Report Content
Requirements: Report Content, Including Objectives, Scope, and Methodology
9.10
Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted.
9.11
Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit.
9.12
Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals.
9.13
In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors’ overall assessment of the sufficiency and appropriateness of the evidence in the aggregate.
9.14
In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors’ findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population.
Application Guidance: Report Content, Including Objectives, Scope, and Methodology
9.15
Report users need information regarding the audit objectives, scope, and methodology to understand the purpose of the audit; the nature and extent of the audit work performed; the context and perspective regarding what is reported; and any significant limitations in the audit objectives, scope, or methodology.
9.16
In reporting audit methodology, auditors may include a description of the procedures performed as part of their assessment of the sufficiency and appropriateness of information used as audit evidence.
9.17
The auditor may use the report quality elements of accurate, objective, complete, convincing, clear, concise, and timely when developing and writing the audit report as the subject permits.
Accurate: An accurate report is supported by sufficient, appropriate evidence with key facts, figures, and findings being traceable to the audit evidence. Reports that are fact-based, with a clear statement of sources, methods, and assumptions so that report users can judge how much weight to give the evidence reported, assist in achieving accuracy. Disclosing data limitations and other disclosures also contribute to producing more accurate audit reports. Reports also are more accurate when the findings are presented in the broader context of the issue. One way to help the audit organization prepare accurate audit reports is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit checks that statements of facts, figures, and dates are correctly reported; the findings are adequately supported by the evidence in the audit documentation; and the conclusions and recommendations flow logically from the evidence.
Objective: Objective means that the presentation of the report is balanced in content and tone. A report’s credibility is significantly enhanced when it presents evidence in an unbiased manner and in the proper context. This means presenting the audit results impartially and fairly. The tone of reports may encourage decision makers to act on the auditors’ findings and recommendations. This balanced tone can be achieved when reports present sufficient, appropriate evidence to support conclusions while refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. The objectivity of audit reports is enhanced when the report explicitly states the source of the evidence and the assumptions used in the analysis. The report may recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Audit reports are more objective when they demonstrate that the work has been performed by professional, unbiased, independent, and knowledgeable personnel.
Complete: Being complete means that the report contains sufficient, appropriate evidence needed to satisfy the audit objectives and promote an understanding of the matters reported. It also means the report states evidence and findings without omission of significant relevant information related to the audit objectives. Providing report users with an understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity’s operations. Being complete also means clearly stating what was and was not done and explicitly describing data limitations, constraints imposed by restrictions on access to records, or other issues.
Convincing: Being convincing means that the audit results are responsive to the audit objectives, that the findings are presented persuasively, and that the conclusions and recommendations flow logically from the facts presented. The validity of the findings, the reasonableness of the conclusions, and the benefit of implementing the recommendations are more convincing when supported by sufficient, appropriate evidence. Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action.
Clear: Clarity means the report is easy for the intended user to read and understand. Preparing the report in language as clear and simple as the subject permits assists auditors in achieving this goal. Use of straightforward, nontechnical language is helpful to simplify presentation. Defining technical terms, abbreviations, and acronyms that are used in the report is also helpful. Auditors may use a highlights page or summary within the report to capture the report user’s attention and highlight the overall message. If a summary is used, it is helpful if it focuses on the audit objectives, summarizes the audit’s most significant findings and the report’s principal conclusions, and prepares users to anticipate the major recommendations. Logical organization of material and accuracy and precision in stating facts and in drawing conclusions assist in the report’s clarity and understandability. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) may help clarify and summarize complex material.
Concise: Being concise means that the report is no longer than necessary to convey and support the message. Extraneous detail detracts from a report and may even conceal the real message and confuse or distract the users. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve results.
Timely: To be of maximum use, providing relevant evidence in time to respond to officials of the audited entity, legislative officials, and other users’ legitimate needs is the auditors’ goal. Likewise, the evidence provided in the report is more helpful if it is current. Therefore, the timely issuance of the report is an important reporting goal for auditors. During the audit, the auditors may provide interim reports of significant matters to appropriate entity and oversight officials. Such communication alerts officials to matters needing immediate attention and allows them to take corrective action before the final report is completed.
Reporting Findings, Conclusions, and Recommendations
Requirements: Reporting Findings, Conclusions, and Recommendations
9.18
In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives.
9.19
Auditors should report conclusions based on the audit objectives and the audit findings.
9.20
Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology.
9.21
Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately.
9.22
When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them that if not disclosed could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices.
9.23
When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended.
Application Guidance: Reporting Findings, Conclusions, and Recommendations
9.24
The extent to which the elements for a finding are developed depends on the audit objectives. Clearly developed findings assist management and oversight officials of the audited entity in understanding the need for taking corrective action.
9.25
As discussed in paragraphs 8.108 through 8.115, even though the auditors may have some uncertainty about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence given the findings and conclusions. Describing limitations provides report users with a clear understanding of how much responsibility the auditors are taking for the information.
9.26
Auditors may provide background information to establish the context for the overall message and to help the reader understand the findings and significance of the issues discussed. Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, effect, purposes, and past audit work, if relevant); a description of the audited entity’s responsibilities; and explanation of terms, organizational structure, and the statutory basis for the program and operations.
9.27
Report conclusions are logical inferences about the program based on the auditors’ findings, not merely a summary of the findings. The strength of the auditors’ conclusions depends on the persuasiveness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are more compelling if they lead to recommendations and convince a knowledgeable user of the report that action is necessary.
9.28
Effective recommendations encourage improvements in the conduct of government programs and operations. Recommendations are effective when they are addressed to parties with the authority to act and when the recommended actions are specific, feasible, cost-effective, and measurable.
Reporting on Internal Control
Requirements: Reporting on Internal Control
9.29
When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed.
9.30
When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report.
9.31
When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report.
Application Guidance: Reporting on Internal Control
9.32
Auditors may identify the control components, underlying principles, control objectives, or specific controls assessed in describing the scope of their work on internal control. Auditors may also identify the level of internal control assessment performed, as discussed in paragraph 8.50. Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors’ professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity’s internal control system.
9.33
An internal control system is effective if the five components of internal control are effectively designed, implemented, and operating, and are operating together in an integrated manner. The principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. If a principle is not applied effectively, then the respective component cannot be effective. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective.
9.34
When auditors detect deficiencies in internal control that do not warrant the attention of those charged with governance, determining whether and how to communicate such deficiencies to audited entity officials is a matter of professional judgment.
Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
Requirements: Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
9.35
Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that noncompliance with provisions of laws, regulations, contracts, and grant agreements either has occurred or is likely to have occurred that is significant within the context of the audit objectives.
9.36
Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are not significant within the context of the audit objectives but warrant the attention of those charged with governance.
Application Guidance: Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
9.37
Whether a particular act is, in fact, noncompliance with provisions of laws, regulations, contracts, and grant agreements may have to await final determination by a court of law or other adjudicative body.
9.38
When auditors detect instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that do not warrant the attention of those charged with governance, the auditors’ determination of whether and how to communicate such instances to audited entity officials is a matter of professional judgment.
9.39
When noncompliance with provisions of laws, regulations, contracts, and grant agreements either has occurred or is likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.
Reporting on Instances of Fraud
Requirements: Reporting on Instances of Fraud
9.40
Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that fraud either has occurred or is likely to have occurred that is significant to the audit objectives.
9.41
Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of fraud that are not significant within the context of the audit objectives but warrant the attention of those charged with governance.
Application Guidance: Reporting on Instances of Fraud
9.42
Whether a particular act is, in fact, fraud may have to await final determination by a court of law or other adjudicative body.
9.43
When auditors detect instances of fraud that do not warrant the attention of those charged with governance, the auditors’ determination of whether and how to communicate such instances to audited entity officials is a matter of professional judgment.
9.44
When auditors conclude fraud has occurred or is likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.
Reporting Findings Directly to Parties outside the Audited Entity
Requirements: Reporting Findings Directly to Parties outside the Audited Entity
9.45
Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances.
When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the audited entity’s failure to take timely and appropriate steps directly to the funding agency.
9.46
Auditors should comply with the requirements in paragraph 9.45 even if they have resigned or been dismissed from the audit prior to its completion.
9.47
Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46.
Application Guidance: Reporting Findings Directly to Parties outside the Audited Entity
9.48
The reporting in paragraph 9.45 is in addition to any legal requirements to report such information directly to parties outside the audited entity.
9.49
Internal audit organizations do not have a duty to report outside the audited entity unless required by law, regulation, or policy.