3. Reports
Audit reports provide a formal, permanent record and help with efficient follow-up of agreed action points. Reports may be a management letter or a multi-page report.
Management letters | short reports, eg tests in a Division as part of a multi-Division review or in a follow-up exercise |
interim reports | |
Full reports | key findings of an audit |
Distribution
Final reports are distributed by email to:
- principal auditee (person named in Terms of Reference)
- principal auditee’s line manager and Head of Division
- principal auditee’s Director
- other officers where relevant (agreed with auditee)
And routinely copied to:
- Chief Operating Officer
- Risk Improvement Manager
- NAO
- Audit Committee
Contents
Section one: summary of the audit’s key findings and the overall opinion
Section two: detailed findings and action points to correct identified deficiencies
The overall opinion reflects whether the auditor is content with the risk management or governance arrangements in place:
- Reasonable assurance – arrangements are considered overall to be sound and provide a reasonable expectation that objectives will be achieved without material problems arising.
- Limited assurance – arrangements have important deficiencies, which raise a doubt that objectives will be achieved. The deficiencies relate to inadequate procedures (eg controls are inappropriate) or ineffective procedures (eg controls do not work as intended).
- No assurance – deficiencies are such that there can be no confidence that arrangements will ensure that objectives will be achieved.
Action points
These are the auditor’s proposals for action to correct an identified weakness, categorised by importance:
1 | Aimed at rectifying weaknesses in control that result in an unacceptable level of risk – remedial action should be taken urgently. |
2 | Aimed at rectifying weaknesses in control that carry risks of undesired effects in terms of loss, exposure or poor value for money. |
3 | Areas where management would benefit from improved control, but where risks are medium to low. |
As a manager, you can accept or reject action points. If you reject audit advice, you accept the associated risks. If you accept an action point, you must implement it within the agreed timescale. Non-implementation of agreed action points, or rejection of proposed action points, will be reported to the Audit Committee.
If you accept action points you must provide:
- a target date for implementation of action to overcome the identified weakness
- the name of the officer who will be charged with implementation
These details should be recorded in the Action Point annex to the final report.
Follow-up
Internal Audit is obliged to follow up the implementation of action points in order to report to the Audit Committee on the effectiveness of management’s agreed plan.
Follow-up work comes from:
- routine enquiries to check the progress of category 1 and 2 action points (usually quarterly in preparation for the next Audit Committee)
- dedicated review by an auditor, which is either a separate review or part of a subsequent audit covering the same area