IIA Standard 430 and Statement on Internal Auditing Standards #2 give requirements
and guidelines for communicating the results of audit work. This section of
the audit manual describes our approach to communicating the results of audit
Except for very small reviews, we will issue some form of written communication
at the end of each project. The structure and content of this communication
will be based on the nature and results of a project and what we need to communicate
with whom. Results of small review can sometimes be communicated orally.
Regardless of the format, written communications (reports) should possess certain
basic qualities. They should be:
- Objective- present information in a factual, unbiased manner.
- Constructive- focus on ways to help the auditee and lead to improvement
criticizing errors and control weakness.
- Clear- be logical and easily understood, avoid unnecessary technical language,
and provide appropriate supporting information.
- Concise- be to the point, avoid unnecessary detail, and express thoughts
in the fewest
possible words. Generally, the first sentence of a paragraph in a report or
letter should identify the problem noted or the basic nature of a recommendation.
The choice of words used and tone of reports are as important as the information
presented. For example, if we find a missing process-such as daily deposit of
receipts- it’s better to say that the missing process is required by University
policy instead of describing its absence as a violation of policy. Using neutral
works increases the likelihood that management will provide an acceptable response
and take appropriate corrective action. When writing reports, be guided by how
the language used would sound to you if you were the manager of the area reviewed.
Findings, recommendations, and management’s responses in our reports should
never identify individuals by name. Identifying someone using a position title
or general terms such as "an employee" or "the individual named
in the complaint" preserves objectivity and reduces potential legal liability
for the University and the author of the report.
Reports are typically addressed to the Secretary of the Board of Trustees with
copies provided to the President and members of management who are responsible
for the area audited or who can correct any of the findings reported. However,
close out letters for special projects may be addressed to the manager who requested
the project and copied to the President and/or Vice President.
Until the final report is issued, all pages of the reports should be clearly
A formal report format should be used for routine audits, major special projects,
and major misuse investigations. Formal reports consist of a title page; contents
page; an introduction, purpose and scope, and findings, recommendations and
Close out Letters
The results of smaller special projects and misuse investigations will be communicated
with a close out letter that summarizes the allegation reviewed or nature of
a special project and the results of our review.
If the findings from a misuse investigation or special project cannot be adequately
disclosed with a general statement or we need to obtain management’s responses
to the findings, we will issue a close out letter accompanied by a Findings
and Recommendations section like that of a formal audit report.
Some special projects may require a formal report for significant findings
and a separate memo to department management listing less significant issues.
Whenever our reports present individual findings, we should obtain management’s
response to the findings. These responses will be included in the report immediately
after the related finding and recommendation.
The auditor who conducted the review is responsible for determining that the
responses are adequate, complete, and address the issues in the report. Responses
should state whether or not management agrees with the finding. The responses
should state whether they will implement the corrective action suggested in
the recommendation or describe alternative steps they will take to address the
underlying issue. Responses identify the positions that will be responsible
for making the corrections and the estimated date that corrective action will
If management disagrees with a finding or provides an inadequate response,
the auditor in charge should work to resolve the situation. As a first step,
the auditor should contact the individual to exchange additional information
about the issues. If the auditee disagrees with the finding, the auditor should
obtain and review additional information that supports the auditees’ position
and , if necessary, provide additional details that support the finding. If
the response is incomplete, the auditor should explain what changes are needed
and ask that these be made.
If discussion with the auditee does not resolve the problem, the in-charge
auditor and the Director of Internal Audit will work with each successive level
of management to try to resolve the conflict.
We should not issue a report with the facts of a finding in dispute. Auditee
management may disagree with the significance of an issue in a report, may prefer
an alternative solution to the one suggested in our recommendation, and may
even decline to take corrective action. However, any finding in our reports
should contain accurate, complete information and management’s response should
be clear about the exact nature of any disagreement.
If we are unable to resolve a disagreement about the significance of a finding
or about the need for or adequacy of corrective action, we will include the
auditee’s views in the report. If management has declined to take appropriate
corrective action, our report should disclose that senior management has been
informed of the risk of not taking corrective action and has accepted that risk.
In both cases, all levels of auditee management should be given an opportunity
to review the revised report.
Review of Draft Reports
After we have received responses from the auditee for each of the findings
sheets issued during the audit, the senior auditor will prepare a draft report,
which will contain all major findings that have been reached. Some major findings
that are significant and have been corrected may be appropriate to include in
the report to ensure that executive management and the Board of Trustees are
informed about the findings and that corrective action has been taken.
The draft after being approved by the Director will be forwarded to the auditor
and a formal exit conference will be held to discuss the report. The exit conference
will enable all parties to agree on the factual content of the report and the
fair presentation of the findings. The auditee will be allowed to present any
additional information that could affect the report or findings included in
the report. Any changes made to the draft will be agreed upon in the exit conference.
Issuance of Formal Reports
After the exit conference, the department will be asked to respond in writing
to each specific finding within two weeks. Additional time can be granted but
no later than two weeks prior to the next scheduled meeting of the Fiscal Policy
Committee of the Board of Trustees. The secretary will insert the departmental
response in italics after each finding in the body of the report.
After proof reading by the Director or Auditor-in-charge, the report will be
sent to Printing Services to print and bind 55 copies. Approximately 8-10 days
prior to the Fiscal Policy Committee Meeting the secretary will deliver 40 copies
to the Secretary of the Board of Trustees for distribution to the Board and
members of the Presidents Council and any other interested parties. Materials
must be made available to the public seven days prior to the meeting as required
by the State Freedom of Information Act.
[Back to Table of Contents]