Internal Audit Reports CONT 4023

Common Findings Inadequate design of internal control over a significant account or process. Inadequate documentation of the components of internal control. Insufficient control consciousness within the organization, for example, the tone at the top and the control environment. Absent or inadequate segregation of duties within a significant account or process. Absent or inadequate controls over the safeguarding of assets Inadequate design of information technology (IT) general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

Common Findings Employees or management who lack the qualifications and training to fulfill their assigned functions. Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time. The absence of an internal process to report deficiencies in internal control to management on a timely basis. Non - compliance

Common Findings Failure in the operation of effectively designed controls over a significant account or process, for example, the failure of a control such as dual authorization for significant disbursements within the purchasing process. Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy, for example, the failure to obtain timely and accurate consolidating information from remote locations this needed to prepare the financial statements. Failure of controls designed to safeguard assets from loss, damage, or misappropriation. Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledge account in a timely or accurate manner.

Common Findings Undue bias or lack of objectivity by those responsible for accounting decisions, for example, consistent understatement of expenses or overstatement of allowances at the direction of management. Misrepresentation by client personnel to the auditor (an indicator of fraud). Management override of controls. Failure of an application control caused by a deficiency in the design or operation of an IT general control.

Purpose of Report A written audit report: Ensures the communication reaches those responsible Prevents misunderstandings Facilitates the follow-up process.

Completeness  Ensure all issues are communicated to management.  Review each issue to determine whether to include it in the audit report.  Prepare a memo for management of the area audited detailing issues not significant enough to include in the report.  Ask management to review a draft of the audit report to ensure facts are correct and understood.

Language Write the audit report using clear, concise language Avoid using inflammatory terms or statements. Audit reports should not be written to blame management for control failings. They should convey only the results of tests and their impact on the entity. Limit or clearly define unique terms, and restrict sentences to 18 to 20 words to improve clarity.

Sentence Length One sentence: "The roles, responsibilities and accountability mechanisms of managers and staffing officers are clearly defined in the departmental training course on sub-delegation which was given to all managers about to receive sub-delegated staffing authority." (33 words) Two sentences: "All managers who were to receive sub-delegated authority attended the departmental staffing course. The course defines the roles, responsibilities and accountability of managers and staffing officers." (13 words in each)

Language - Intensifiers Intensifiers are words like: clearly, special, key, well, reasonable, significant and very. Their use should be limited because they frequently lack precision, reflect personal values and fill space for no real purpose. Intensifiers raise questions such as "significant compared to what?" and "clearly according to whose criteria?"

Presentation Bullets Report writers can use bullets as punctuation in front of points to break up dense text and shorten sentences, focus attention, save words and improve logic and flow. The use of bullets is highly recommended when findings are lists of standards, samples, activities, facts and results.

Example Without Bullets: "The Department possesses control mechanisms such as a clearly identified responsibility center, consultative committees for target groups and an Affirmative Action Steering Committee. These mechanisms which include action plans and reporting systems adequately ensure the effectiveness of employment equity programs." With bullets: "The Department has mechanisms to ensure effective employment equity programs, including: an identified responsibility center action plans and reporting systems consultative committees for target groups an Affirmative Action Steering Committee."

Report Content

Structure Audit reports include the following sections: Cover Title page Table of contents Summary (including the recommendations) Introduction Findings Appendices.

Cover and Title Page Audit reports use a standard cover, with a window showing: The title: "Staffing Audit" or "Personnel Management Audit“ The department's name The report's date of issue (month and year). These items are repeated at the bottom of each page.

Table of Contents The table lists the sections and sub-sections with page numbers as follows: Summary and recommendations Introduction Findings (by audit field) Appendices (as required).

Summary The summary gives a quick overview of the state of the department at the time of the audit in light of the main issues covered by the report. It does not normally exceed three pages, including the recommendations. Recommendations should be listed under a lead statement such as: (example) "We recommend that the Deputy Minister: amend...; establish...; implement..." Recommendations should be stand-alone statements that can be read out of context and still make sense.

Introduction Context: This sub-section briefly describes conditions in the audit entity during the period under review. Purpose: This sub-section is a short description of what functions and special programs were audited and the clients' authorities. Scope: The scope lists the period under review, the issues covered in each function and program, the locations visited and the on-site dates. Methodology: This section briefly describes sampling, data collection techniques and the basis for auditors' opinions. It also identifies any weaknesses in the methodology to allow the client and auditee to make informed decisions as a result of the report..

Findings & Recommendations The findings section details control issues significant enough to warrant attention from management. Findings usually include recommendations on how to fix the controls and management's detailed corrective action plans.

Findings & Recommendations The depth of coverage for issues should normally reflect the significance of the findings. Situations representing a high degree of risk or indicating shortcomings that are serious enough to justify a recommendation should be treated extensively. Specific initiatives that the auditors wish to mention as examples should be described in detail, while issues where the department meets the expectations and there is nothing specific to mention should be dealt with briefly.

Commentary Where a recommendation and a compliment are made under the same issue, they should be in separate paragraphs. Statistics need to be used consistently throughout the report. Sample size and error rate mean more when they are given in context. The size of the population, the number of transactions and the period of time provide that context. Percentages should not be used when referring to small samples (less than one hundred). Graphics should be used when they add to the understanding of the text.