anti-money laundering/counter-financing of terrorism framework and explain changes to the illicit finance risk environment. These include the ongoing fentanyl crisis, foreign and domestic terrorist attacks and related financing, increased potency of ransomware attacks, the growth of professional money laundering, and continued digitization of payments and financial services. These assessments also address how significant threats to global peace and security—such as Russia’s ongoing illegal, unprovoked, and unjustified war in Ukraine and Hamas’s October 7, 2023 terrorist attacks in Israel—have shaped the illicit finance risk environment in the United States.

Today’s publications are the fourth iterations of the money laundering and terrorist financing risk assessment, and the third update of the proliferation financing risk assessment, in less than a decade. The public and private sectors can use these updated risk assessments to better understand the current illicit finance environment and inform their own risk mitigation strategies. 

“Whether it’s terrorism, drug trafficking, Russian aggression, or corruption, illicit finance is the common thread across our nation’s biggest national security threats,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury, through our National Risk Assessments, is at the cutting edge of analyzing the global risk environment to protect the U.S. and international financial systems from abuse by illicit actors. We urge both the public and private sectors to engage with these reports, as well as our forthcoming National Strategy for Combatting Terrorist and Other Illicit Finance.”

Key findings:

  • Money Laundering : Criminals use both traditional and novel money laundering techniques, depending on availability and convenience, to move and conceal illicit proceeds and promote criminal activity that harms Americans. The crimes that generate the largest amount of illicit proceeds laundered in or through the United States remain fraud, drug trafficking, cybercrime, human trafficking and human smuggling, and corruption. The United States continues to face both persistent and emerging money laundering risks related to: (1) the misuse of legal entities; (2) the lack of transparency in certain real estate transactions; (3) the lack of comprehensive AML/CFT coverage for certain sectors, particularly investment advisers; (4) complicit merchants and professionals that misuse their positions or businesses; and (5) pockets of weaknesses in compliance or supervision at some regulated U.S. financial institutions. 
  • Terrorist Financing : The United States continues to face a wide range of terrorist financing threats and actors, both foreign and domestic. Consistent with the 2022 risk assessment, the most common financial connections between individuals in the United States and foreign terrorist groups entail individuals directly soliciting funds for or attempting to send funds to foreign terrorist groups utilizing cash, registered money services businesses, or in some cases, virtual assets. The 2024 report also discusses Hamas and the ways they exploit the international financial system, including through solicitation of funds from witting and unwitting donors worldwide. Additionally, domestic violent extremist movements have proliferated in recent years, posing an elevated threat to the United States and continued challenges for law enforcement.
  • Proliferation Financing : Russia and the Democratic People’s Republic of Korea (DPRK) presented heightened risk since the 2022 assessment. To support its unlawful war in Ukraine, Russia has expanded efforts to illegally acquire U.S.-origin goods with military applications using a variety of obfuscation techniques, such as the use of front companies and transshipment points around the world. Networks linked to the DPRK increasingly exploit the digital economy, including through hacking of virtual asset service providers and the overseas deployment of fraudulent information technology workers.

Treasury’s Office of Terrorist Financing and Financial Crimes led the assessment process and coordinated closely with offices and bureaus across the Department, relevant law enforcement and regulatory agencies, staff of the federal functional regulators, and across the intelligence and diplomatic communities.

In the coming weeks, Treasury will release the 2024 National Strategy for Combatting Terrorist and Other Illicit Finance, a strategic plan directly informed by the analysis contained in the risk assessments. In the strategy, Treasury will share recommendations for addressing the highlighted issues. This valuable feedback has aided Treasury in assessing and addressing illicit finance risk identified in prior iterations of the strategy to support improvements to the AML/CFT regime, including the launching of the new beneficial ownership reporting requirement that went into effect on January 1, 2024, and informing forthcoming proposed rules to address illicit finance vulnerabilities in the residential real estate sector and for certain investment advisers.

The 2024 National Money Laundering Risk Assessment

The 2024 National Terrorist Financing Risk Assessment

The 2024 National Proliferation Financing Risk Assessment

IMAGES

  1. 50 Free Audit Report Templates (Internal Audit Reports) ᐅ TemplateLab

    how to write a sample audit report

  2. FREE 14+ Internal Audit Report Templates in PDF

    how to write a sample audit report

  3. FREE 32+ Sample Audit Reports in PDF

    how to write a sample audit report

  4. 50 Free Audit Report Templates (Internal Audit Reports) ᐅ TemplateLab

    how to write a sample audit report

  5. Internal Audit Report

    how to write a sample audit report

  6. Audit Report

    how to write a sample audit report

VIDEO

  1. INTERNAL AUDIT REPORT

  2. AUDIT SESSION 6

  3. Video:-3 Audit Report Vs. Audit certificate

  4. Audit clerk interview questions and answers ✅ how well do you perform Under pressure? @NASARTALK

  5. How to Study, Write & Score in AUDIT

  6. Accrual Accounting Reports

COMMENTS

  1. PDF Audit Report Writing Toolkit

    1.1 Develop a template for contractors to use for submitting the annual itemized revenue report that would include all revenue, especially concessions and sponsorships. 1.2 Review the annual itemized revenue report submitted by the contractor to ensure completeness and reasonableness of amounts reported.

  2. How to Write an Audit Report: 14 Steps (with Pictures)

    1 Understand the basic goals of all audit reports. Before delving into the specifics of writing an audit report, it is important to have a broad view of the major objectives of all audit reports. Having these in mind as you delve into the technicalities of writing a report will make sure your report does what it is supposed to do.

  3. Compiling a Useful Audit Report: Best Practices

    How Do You Write a Good Audit Report? A good audit report conveys a clear message to the reader, whether that's an unqualified opinion or a list of expenditures that can be eliminated. Audit reports should be brief and to the point.

  4. 16 Free Audit Report Templates & Examples (Internal Audit Reports)

    Audit Report Templates & Examples #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12 #13 #14 #15 #16 When Do You Need an Audit Report? The audit report templates feature three developed paragraphs.

  5. Sample Format of an Audit Report with Examples

    Audit Report Format is the standardized format prescribed by the concerned authority using which an independent auditor, as appointed by the company in this regard, gives its views and comments on the company's financial condition and internal accounting after analysis of the various documents of the company. What is the Format of the Audit Report?

  6. PDF Beginner's Guide to Audit and Audit Reports Audit

    GAAS provide guidance on the objectives and general principle governing an audit of financial statements. Various GAAS frameworks exist, comprising a set of systematic guidelines used by auditors when conducting audits, ensuring the accuracy, consistency and verifiability of auditors' actions and reports. The principal frameworks recognised ...

  7. Appendix II: Example Template for An Audit Summary Report

    EXAMPLE TEMPLATE FOR AN AUDIT SUMMARY REPORT INTRODUCTION At the completion of the audit, the findings need to be reviewed, organized, and presented in a coherent format that can be circulated and reviewed by management as well as other individuals within the organization. The output of this process is the audit summary report (ASR).

  8. Audit Report Toolkit

    ep-0027 Toolkit includes: Writing an Audit Report, Keys to Report Writing, and Audit Report Template

  9. Writing an Impactful Audit Report: 6 Tips for Being More Persuasive

    1. Keep It Short If you've taken a look at the U.S. Justice Department inspector general's (IG's) report on how federal officials handled the investigation of Hillary Clinton's use of a private email server while secretary of state, you'll see it is strikingly different from the average internal audit report.

  10. PDF A guide to

    When writing a report there are five key areas which you should always consider: What is the purpose of the report? Who will read it? How to start. The report structure. Style and presentation. The purpose of the report Before we start to write the report we need to know its purpose: What is it for? to report the findings of an audit review.

  11. 11 Professional Audit Report Templates for Business

    Give direction and structure to your audit reports by following the 5 C's: Criteria, Conditions, Cause, Consequence and Corrective Action. Use Visme's report maker to present complex financial analysis and opinions in a way that's not only easy to understand but also impresses top-level management. What Is an Audit Report?

  12. 50 Free Audit Report Templates (Internal Audit Reports)

    / Business / Finance / Audit Report Templates 50 Free Audit Report Templates (Internal Audit Reports) An audit report template is a written document which contains the opinion of an auditor about the financial statements of any entity. When writing this report, use a standard format that's mandated by GAAS or Generally Accepted Auditing Standards.

  13. Writing A Great Audit Report

    A great audit report is one that is sent in a timely manner to the auditee whether it is an internal or external audit report. A good rule of thumb is to send the audit report within five to 10 working days. Beyond 10 working days the recipient may not take the audit report seriously. In fact, audit reports that are not sent to external parties ...

  14. Audit Report Examples

    An audit report is an independent opinion of a person/firm (i.e., auditor) about whether the financial statements present a true & fair view of the state of affairs of the entity, profit/loss of the entity & cash flows for the year, and such opinion is given after performing reasonable audit procedures so obtain sufficient & appropriate evidence...

  15. Audit Report Sample: How to Decipher Audit Reports

    Audit reports are generally structured around the following five important elements: Condition: describes the problem in the process, found during the audit. Criteria: indicates the criteria that was not met (e.g. a quality standard, a company policy document, accounting policies etc.) Cause: reason for the problem in the process.

  16. Audit Report Examples

    There can be following variations in an auditor report opinion examples: #1 - Clean Opinion: If the auditor is satisfied with the financials and as per him/her, these are of fair presentation. #2 - Qualified Opinion: In this type of report, the auditor will state limitations faced while auditing. #3 - Adverse Opinion: If the statements ...

  17. Writing a good QMS internal audit report

    Writing a good QMS internal audit report Mark Hammar March 17, 2015 In ISO 9001, the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process?

  18. PDF Audit Report Writing Guide

    Audit Report Writing Guide: A guide for writing audit reports to the Ministry of Health (revised November 2014). Wellington: Ministry of Health. Published in November 2014 by the Ministry of Health PO Box 5013, Wellington 6145, New Zealand. ISBN: 978--478-44444-5 (print) ISBN: 978--478-44445-2 (online) HP 6067.

  19. Writing Informative Audit Reports

    Audit reports provide insight into what processes and functions are working well, perceptions of risk, and identification of what has gone wrong. From these insights will flow corrective actions, preventive actions, lean initiatives, benchmarking activities, and an array of improvement projects. Internal audits are essential inputs into the ...

  20. How to write an internal audit report for ISO 27001

    An ISO 27001 internal audit involves a competent and objective auditor reviewing the ISMS or elements of it and testing that: The requirements of the standard are met, The organisation's own information requirements and objectives for the ISMS are met, The policies, processes, and other controls are effective and efficient.

  21. PDF Effective Audit Report Writing

    General Course Objectives. Identify ways to enhance and streamline existing audit reporting process. Develop a method for drafting audit reports that focus on the 3 "C's" - clear, complete, and concise. Persuade readers to take action. Assess and enhance logical flow of narrative.

  22. How To Write A Cyber Security Audit Report?

    An effective audit report should include the following: Identification of risks Analysis of the risks Recommendations for addressing the risks Long-term solutions to address the identified risks Ensuring the organisation's security posture is continually strengthened and protected against future threats.

  23. Writing a clinical audit report

    Writing a clinical audit report It is recommended that you structure your audit report in the following way: Title: Give your audit a title that describes what is being audited. Background: Provide rationale for topic selection and include background information that is essential to understanding a process or problem.

  24. Incident Response Plan (IRP) Basics

    Publish Date. January 31, 2024. Cybersecurity Best Practices, Election Security. This factsheet provides an overview of an Incident Response Plan and how it should be implemented before, during, and after a cybersecurity incident.

  25. Create a form in Word that users can complete or print

    In Word, you can create a form that others can fill out and save or print. To do this, you will start with baseline content in a document, potentially via a form template. Then you can add content controls for elements such as check boxes, text boxes, date pickers, and drop-down lists. Optionally, these content controls can be linked to ...

  26. Example prompts to try with Microsoft Copilot with Graph-grounded chat

    Tip: When you're giving Copilot instructions, you can direct it to specific work content by using the forward slash key ("/"), then typing the name of a file, person, or meeting. If you write a prompt and don't reference a specific file, person, or meeting, Copilot will determine the best source of data for its response, including all your work content.

  27. What do your blood test results mean? A toxicologist explains the

    Thus, biomarkers in a blood sample can represent a snapshot of the current biochemical state of your body, and analyzing them can provide information about various aspects of your health. As a ...

  28. Treasury Publishes 2024 National Risk Assessments for Money Laundering

    Reports Confirm and Update Key Illicit Finance Concerns in Response to Evolving Threat and Risk Environment WASHINGTON - Today, the U.S. Department of the Treasury published the 2024 National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. These reports highlight the most significant illicit finance threats, vulnerabilities, and risks facing the United ...