Reporting recommendations and findings is crucial to the audit plan. Recommendations answer the question, “How should we fix this problem?” They should address the condition as well as the cause.
Recommendations are based on the internal auditor’s observations and conclusions. They call for action to correct existing conditions or improve operations and may suggest approaches to correcting or improving performance as a guide for management in achieving desired results.
Recommendations can be general or specific. For example, under some circumstances, the internal auditor may recommend a general course of action and specific suggestions for implementation. In other circumstances, the internal auditor may suggest further investigation or study.
Reporting Recommendations and Findings
In practice, recommendations should adhere to the SMART principle as shown below:
- Specific recommendations outline exactly what the organization should aim to accomplish.
- Measurable recommendations can be evaluated to determine whether they have been accomplished.
- Action-oriented recommendations specify the actions that the organization will be able to take.
- Relevant recommendations relate to the nature of the organization, and they are attainable.
- Time-based recommendations specify the time frame for accomplishing the recommendations.
The internal auditor should go through a logical, thorough process and analyze the recommendations before issuing a report. Basic considerations include (but are not limited to) the following two questions.
- Will the recommendations address the root cause?
- Are the costs realistic in terms of the expected benefits?
The audit client’s management won’t always agree with, or want to act upon, the auditor’s recommendations. As part of the internal auditor’s discussions with the engagement client, the internal auditor obtains agreement on the results of the engagement and on any necessary plan of action to improve operations. If the internal auditor and engagement client disagree about the engagement results, the engagement communications state both positions and the reasons for the disagreement. The engagement client’s written comments may be included as an appendix to the engagement report, in the body of the report, or in a cover letter.
When making recommendations, the auditor should disclose any conflicts of interest such as previous work with the client.
The internal auditor is specifically enjoined not to take on responsibilities that rightly belong to management because doing so threatens the auditor’s objectivity. This is particularly true in consulting engagements since the auditor may have been called specifically to give advice based on research into a particular problem. This could be whether to accept a particular contract, how to develop a new software system, or whether a particular company is a good takeover target.
Once a consulting auditor feels some sense of responsibility for the actions based upon audit recommendations, the auditor’s objectivity for any future assurance audit comes into doubt. Internal auditors should maintain their objectivity when drawing conclusions.
Recommendations are not commands, merely options, and the auditor should not deliver a recommendation as if it were the only possible course of action. The manager generally has a broader view of the possible consequences of acting upon a recommendation than the auditor. Working jointly with the manager to agree on a corrective course of action improves the relationship. The manager will look better to superiors if the audit report states that recommendations were developed after discussion with the manager.
The internal auditor should consider the relationship between the cost of a recommended action and the benefit to the organization. Some actions must be taken regardless of the cost to bring the organization into compliance with a law or regulation.
The final presentation to the client no longer requires a written document. Many auditors present their conclusions and recommendations in a PowerPoint presentation.
The format and content of the engagement’s conclusions may vary with the type of organization and engagement but should include at least sections describing the purpose, scope, and results of the engagement.
Purpose of the engagement: A precise statement of the purpose of the engagement can provide coherence to the rest of the report and make it easier to read and discuss. Presentation of the audit findings should always be related to the audit’s objective.
Scope of the engagement: The scope statement may be combined with the objective. It identifies the activities audited. It may also specify activities excluded from the audit.
Audit methods: This may or may not be a separate section. A separate section is often merited if new methodologies or technology are being used or if the work of other bodies (internal or external) provides a substantial basis for the work.
Results: The results section should include observations, conclusions, opinions, recommendations, and action plans. Some complex reports may be preceded by an observations summary, perhaps in a table format that identifies and describes specific observations that will be discussed in the body of the report. Minor observations may be put in a separate section.
Recommendations: This may be a separate section if recommendations are general and not tied to specific observations.
Final communications may also include other, optional, sections such as:
Background information: Background information may describe the organization and the activities to be reviewed along with the results and status of previous audits of the same activities.
Summaries: A summary can be a useful memorandum accompanying the full report when it is provided to an executive in the organization. Executives may want to know the overall results of each audit in their area of concern but not have time to read full reports.
Client accomplishments: The final communication may include descriptions of improvements the client has made in response to a previous audit.
Client views: The report may include the client’s views on the engagement’s conclusions and recommendations. Disagreements between the client and the internal audit activity may require intervention from an executive. The client’s written comments may be included in an appendix or cover letter.
The report must be signed by the internal auditor authorized by the CAE. A signed version of the report must be kept on file by the internal audit activity.
Writing a Quality Report
When drafting a report, communications must be accurate, objective, clear, concise, constructive, complete, and timely.
The main characteristics of an effective report include the following:
- An organization that is easily understood and followed,
- Constructive tone, and
- Good mechanics (such as spelling, punctuation, grammar, and word choice).
Five common logical patterns that can be used to organize complex content are:
- Chronological: Observations are described in the order in which they were recorded.
- Topical: Similar observations are grouped under headings such as personnel training, contracting terms, and conditions.
- Comparative: Observations are compared to specific policies such as a requirement for management signatures on certain financial transactions.
- Cause and effect: Observations are grouped by similar causes or effects. For example, lapses in physical security could be discussed with other observations caused by a lack of management control over policies and procedures.
- Spatial: This can reflect both geography and organizational structure. In an audit covering multiple locations, observations can be grouped by unit or office. Problems affecting only certain groups may merit their own sections, such as subcontractor behavior or warehouse issues.
Tools—like headings, topic sentences, and bulleted lists—can all assist the reader to comprehend the content more quickly and easily.
The reading ability of the audience in the language of the report should be considered as well as their familiarity with the business processes being described.
A reader’s ability to understand the “message” of the report could be affected by:
- Sentence length and grammatical complexity.
- Word choice. Common terms are preferable to jargon or specialized language (and acronyms and abbreviations) that can be understood only by experts in the field.
Summaries should be used as necessary, providing an understanding of the main point first and then allowing the reader to pursue more details in the following text. A more formatted organization, such as a table with consistent headings, can be used to avoid repeating similar information.
The tone of the report should be objective—not overwhelmingly positive or negative but balanced, not alarmist but focused on responses, not assigning blame but focused on solutions. Tone is a hard thing to master, as witnessed by the many misunderstandings and conflicts fueled by e-mails that were not reread for tone before being sent. Some writers are good self-editors, but most writers benefit from having someone else review and comment on matters such as tone.
Auditors are experts in auditing, not necessarily in the mechanics of writing. Auditors should improve their writing skills, and this can be part of a personal development program. Until this happens, an auditor assigned to write a report should find someone in the activity who can fulfill this role and ask them to review report drafts before they are shared outside the activity. The credibility of a good report can be undermined by poor mechanics that may convey to a reader a certain carelessness and a lack of attention to, and value for, detail.
Avoid an Adversarial Tone
Whatever the format of the presentation, however, its chances of success can be enhanced by taking care to avoid creating an adversarial atmosphere. A few “soft skill” suggestions in that regard are:
- Assume that the auditor and client are on the same side as partners looking for the best ways to achieve the organization’s objectives. History is not necessarily on your side; the traditional relationship between auditor and client has not always been a happy one. Break this tradition.
- Always begin at a general level rather than launching immediately into detailed findings. Show that you’ve grasped the nature of the operation, its overall mission, and its special challenges.
- Put the most positive findings first.
- In so far as possible, present negative findings as opportunities for improvement, but don’t overdo it. Nothing is less persuasive than a falsely positive presentation.
- Be sure to emphasize the “effects” aspect of findings—what consequences loom down the road if changes aren’t made.
- Don’t simply stop talking; conclude. Summarize the results with an emphasis on action steps the client can take.
Approve the Engagement Report
The chief audit executive or a designee should review and approve the final engagement communication before it is issued and should decide who should receive it.
The auditor-in-charge, supervisor or lead auditor may be considered as the proper person to sign on behalf of the CAE. In large, international organizations, requiring the CAE’s signature on all final communications might cause delays.
However, the chief audit executive maintains responsibility for communicating the results of an engagement. In many organizations, the CAE signs the final report before distribution as a sign of commitment to the quality of audit work.
Determine Distribution of the Report
The CAE bears responsibility for communicating results to individuals who can ensure that the results are given due consideration.
The report should go to those in a position to take corrective action, for example, management of the audited area or operation, senior management, or associated functions that may be affected by or can support recommended action plans. Communications may also go to external auditors, the board, and others who are affected by or interested in the results. If substantive corrections must be made to a report after it has been distributed, the CAE should issue a new report that highlights the changes and see that it is distributed to all recipients of the original report.
Obtain Management Response to the Report
Having gone to the trouble of researching and assembling the findings and recommendations, the audit activity would naturally like to see them acted upon.
The management of the audit client may be engaged in discussions of draft versions of observations and recommendations. At this stage, the client can clear up misunderstandings and react to the findings while there is time to collaborate on revisions.
The participants in these discussions will generally be “individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective action.”
In other words, if you can get early agreement on the recommendations from the people who can effect changes in the client’s operations, you have a much better chance of getting the final report acted upon.
Report Outcomes to Appropriate Parties
The CAE should ensure that appropriate parties receive the type of information appropriate to their interests and, for external parties, a level and scope of information that protects the organization’s proprietary interests and well-being.
Reports of improper or illegal actions should be made separately to senior management and the board or the board alone if the actions involve senior management. Internal auditors may consult legal counsel in matters involving legal issues. The report may be considered privileged information under local law.
Before releasing reports to parties outside the organization, the CAE should assess potential risks to the organization and obtain approval from senior management, legal counsel, or both.
The release of consulting reports should be consistent with the organization’s established practices. Because of the nature of the activities that internal auditing helps to evaluate, many organizations allow only limited distribution of consulting reports.
The CAE may customize the distribution of reports. For example, with their agreement, the CAE may distribute only the general summary of the report to senior management and the board who may not be as interested in audit methodology as in the audit results. Related functions may receive only those portions of the report that affect their relationship with the audited area.
Senior management and boards are often well served by receiving multi-report summaries. Multi-report summaries include the results of multiple engagements that have focused on similar observations or trends such as a decrease in the coordination of units in a business process or a cross-functional deterioration in the effectiveness of quality controls. These reports do not describe all the work done by the internal audit team but only the results of audit work.
The qualitative and quantitative analyses yield results. Following the outline established in the field guide, findings are typically divided into sections by technical area. Make a point of emphasizing gender-related findings. Furthermore, be prepared for new or unexpected findings, as these may necessitate changes to the original outline. Every assessment report includes a description of the private health sector, also known as the private sector “landscape.” While the information can be presented in a variety of ways, it is helpful to have a visual graphic to illustrate the myriad actors and organizations.
Recommendations are arguably the most important part of the analysis phase because they propose specific interventions or strategies to address the issues and constraints identified in the assessment.