Types of report provided in internal audit assignments09年ACCA_CAT考试

文章作者 100test 发表时间 2009:08:07 17:47:18
来源 100Test.Com百考试题网

　　1.Reports for different purposes
　　An audit report is the key output of internal audit work undertaken.
　　The type of report produced by internal audit will vary according to the nature of work undertaken and the type of organization involved. A detailed, formal report may be appropriate for traditional audits in a large organization. However, advice and guidance on change or a project may be more appropriately communicated through discussion papers or memorandum reports.
　　Whatever the style of report, the internal auditor should take care to ensure that it meets the organizational needs, as well as communicating clearly, concisely and effectively the findings form the audit.
　　2. Report ratings
　　In some organisations, internal auditors provide ‘ratings’ of the area under review, indicating the extent of concern over control or the level of risk. This can be in many forms, for example:
　　colors -red/amber/green
　　numbers /letters – A,B,C or 1,2,3
　　wording, such as ‘acceptable’ or ‘satisfactory’ and ‘unacceptable’ or ‘unsatisfactory’
　　star ratings - *,**,***,
　　The appropriateness of the rating will depend on the culture and style of the organization and demands of management. Such ratings can help senior management form an overall opinion of the organization and to identify trends and can also help with high level reporting. However, they can also be seen negatively if they result in management responding defensively to a report on their area that will result in a poor rating.
　　The most important consideration for rating a report is the basis on which any evaluation or measure will be carried out. This needs to be consistent and clear to ensure credibility of the ratings. The rating may be against a formal control or risk model that drives out the decision or opinion.
　　3. Formal reports
　　This is the traditional style of reporting form an internal audit, setting out a conclusion on the outcome of a review and detailed findings and recommendations.
　　Reports should contain:
　　Executive summary
　　This may include a short overall section on the scope, approach and objectives of the review.
　　This would include an overall conclusion form the audit and may include an opinion. It may also include a balanced overview of the area including both good and bad findings.
　　This should tell any reader the major points arising form the audit so that without reading any further a view on the area and priorities can be formed. The executive summary should be sufficient to read as a stand-alone document if necessary.
　　It should make maximum impact and be short and punchy – Senior Management do no want to go through many pages of executive summary to try and form an opinion.
　　Summary of key findings and recommendations
　　Short, clear summaries of the key findings and recommendations form the review.
　　Detailed findings, recommendations and agreed action
　　This will set out agreed actions, timescale for action and responsibilities for resolution and will be the meat of the report for line management.
　　Appendices
　　This will depend on the type of area under review but could include additional evidence and analysis, any definitions or explanations or terms of reference.
　　4. Other types of report
　　Discussion papers and reports
　　Discussion papers and discussion reports may be used for certain types of audit report
　　project management review reports
　　business case review reports
　　review of implementation reports
　　post – implementation reports
　　due diligence reporting.
　　The types of reports produced will depend on the approach to project auditing within the organization but as the audit of change becomes more important, so the use of more formalised audit project reporting will increase. To an extent, the type and nature of reporting on projects will be driven by the organization approach to reporting.
　　Presentations
　　As internal audit moves towards a consultancy type of audit, then presentations can be an appropriate means of communicating. Presentations can make a particularly good impact when there are a large number of customers or the are is very complex. By getting line/senior managers together and presenting findings, there is more scope for using effective influencing and communication to agree the most effective way forward.
　　Memorandum type reports
　　Memorandum-type reports are appropriate for small reviews that do not warrant a full report but need to have findings and outcomes communicated.
　　Compliance reports
　　Despite the move to a consultant, risk based approach, there is still a need to report on compliance activities undertaken. These may be the results of standard questionnaires or tests that need to be summarized into compliance reports at individual and consolidated levels.
　　Follow-up reporting
　　Professional standards require that all findings raised are followed up to ensure that agreed action has been implemented. This follow-up can be in a number of ways:
　　obtaining management confirmation of resolution of the action
　　testing by internal audit to ensure satisfactory clearance
　　formal follow-up reviews, where significant findings and level of risk had been found.
　　Risk reports
　　Reports from internal audit can analyse the risk exposure within an organization, including risk impact and probability. These may be specific reports produced showing an overall picture of risk and control within the organization to meet the corporate governance requirements .
　　Reports from risk and control workshops
　　Where internal auditors facilitate risk and control workshops where risks are brainstormed with operational management, these will need to be captured and formally reported. The style of reporting will be different because of the nature of the work undertaken, which is more participative than conventional work.
　　Reports should identify key risks identified, the impact and probability of such risks and the controls in place to mitigate the risks. Reports should also capture agreed actions, which should be monitored in the same way as any other agreed actions.
　　Monthly and annual reporting
　　Internal auditors should produce monthly and annual reporting to provide organizations with the assurance required on the level of risk, overall control environment and compliance with corporate governance requirements. These should consolidate all the individual audit work undertaken to give a more rounded and complete picture to management. Such reporting could also include:
　　performance statistics for the department, including productivity and achievement of agreed service standards
　　summary of key outstanding recommendations
　　key risk issues identified but not reported upon
　　future internal audit plans.