writing good audit findings

Audit Findings Decoded: Compliance, Process, and Common Occurrences

Arden Leland

April 4, 2024

Audit Findings Decoded: Compliance, Process, and Common Occurrences

Understanding the depth and breadth of audit findings in your audit report is paramount for any organization striving for operational excellence and compliance integrity. Audit findings not only uncover discrepancies but also highlight areas for improvement and potential risk factors that could hinder an organization’s growth and financial health. Whether you are an auditee or an auditor, it is essential to have a thorough understanding of compliance requirements, internal controls, and the audit process.

This article will decode the world of audit findings by discussing different compliance requirements, an overview of the audit process, and the most common occurrences in various areas such as financial reporting and IT. It will also provide insights on corrective actions, the use of corrective action plans, and the importance of follow-up in ensuring non-compliance is addressed. So let’s dive in and learn how to effectively handle audit findings and ensure the integrity of your audit report.

What Are the Compliance Requirements for Audit Findings?

Navigating the intricate landscape of compliance requirements for audit findings is essential for both auditors and auditees. At the heart of these requirements are the stringent reporting standards set forth by senior management, federal regulations, professional associations, and industry-specific guidelines. These standards necessitate meticulous documentation and reporting of audit findings, especially those related to internal controls over financial reporting.

Compliance requirements dictate that audit reports must be transparent, detailing any deficiencies in internal controls, noncompliance with relevant regulations, and discrepancies within financial statements. Moreover, the timely notification of findings to the relevant stakeholders is a critical component. This ensures that senior management is adequately informed and can take necessary corrective actions promptly. Federal regulations often require organizations to follow specific procedures when reporting findings, particularly when dealing with federal awards or expenditures.

Ensuring adherence to these compliance requirements not only facilitates a robust internal control environment but also safeguards the integrity of financial reporting processes. It is through understanding and implementing these compliance standards that organizations can effectively manage audit findings and uphold the principles of accountability and transparency.

An Overview of The Audit Process

The audit process is a structured approach, meticulously designed to scrutinize an organization’s risk management programs, operations, financials, and compliance with applicable regulations. It begins with Audit Planning , where an auditor establishes the scope and objectives of the audit, laying the groundwork for a comprehensive examination. This phase includes the selection of key areas for review, with a focus on those presenting the greatest risk.

In conjunction with planning planning, Preliminary Assessments and Risk Analysis are conducted to identify areas of potential concern or heightened risk, which informs the Audit Plan. This involves evaluating the effectiveness of internal controls and identifying areas susceptible to misstatement or non-compliance. This stage is crucial for directing the auditor’s focus to the most significant risks. Program Development comes next, where specific audit procedures are designed to test the identified risks. These procedures are tailored to the unique needs and risks of the organization, ensuring a focused and effective audit.

The Fieldwork and Testing phase is where the auditor collects evidence. This involves examining financial records, observing operations, and performing various tests on internal controls. It’s a critical phase where detailed evidence is gathered to support the auditor’s findings. Analysis and Evaluation mark the culmination of the audit process. Here, the auditor analyzes the collected evidence, evaluates the organization’s compliance with regulations, and assesses the effectiveness of internal controls.

Documentation plays a pivotal role throughout the audit process, ensuring every step, from planning to evaluation, is recorded with precision. This comprehensive record-keeping supports the transparency and credibility of the audit findings. The culmination of this process is encapsulated in Report Preparation, where the audit findings, recommendations for corrective actional, and follow-ups are then compiled into the auditor’s report. This report is a vital tool for organizations, providing insights and notifications necessary for addressing deficiencies and enhancing operations.

Through this structured audit process, organizations gain valuable insights into their operations, paving the way for improved accountability and efficiency.

What Are the 5 C’s of Audit Findings?

Delving into the anatomy of audit findings, the framework of the 5 C’s offers a methodical approach to dissecting and comprehending the nuances of audit observations. Understanding the 5 C’s of audit findings — criteria, condition, cause, consequence, and corrective action — is crucial for both auditors and auditees to effectively address areas of noncompliance and strengthen internal controls and processes.

The first “C” stands for Criteria , referring to the benchmarks or compliance requirements against which the auditee’s practices are evaluated. This includes regulations, laws, and standards that dictate how processes should operate. The second “C” is Condition , which describes the auditee’s actual practice or situation as observed during the audit, often highlighting a deviation from the criteria.

The third “C”, Cause , delves into the reason behind the deviation or noncompliance, identifying the root of the issue. This insight is pivotal for developing effective management responses and corrective actions. Consequence , the fourth “C”, outlines the potential or actual impact of the deviation, stressing the importance of addressing audit findings promptly to mitigate risks.

Finally, Corrective Action Plans represent the fifth “C”, illustrating the auditee’s roadmap to rectify the identified issues, thereby aligning practices with the uniform guidance and compliance requirements. These plans are a critical component of the audit report, offering a clear strategy for enhancing operations and ensuring accountability. Together, the 5 C’s provide a comprehensive framework for understanding and acting on audit findings, guiding the path toward regulatory compliance and operational excellence.

What Are the Most Common Business Process Audit Findings?

In the realm of business process or operations, common audit findings include internal control weakness, inefficiencies, and fraud indications — often highlighting significant areas of concern that, if addressed, can substantially improve operational efficiency and compliance.

A pivotal aspect of these findings is Internal Control Weakness , which points to gaps in the organization’s framework meant to safeguard assets and ensure reliable financial reporting. These shortfalls can range from minor weaknesses to significant deficiencies that can severely impact the entity’s ability to conduct business effectively.

Inefficiencies in operations also frequently emerge as a common audit finding. These are identified through an internal audit and often relate to processes that do not achieve their intended outcomes efficiently, leading to wasted resources and reduced productivity. Such inefficiencies not only escalate costs but also detract from an organization’s agility and its ability to adapt to market dynamics or seize new opportunities. Addressing these inefficiencies is crucial for enhancing overall operational performance.

Another critical finding is Fraud Indications , where evidence suggests the possibility of deceitful activities aimed at personal gain or organizational harm. The management response to such findings is essential, as it demonstrates the organization’s commitment to integrity and accountability. Audit reports containing these findings require careful consideration and a strategic approach to rectify identified issues. They call for detailed management response plans to address and correct the underlying causes.

Through such corrective actions, organizations can meet reporting requirements, mitigate questioned costs, and align more closely with best practices, thus minimizing the recurrence of common audit findings in future audits.

What Are the Most Common Audit Findings in Financial Reporting?

In the realm of financial reporting, auditors commonly identify issues including misstatements in financial statements, inaccurate revenue recognition, and asset valuation errors — which can affect the credibility and clarity of an organization’s financial statements.

Misstatements in Financial Statements are among the most frequent audit findings, where inaccuracies or omissions distort the financial health of an organization. This could stem from simple errors or complex issues related to fraud or noncompliance, necessitating a detailed management response to rectify.

Common Audit Findings in Financial Reporting

Inaccurate Revenue Recognition is another prevalent issue, where revenue is either prematurely recognized or improperly classified, leading to a skewed depiction of financial performance. This error not only impacts the financial statements but could also lead to questioned costs and affect the organization’s eligibility for future funding or reimbursements.

Asset Valuation Errors also pose significant risks, as they can mislead stakeholders about the value of the company’s assets. These errors could result from incorrect appraisal methods, failure to account for depreciation, or improper assessment of market conditions. Such discrepancies necessitate adjustments in the audit process, potentially leading to restatements in the auditor’s report and affecting expenditures and disbursement practices.

Organizations must ensure that their financial practices are robust, transparent, and meticulously aligned with the prevailing accounting standards and principles. Addressing these common audit findings is crucial for ensuring the integrity and reliability of financial reporting, safeguarding against noncompliance, and maintaining the trust of investors, regulators, and other stakeholders.

What Are the Most Common Findings in IT?

In the specialized arena of IT, auditors frequently uncover a distinct set of common findings including security vulnerabilities, lack of disaster recovery planning, poor data management, and noncompliance with IT policies and standards. If not addressed through a robust corrective action plan, these IT-related findings could lead to significant operational disruptions and noncompliance with federal program requirements and government auditing standards.

One prominent finding centers on Security Vulnerabilities , which exposes organizations to potential breaches, data loss, and unauthorized access. This underscores the urgent need for enhanced internal controls and rigorous risk assessment processes to protect sensitive information and ensure compliance with stringent compliance requirements.

Another critical area of concern is the Lack of Disaster Recovery Planning . Many organizations fail to prepare for IT emergencies, leaving them vulnerable in the event of system failures or cyberattacks. This lack of preparedness can significantly impact an organization’s ability to maintain continuity of operations, posing a direct challenge to meeting the expectations set by senior management and regulatory bodies.

Poor Data Management also emerges as a frequent audit finding, characterized by insufficient data integrity, accuracy, and availability. Issues in this domain often stem from inadequate segregation of duties and flawed data handling practices, highlighting the necessity for comprehensive internal controls and strategic oversight by senior management.

Auditors may encounter Noncompliance with IT Policies and Standards , which signifies a misalignment between an organization’s IT practices and its established internal protocols or external regulatory requirements. Such discrepancies not only expose the organization to potential legal and regulatory sanctions but also undermine the efficacy and security of IT operations.

By systematically addressing these common audit findings, organizations can strengthen their IT governance frameworks, bolster security measures, and ensure rigorous compliance with relevant policies and standards, safeguarding their critical information assets against emerging threats and maintaining operational resilience.

Finding the Big Picture in the Details

In wrapping up the exploration of audit findings, it’s clear that navigating the complexities of compliance, internal controls, and corrective actions requires not only a deep understanding of the business and the audit process but also the right tools at one’s disposal. The employment of sophisticated audit management software emerges as a game-changer for audit teams , seamlessly integrating audit management, fieldwork, and reporting on a single platform. This technology significantly eases the burdens associated with audits, facilitating more efficient risk assessments, streamlining audit procedures, and ensuring timely follow-up on audit findings. Leveraging such technology can make the difference between merely responding to audit findings and proactively transforming these insights into strategic opportunities.

By adopting a forward-thinking approach to audit findings — viewing them not as setbacks but as catalysts for improvement — organizations can fortify their risk management practices, uphold the highest levels of compliance, and ultimately, secure their operational and financial integrity on a timely basis.

Arden Leland, CPA, is a Manager of Solutions Advisory Services at AuditBoard. Prior to joining AuditBoard, she spent 7 years at PricewaterhouseCoopers managing external audits for both private and public companies, with a specific focus on working with companies in their early years of SOX compliance. Connect with Arden on LinkedIn .

Policy and research
Career Pathway
Training and events
Audit & Risk
Communities
Technical blog
Technical skills
Interpersonal skills
How to audit
Internal audit leadership
Risk management
Control and regulatory compliance
Sector-specific standards and guidance
Global insights
Ask the resources team
Global Internal Audit Standards 2024

You are in:
Technical guidance
Delivering internal audit
Delivering internal audit findings

This page is for members and subscribers only

IIA Membership login is currently disabled.

In the meantime, if you urgently need access to a piece of guidance, please contact [email protected] and we'll email you a copy.

If you have any membership queries, please call 020 7498 0101

Sorry for the inconvenience and thank you for your patience.

Please log in

If you're a member of the Chartered IIA, or a subscriber to our Audit Committee Service, please enter your username and password at the top of the page to access your exclusive content.

Forgotten your username or password?

If you have any problems logging in, please contact us on 020 7498 0101.

Not a member? Why not join us?

When you become a member of the Chartered IIA you'll receive support and guidance on every aspect of internal auditing. You'll get access to all of our technical guidance, exclusive features, news and webinars, plus a host of other membership benefits.

Find out more about membership

What is internal audit?
Join the Chartered IIA
Audit & Risk Magazine
Jobs in internal audit
Regional network
Terms and conditions
Privacy policy

PRO Courses Guides New Tech Help Pro Expert Videos About wikiHow Pro Upgrade Sign In
EDIT Edit this Article
EXPLORE Tech Help Pro About Us Random Article Quizzes Request a New Article Community Dashboard This Or That Game Popular Categories Arts and Entertainment Artwork Books Movies Computers and Electronics Computers Phone Skills Technology Hacks Health Men's Health Mental Health Women's Health Relationships Dating Love Relationship Issues Hobbies and Crafts Crafts Drawing Games Education & Communication Communication Skills Personal Development Studying Personal Care and Style Fashion Hair Care Personal Hygiene Youth Personal Care School Stuff Dating All Categories Arts and Entertainment Finance and Business Home and Garden Relationship Quizzes Cars & Other Vehicles Food and Entertaining Personal Care and Style Sports and Fitness Computers and Electronics Health Pets and Animals Travel Education & Communication Hobbies and Crafts Philosophy and Religion Work World Family Life Holidays and Traditions Relationships Youth
Browse Articles
Learn Something New
Quizzes Hot
This Or That Game
Train Your Brain
Explore More
Support wikiHow
About wikiHow
Log in / Sign up
Finance and Business
Business Skills
Business Writing

How to Write an Audit Report

Last Updated: March 6, 2023 Fact Checked

This article was co-authored by Michael R. Lewis . Michael R. Lewis is a retired corporate executive, entrepreneur, and investment advisor in Texas. He has over 40 years of experience in business and finance, including as a Vice President for Blue Cross Blue Shield of Texas. He has a BBA in Industrial Management from the University of Texas at Austin. There are 9 references cited in this article, which can be found at the bottom of the page. This article has been fact-checked, ensuring the accuracy of any cited facts and confirming the authority of its sources. This article has been viewed 469,286 times.

An audit report is the formal opinion of audit findings. The audit report is the end result of an audit and can be used by the recipient person or organization as a tool for financial reporting, investing, altering operations, enforcing accountability, or making decisions. An effective audit report is essential to making sure the results of your audit are presented in a way that is useful to the party receiving the audit.

Preparing to Write an Audit Report

Step 1 Understand the basic goals of all audit reports.

Illustrating non-conformities: The main goal of any audit report is to illustrate where the organization does not conform with whatever standard, rule, regulation or objective that it is supposed to. It is important to clearly identify the non-conformity, as well as the standard it does not conform to. It is then important to demonstrate which evidence you used to confirm the non-conformity. The goal is that each non-conformity will contain enough information so that the receivers of the audit report can change it. [1] X Research source
Outlining positives: An audit report should not just include negatives. This is especially true for compliance reports, and operational audits. This allows the organization to focus on areas that are working and apply these to other areas. For example, if you are conducting a compliance audit to ensure an organization meets training requirements, you may say, "The audit reveals the current training program has exceeded requirements on-time and on-budget".
Opportunities for improvement: Beyond indicating things that are not conforming to requirements (non-conformities), it is important to also indicate high-risk areas, or areas that may be in compliance but are at risk of eventually not complying, or could be improved. [2] X Research source

Step 2 Think about who will be reading the report.

Tip: Make sure to define all the terms and abbreviations you use, as the standard forms of communication have potential to change.

Step 3 Learn the different types of audit.

Financial Audit: This is the most commonly known form of audit and refers to the systematic review of a company's financial reporting to ensure all information is valid and conforms to GAAP standards.
Operational Audit: An operational audit is a review of an organization's usage of resources to ensure those resources are being utilized as efficiently and effectively as possible to accomplish the mission and goals of the organization.
Compliance Audit: A compliance audit is performed to determine if an organization or program is operating in according with laws, policies, regulations, and procedures.
Investigative Audit: These are typically commissioned when there is an assumed violation of rules, regulations, or laws, and may involve a blend of all the previously mentioned types of audit.

Step 4 Learn the types of audit opinions.

A clean opinion is used if an entity's financial statements are a clear representation of an entity's financial opinion.
A qualified opinion is used when there were scope limitations on the auditor's work. Scope limitations are restrictions on the audit caused by the client or other events that do not allow the auditor to complete all aspects of his or her audit procedures.
An adverse opinion is used if financial information was misstated.
A disclaimer opinion can be triggered by several different situations. For example, the auditor may not be independent or there are concerns with the auditee. [4] X Research source

Beginning Your Report

Step 1 Know the style of audit reporting before you begin.

Provide perspective for the reader, giving a fair balance of the positive and negative results of the audit.
Be precise, and avoid redundant phrasing and inexact terminology. In interest of clarity, opt for shorter sentences over longer ones. A limit of 15 to 18 words is recommended in business writing. Also, avoid intensifiers like clearly, special, key, and reasonable as these lack precision.
Do not use passive voice. Passive voice can be difficult to read. Instead of saying "No irregularity of operation was found" say "The audit team found no evidence of irregularity."
Use bullet points, which break up difficult information and make it clearer for the reader.
Use gender neutral terms.
Do not use audit buzzwords. Buzzwords are ambiguous, overused phrases like "generally improved," "significant risk," and "tighten controls."

For example, if you are auditing the processes for a particular department of an organization, you may consider breaking the department up into several key sections and reporting findings that way.

Why was the audit conducted?
What was included and not included in the audit?
What was the time period audited?
What were the audit objectives? [6] X Research source

Step 5 Continue onto the Statement on Auditing Standards.

A brief description of what was audited, objectives, scopes, and time periods.
Statements of significant action plans.
Overall statements of concerns and conclusions.
Overall audit report rating. [8] X Research source

Writing Your Results and Recommendations

Step 1 Write an opening statement for your findings/recommendations section.

Criteria is an explanation of management goals and the standards use to evaluate the program, function, or activity audited.
Condition is how effectively department management is meeting goals and/or achieving standards. Goals can either be fully achieved, partially achieved, or not achieved.
Cause is a statement on the reason things have gone well or poorly. Possibilities include inadequate procedures, procedures not being followed, poor supervision, or unqualified employees.
Effect states the result of the conditions, in quantifiable terms. Is the effect increased risk or exposure? Is it monetary cost? Is it poor performance? This should be addressed when you cover effect. [10] X Research source

Be positive. Focus on what is going right at the moment, and how the good aspects of the entity can be applied in ineffective areas.
Be specific. Be very clear as to what specific aspects do not adhere to protocol, and to what concrete steps could be potentially implemented to ensure compliance.
Identify who should act. Does the company need better employee performance or should management be picking up the pace? Make clear who needs to make changes.
Keep recommendations brief. Be succinct - only include details that are necessary to your point. [11] X Research source

Include a cover page. The cover page should be three or four lines, and outline the subject of the audit report and the type of audit.
A memo should follow the cover page. The memo should be one or two short paragraphs overviewing who and what was audited, who has received or is receiving the report, and plans for future distribution.
A table of contents follows the memo, and it contains a catalogue of chapters, page numbers, sections, and suggestions of the audit.
The report should be written in plainly-worded, non-technical language and use proper grammar and paragraph organization.
Reports are organized by chapters, each with a title, and by sections and subsections, each marked with a heading. Headings should go from general to more specific. [12] X Research source

Audit Report Template

Expert Q&A

↑ http://www.qualitydigest.com/june07/articles/05_article.shtml
↑ https://www.cmu.edu/finance/audit-services/internal/types-of-audits.html
↑ https://www.icaew.com/-/media/corporate/files/helpsheets/technical/aaf-guides/audit-report-disclaimer-of-opinion.ashx
↑ https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101
↑ https://audit.mit.edu/guidance-resources/what-expect/what-are-audit-ratings
↑ https://financialcrimeacademy.org/reporting-recommendations-and-findings/
↑ https://www.iiafiji.org/resources/bbc5020b-a5ab-4388-b633-83813515c797.pdf
↑ https://www.anao.gov.au/work/performance-audit/implementation-audit-recommendations
↑ https://www.wallstreetmojo.com/audit-report-format/

About This Article

To begin an audit report, write an "Introduction" that gives background information. Then, add a "Purpose and Scope Methodology" section that outlines your goals and explains what you included and excluded from your report. After this section, add your disclaimer, the "Statement on Auditing Standards," and end with your "Executive Summary." This summary should explain your findings, ratings, and any action that will be taken. Throughout the report, use concise language and bullet points. For tips from our Financial reviewer on what to include in different types of audits, keep reading! Did this summary help you? Yes No

Send fan mail to authors

Reader Success Stories

Apr 26, 2019

Did this article help you?

Zaitoon Akram

Jul 14, 2020

Shadreck Chitumbo

Jul 10, 2019

C. Reynolds-Relford

Jun 8, 2022

Goma Mosbah

May 17, 2019

Featured Articles

Watch Articles

Terms of Use
Privacy Policy
Do Not Sell or Share My Info
Not Selling Info

Get all the best how-tos!

Internal Audit Foundation
Chapters & Affiliates
Internal Auditor Magazine
Group Sales
Career Center
Quality Services

Complimentary On-Demand Webinar

In today's dynamic audit landscape, writing stands out as a potent tool for communicating report findings and driving meaningful change. Dr. Lauren Primuth and Dr. Hernan Murdock, both seasoned professionals in the field, will guide you through the process of harnessing this power.

Watch as we explore:

Streamlined techniques for crafting impactful audit reports
User-friendly writing tools for immediate improvement
Tailoring writing styles to suit diverse report types

Equip yourself with the skills and tools to elevate your audit report writing from the very first session. Don't miss this valuable opportunity to enhance your professional capabilities.

Ready to take your audit reporting to the next level?

Gain Access

Explore More Like This

Privacy Policy
Accessibility Policy
Advertise With Us
Affiliate/Chapter Leader Login

Sep 20, 2019

How to write a clear and concise audit finding statements

In this blog you will learn how to write clear, concise and complete audit findings. Particularly statements of non-conformance or conformance.

Within the organisation that you are conducting the internal audit, you’re going to have to make yourself aware of what your audit finding categories are. You need at least one category for conformance and at least one category for non-conformance.

Most organisations have other categories as well, such as;

Opportunities for improvement - Not a non-conformance, just a suggestion that the team might want to consider but ultimately, they could take or leave that opportunity for improvement

Observations - a findings category where you are just noting that you have observed something on the day of the audit

Look at your finding categories, and how they are defined under the ISO management system standards.

The term non-conformance does have a bit of a negative connotation, but is simply defined as non-performance of one of the requirements we are auditing against.

For either a conformance or non-conformance, let’s look at how to write a statement that’s clear and concise and helps us maximise the chance that the auditees understand what the finding is.

The two critical elements that must be found in any non-conformance or conformance statement is giving reference to the requirement , and providing the evidence that demonstrates that conformance or non-conformance against that requirement.

They’re fundamental and both of those elements (the requirement and evidence) must be reflected in your conformance or non-conformance statement.

Before we dig into that too much a couple of tips;

1. Be complete but concise.

This means you need to state the requirement and you need to state supporting Evidence.

When stating these, 1 or 2 paragraphs maximum between these is enough.

If you get any further than that, such as writing two pages, the risk is the auditee will look at it and go “hang on, I’m not quite sure what we haven’t conformed with.” Or even “I’m not sure what the evidence is.”

This is particularly important with the requirements – if you have written two pages, there will be a risk that they don’t understand what they haven’t conformed with and they could go and start to take corrective action on the wrong thing.

2. Be Specific (with both the requirement and Evidence)

You need to state why exactly something is required.

A simple example:

If you have a purchasing procedure that says ‘purchase orders over $10,000 must be signed off by the general manager or above’.

You don’t just say as per purchasing procedure; you would be specific.

If that’s required by 16.1(c) of the purchasing procedure that is what you would put in there: - “As required by 16.1(c) of the purchasing procedure not all purchasing orders over $10,000 were signed off by the general manager”.

The latter half there is the tip. Use the words out of that team’s own procedure. That saves the situation where the auditee might ask “why you are making us do this?”

You can reply “No I’m not, that is what your own procedure states”.

If you are not absolutely specific, you might have a 10 – 15 page purchasing procedure, the team you have audited will pick it up and they will pick out the wrong clause and start taking corrective action on the wrong thing.

This is also a good road test for yourselves as the auditor. Particularly if you think there is potentially a non-conformance finding.

You can’t call something a non-conformance unless it is specifically required somewhere in that procedure or in the audit criteria.

I have seen auditors fall into the trap of saying “ Here’s something I think they should do in their purchasing process or here’s something they can improve”, but unless it is specifically required, and you can trace back to it, then it shouldn’t be a non-conformance statement. Maybe an opportunity for improvement if you think they could do something better.

With the evidence though, again you should be very specific. What exact purchase orders demonstrate that some of them over the required $10,000 are not signed off by the authorised person?

You need to be specific and say for example “purchase order 16 and purchase order 25.”

What you don’t want to say is “the evidence is some of your purchase orders” as they might have a big drawer or a big electronic folder of hundreds of purchase orders.

Again, you don’t want them looking through them and picking out the wrong purchase order and fixing the wrong thing.

This method is complete and concise.

When they see it expressed like that, they cannot argue about the finding, clearly it is required and clearly there is evidence. There is no wiggle room to argue, it’s pretty clear it is a non-conformance.

Take the same pattern with your conformance statements.

You can reverse that as well, you can sometimes start with evidence “Purchase orders 16 and 25 were sighted, over $10,000 not signed off by the General Manager as required by 16.1(c) of the purchasing Procedure.”

Download the ‘ Internal Audit Training – Simple’ Document template from our Resources Page under the training section at the bottom of the page.

OTHER AUDITING BLOGS:

Do you need an audit plan? (and how to create one)

How to gather OBJECTIVE audit evidence

How MUCH audit evidence is enough to draw a factual finding?

What you can do if the auditee is uncomfortable with the audit process

Video Blogs

Six Tips for Writing Effective Internal Audit Reports

Audit , Risk Advisory/Internal Audit

You’ve successfully planned and executed your audit. Now, it’s time to communicate your findings to the client, board, or committee. Here are six quick tips for writing effective internal audit reports:

Know your audience . When crafting your audit report, it’s important to remember who the end user is. How much does the audience know about the audit and the processes involved? How do they plan on using the information in the report? Are your recommendations in line with their objectives? Playing to your audience is one of the best ways to reach them quickly and effectively.
Consider Tone . Think about how you feel after reading these statements:

“The manager failed to provide the proper documentation to verify compliance with the policy.”

“Documentation was unavailable to verify compliance with the policy.”

While these two statements convey the same information, the tone and connotation of each is different. Avoid using words with negative connotations, as they can come across as aggressive. Stay away from terms like failed or neglected . The more defensive and annoyed the reader feels, the less likely they are to receive the information within the report.

Keep it simple and specific . You don’t have to use big words to express big ideas. Keep language clear and concise without “dumbing down” the report. For example, instead of using timely , be specific. Use terms like daily , monthly or quarterly instead. Readers of audit reports are often busy, so keeping things clear and to the point will allow them to quickly understand ideas without laboring through a lengthy, overdetailed report.
Remember the basics . Proper spelling and grammar go a long way, and can ultimately be more persuasive when trying to get the report reader to consider your recommendations. While this may sound like common sense, simple errors still seem to creep into documents even with the use of spell check and proofreaders . Don’t forget to give your report a triple check for spelling and grammar.
Give and take. It’s common for auditors to be considered the “bearers of bad news.” While more often than not audit reports contain findings and recommendations based on things process owners are doing wrong, it is helpful to consider communicating things they’re doing right. A little “give-and-take” will help keep a positive tone and give an overall view of the area under audit. For example, instead of only communicating that the warehouse doesn’t have proper smoke detectors, consider phrasing your finding as:

“Company ABC has improved safety procedures by installing fire extinguishers at every sector of the warehouse. However, safety procedures need enhancement as smoke detectors were not found within the warehouse.”

Visualize. People understand information in different ways. Consider utilizing charts and graphs within your report to deliver findings, recommendations and other information you want the reader to understand. Some readers may absorb information more efficiently using a visual vehicle, as opposed to a lengthy paragraph or standard bullet points.

Getting audiences to receive and truly reflect on the feedback offered in audit reports can be a challenge, but using these tips might get you one step closer to producing an effective report.

IPE 101 – Assessing Management IPE Controls and Report Risks
Holiday Spending and Budgeting
IPE 101 – Differentiating Populations and Key Reports
Subservice Organizations: Their Role and Impact on Your SOC Report

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected] .

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

Our Thoughts On

OMB Releases 2024 Uniform Guidance

Federal trade commission votes to ban noncompete agreements, the impact of accounting advisory in 2024: supplemental talent for accounting and finance needs, schneider downs construction industry group annual summit 2024, is your company prepared for the methane emissions charge, get the weekly newsletter with our most recent columns and relevant insights to you..

Government , Higher Education , Not-for-Profit
Peter Frauen

Have a question? Ask us!

Subscribe for updates.

Receive all the latest insights and industry tips.

Office Locations

One PPG Place, Suite 1700 Pittsburgh, PA 15222

65 East State Street, Suite 2000 Columbus, OH 43215

1660 International Drive McLean, VA 22102

Schneider Downs is a Top 60 independent Certified Public Accounting (CPA) firm providing accounting, tax, audit and business advisory services to public and private companies, not-for-profit organizations and global companies. We also offer Internal Audit; Technology Consulting; Software Solutions; Personal Financial Services; Retirement Plan Solutions and Corporate Finance Services. Schneider Downs is the 13th largest accounting firm in the Mid-Atlantic region and serves individuals and companies in Pennsylvania (PA), Ohio (OH), West Virginia (WV), New York (NY), Maryland (MD), and additional states in the United States with offices in Pittsburgh, PA, Columbus, OH, and McLean, VA.

Subscribe for updates!

Get the latest articles on various interest areas related to our current work.

Every moment counts. For urgent requests, contact the Schneider Downs digital forensics and incident response team at 1-800-993-8937. For all other requests, please complete the form below.

" * " indicates required fields

Jump to navigation

Get Email Updates
Vision, Mission & History
Our Programs
Board & Staff
Networking & Programs
Census Funder Collaborative
CNPE Principles & Practices
Resource Library
Foundation Dashboard
Economic Impact Report
NM Census Summary
Frequently Asked Questions
Virtual Technical Assistance
Annual Conference
Events Calendar
Find a Nonprofit
Find a Foundation or Grantmaker
Work at a Nonprofit
Volunteer at a Nonprofit
Volunteer to Join a Board

Writing Effective Audit Observations

Consequences (Effect)
Corrective Action (Recommendation)

Why should you attend this webinar?

Concise, understandable, and persuasive observations
Actionable recommendations

Areas Covered in the Session:

Criteria (Standard used for comparison of area under review)
Condition (Current status used in the comparison)
Cause (Reason that the Condition does not meet the Criteria)
Consequence (Risk if not corrected)
Corrective Actions (Action needed to manage the risk)
Exercises for each component

Search form

The Auditor

An exemplar global publication.

What are compensating controls?
Embracing nature: Climate change solutions for a healthy future
Unlocking operational excellence: The power of quality management software
How Are HACCP and SQF Used Together?
Closing the Gaps in Consumer Food Safety Knowledge and Understanding
Look in the Mirror: Are you already an Auditor?
Crucial Update to Management System Standards
The Greenhouse Effect: Counting Gases and Why It Matters
Artificial Intelligence: What It Is, How It Works and Why It Matters
The Two-Step Secret for Control Assessment

Writing Nonconformities

by Craig Cochran

The term “nonconformity” inspires fear in many people. It shouldn’t. A nonconformity is simply an opportunity for the management system to improve. It should not be viewed as an indictment of any person or group, but rather as a factual statement that drives improvement. Before we get any further, it’s helpful to provide a clear definition of what a nonconformity is. A nonconformity is the failure to meet a requirement.

It’s a short definition, but it packs a lot of power. The first thing you should notice is the prerequisite. You need a requirement before you can ever have a nonconformity. When we write a nonconformity, you always write the requirement first. It sets the tone for everything else. If you can’t find a requirement for a particular situation, then categorically you can’t have a nonconformity. You might have a concern, observation, remark, or opportunity, but it’s not a nonconformity unless it’s clearly tied to a requirement.

The second half of a nonconformity is the objective evidence. The evidence states exactly what the auditor saw, heard, read, or experienced that contradicted the requirement. The objective evidence is factual and traceable, but it is stated as concisely as possible. We can’t write a book detailing every minute thing that happened. A good auditor simply cites the evidence that fails to meet the requirement.

A child could write a clear nonconformity. It’s a simple one-two process. This is how the two halves of a nonconformity statement fit together:

Requirement: The company committed itself to doing XYZ. The commitment is a fact, evidenced by its presence in a procedure, plan, policy, specification, contract, work instruction, standard, or statement.
Evidence: The company failed to do XYZ. The failure is a fact, based on evidence such as records, observations, documents, or interviews.

No opinions are present in the nonconformity, just cold, hard facts. It’s hard to argue with facts. It also makes the audit go much smoother. Sure, facts may remove a degree of creativity that auditors exercised, but creativity is better expressed in other ways.

Writing effective nonconformities is one of the most fundamental auditing skills. Despite its fundamental nature, it is a skill that even the most experienced auditors struggle with. Here are a few keys that will help you write nonconformities as well as anybody out there.

Match the requirement with concise evidence. This is the single most important key. State the requirement and then provide the evidence that shows that the requirement was not met.
Write in complete sentences. This is what your eighth grade english teacher would have insisted on, and good auditing insists on it, also. Complete sentences, in both the requirement and the evidence, provides the customer of the audit with a complete product. This complete product is more likely to be understood, and thus more likely to be acted upon.
Include all applicable identifiers (what, who, when, where). It is critical that your evidence is fully traceable. This is achieved by including all identifiers: what the nonconformity was, who was involved, when it happened, where was it located, and how much was involved. This builds credibility in the evidence and allows the auditee to know exactly what needs to be done to remedy the situation. The only identifier that is not clearly stated are people’s names. We use job titles in the evidence, because we want to remind everybody involved that the audit is about the process, not people.
Use an economy of words. Writing a nonconformity is a balancing act. We need to include all identifiers, but we need to use an economy of words. As Shakespeare said, “Brevity is the soul of wit.” Not only is brevity the soul of wit, but it helps drive understanding. Ironically, including more words rarely increases anybody’s understanding of what you’re trying to communicate. Keep your nonconformity statement nice and tight. If you can remove a few words, while still communicating the essential message, then by all means do it.
State the facts, not your opinions. The audit is about facts. There is no need to editorialize as part of the evidence. This happens when the auditor tries to explain why the nonconformity is harmful or what the effects could be. This is not necessary. Just state the evidence and no more.

Here is an example of a well written nonconformity:

Requirement: SOP #QOP-32, revision 3, states in section 6.5 that employees must wear white gloves when handling finished product.

We state exactly where the requirement comes from. In this case, it’s a procedure written by the organization being audited. We provide the procedure number, revision, and even the section. Some auditors also include the procedure name, and this can add value too. Once we say where the requirement comes from, we state exactly what the requirement is. We don’t paraphrase it or get creative, we repeat the requirement word for word.

Evidence: The auditor observed two employees in the warehouse handling finished product without white gloves.

The language in the evidence mimics the language in the requirement. The organization committed to wearing white gloves when handling finished product, but the auditor observed two people not wearing white gloves. Cut and dry.

Here is an example of a poorly written nonconformity:

Requirement: All products must be identified.

There is no traceability to this requirement. Where did it come from? There is a similar requirement in ISO 9001:2015, but that source is not referenced. Always cite where the requirement is coming from, and never paraphrase it. It is permissible to add ellipsis (…) if the requirements is taken from a long passage and the entire section is not needed.

Evidence: Returned goods were missing the nonconforming materials tags, which greatly increases the chance of accidentally shipping bad material.

This evidence has a lot of problems, most of which can be summarized by saying the evidence is not traceable. Firstly, there’s no indication of where the returned goods were located. The returned goods are also not identified in any unique way. The quantity of returned goods is also not indicated—there could be two or 200, it’s not clear. Finally, the auditor included a lot of editorial opinion at the end of the evidence. This opinion is not needed and only serves to inflame the auditee. Stick to the facts when you write evidence and make sure the facts are fully traceable.

Auditors are held to a higher standard

It’s tempting to just say “Who cares?” when it comes to writing clear and correct nonconformity statements. After all, the rest of the world writes in a very informal manner. Grammar, correct spelling, and proper usage all seem optional these days. As long as the auditee understands what I’m talking about, it’s okay, right? Wrong answer. Auditors must produce a polished and professional product. Everything you write, say, and do is being scrutinized constantly by the auditee. Not in an attempt to disparage you, but simply to ensure that audit is credible. The output of the audit that gets the most attention are nonconformity write-ups. Even though nonconformities are not aimed at any particular person in an organization, auditees are still keenly aware that they represent failings of a sort. A requirements was established, but we weren’t able to meet it. Because of the high profile of nonconformities, they need to be written very well.

If you’re auditing with another person or as part of a team, make sure to have someone else review your nonconformity write-up. This is usually the role of the lead auditor, but really any set of trained eyes are helpful. Any rework that is necessary should be performed by the auditor who originally wrote the nonconformity. Recognize also that sometimes the answer is not reworking the nonconformity, it’s ripping it up. These are the conditions that usually result in a nonconformity being removed and not being provided as part of the final report:

Requirement does not actually exist
Requirement exists, but it’s outside the scope of the audit
Evidence is not traceable and it’s too late in the audit to gather the details
Evidence relies on hearsay, rumors, or second/third hand information
Auditee has presented evidence (after the original interview) that shows the requirement was met

This is a good time to address findings that fall outside the scope of the audit. They could be in a department/process that is not officially being audited, or they could be against a standard that is not being used in the present audit. For instance, we see something happening in the warehouse that constitutes a nonconformity, but the warehouse is not part of the audit. Or the auditors observe a safety violation, but the audit is against ISO 9001 and safety is not included. In these cases it is usually of verbally reporting the finding to your contact within the auditee organization. Verbally report it, mention that it is officially outside the scope, and ask him/her if they would like you to include it in the report. If they say “no,” then you don’t include it. The scope of the audit is almost a contract, and you don’t intentionally audit outside the scope or report findings that are outside the scope. It’s perfectly fine to make a note of the issue and follow up the next time there is an audit that includes that topic.

About the author

Craig Cochran is the North Metro Regional Manager with Georgia Tech’s Economic Development Institute. He has assisted more than 5,000 companies since 1999 in QMS implementation, problem solving, auditing, and performance improvement. Cochran is a Certified Quality Manager, Certified Quality Engineer, and Certified Quality Auditor through the American Society for Quality. He is certified as a QMS Lead Auditor through Exemplar Global.

He is the author of numerous books, including ISO 9001:2015 in Plain English , published by Paton Professional . His latest book, Internal Auditing in Plain English , from which this article was excerpted, was released in late 2016.

2 Responses

Hi Craig Thank you for a very well written article and explanation. Unfortunately some auditors hand-out NCRs like lollies and leave the client very confused. I have previously read your ISO 9001:2015 ABC book and found that to be really useful in explaining the basics. It’s what people want. I have recommended it to several people here in Australia and likewise they have found it to be very helpful. Any plans for an ABC book for 14001 and 45001? Regards David Page

This guidance is fine when there are hard and fast requirements like those listed above as examples. How does one write a nonconformance on the more subjective management requirements in the latest version of ISO 9001, such as those listed in section 5 of the standard, and how does the auditee respond? I can easily see addressing the relative effectiveness or maturity of the processes, but this is a different thought process. Thanks.

Early release prison scheme causing 'high-risk' offenders to be let out, new report finds

The findings, part of a wide-ranging inspection at Lewes prison in February, found that some prisoners who are being released under the scheme are a "risk to children" and "had a history of stalking, domestic abuse, and being subject to a restraining order".

By Mollie Malone, news correspondent

Tuesday 14 May 2024 00:25, UK

TUESDAY MAY 14 File photo dated 29/04/13 of a general view of a Prison. Dangerous criminals including a domestic abuser who posed a risk to children have been freed from jail early as part of a Government bid to cut overcrowding, a watchdog has warned. Issue date: Tuesday May 14, 2024.

An early release prison scheme, used to free up space in jails across England and Wales, is causing "high-risk" offenders to be let out, some of whom are a "risk to children", according to a new report.

The examination of HMP Lewes, by the chief inspector of prisons, found that "safe risk management" is being undermined.

The findings, published on Tuesday, were part of a wide-ranging inspection at the East Sussex prison in February, but some similar problems were highlighted in a parallel report into Chelmsford prison published last week.

The government says that those guilty of serious crimes, such as terrorism or sexual offences, plus those serving sentences of more than four years, are not eligible for early release.

But this inspection at Lewes found an example of a prisoner who had their release date brought forward under the early release scheme despite deeming him a "risk to children" and "having a history of stalking, domestic abuse, and being subject to a restraining order".

Another example cited a "high-risk prisoner with significant class A drug misuse issues" being released without a home.

"This release took place despite appeals for the decision to be reversed and staff having serious concerns for his and the public's safety," it said.

More on Prisons

Angela Constance at the Scottish Parliament in in Edinburgh, after MSP John Swinney became the first candidate to declare his bid to become the new leader of the SNP and Scotland's next first minister.Picture date: Thursday May 2, 2024.

Scottish government seeking to release prisoners early amid soaring numbers

'High risk' prisoners 'let out of jail' under early release scheme - despite PM assurance

Daniel Abed Khalife escaped from Wandsworth prison

Wandsworth prison needs 'urgent improvement' eight months on from alleged Daniel Khalife escape, watchdog says