The result of the audit. Information on the results of the audit The results of the audit are drawn up

At the end of the audit and before drawing up the auditor's report, the auditor informs information obtained from the audit, the management of the audited entity and representatives of its owner.

Information is information that has become known to the auditor, which, in the auditor's opinion, is simultaneously important for the management and representatives of the owner of the audited entity when they exercise control over the preparation of reliable financial (accounting) statements of the audited entity and disclosure of information in it.

The information obtained by the auditor is audit secrecy and cannot be shared with anyone. Therefore, the primary task is to determine the circle of persons from among the management and representatives of the owner. It is advisable, by agreement with the audited organization, to determine the person to whom the information is transferred. To avoid the following can be specified in the audit contract:

  • 1) the form in which the information will be communicated is indicated;
  • 2) the proper recipients of the information are determined;
  • 3) specific audit issues are identified, information on which will be provided.

Information that should be communicated to the management of the audited entity and representatives of its owner is not strictly defined, but this information should be important and, as a rule, should reflect:

  • - the general approach of the auditor to the audit and its scope, the impact of accounting policies;
  • - disclosure of risks affecting reporting (for example, litigation);
  • - significant adjustments to the financial (accounting) statements proposed by the auditor, both made and not carried out by the audited entity;
  • - significant uncertainties related to events or conditions that may significantly call into question the ability of the audited entity to continue as a going concern;
  • - disagreements between the auditor and the management of the audited entity on issues that, individually or in the aggregate, may be significant for the financial (accounting) statements of the audited entity or the auditor's report. The information provided in this regard should include an explanation of the importance of the issue and information about whether the issue has been resolved or not;
  • - Proposed modifications to the auditor's report;
  • - other issues that deserve the attention of the owner (for example, significant - shortcomings in the field of internal control, issues related to the integrity of the management of the audited entity, as well as cases of unfair management actions);
  • - issues, coverage of which is agreed by the auditor with the audited entity in the contract for the provision of audit services.

Auditor also should inform appropriate recipients of information that:

  • The information provided by the auditor includes only those matters that have attracted the auditor's attention as a result of the audit;
  • - audit of accounting (financial) statements is not aimed at identifying all issues that may be of interest to the management of the audited entity.

Information should be provided in a timely manner. Terms of submission are determined by agreement of the parties and, as a rule, are prescribed in the contract. However, if it is necessary to resolve an urgent issue, the auditor can report it earlier than it was previously agreed.

Information can be transferred: 1) in writing; 2) orally. The auditor independently decides on the form of information transfer. The main criterion is an importance... An audit involves the transfer of critical information in writing to avoid disputes with the management of the audited entity. When communicating orally, the auditor should document the information and the recipients' responses to it in the working papers. Such documents may take the form of copies of the minutes of the discussions held by the auditor with representatives of the owner and the management of the audited entity. In some cases, it is advisable for the auditor to obtain written confirmation from the representatives of the owner and management of the audited entity with respect to any oral communications on audit matters of interest to the management of the audited entity. The auditor should analyze whether any information obtained from the results of the previous audit can be important for expressing an opinion on the reliability of the accounting (financial) statements of the current year. If the auditor concludes that such information is of interest to the management of the audited entity, he may decide to re-communicate it to the representatives of the owner of the audited entity. Thus, the most important information should be provided in writing, regardless of any prior agreements with representatives of the auditee. Otherwise, additional disputes may arise regarding the correct understanding of the information provided. Written information eliminates all contradictions and is the most significant in disputes.

The order, form and composition of information provided to the client depends on the type of audit work. If a statutory audit is carried out, the auditor must report information to the management and representatives of the owner of the audited entity in accordance with the requirements of Federal Rule (standard) No. 22 "Communication of information obtained from the audit results to the management of the audited entity and representatives of its owner."

Information- this is information that has become known during the audit of financial statements, which, in the auditor's opinion, are simultaneously important for the management and representatives of the owner of the audited entity in exercising control over the preparation of the financial statements of the audited entity and disclosure of information in it. The information includes only those matters that have caught the attention of the auditor. He is not obliged during the audit to develop procedures specifically aimed at finding information that is relevant to the management of the auditee.

The auditor determines who is the proper recipient of information from the audit results from among the management and representatives of the owner of the audited entity. TO management of the audited entity includes those responsible for the day-to-day management of the audited entity, as well as the implementation of financial and business operations, accounting and preparation of financial statements. By representatives of the owner of the audited entity are persons or collegial bodies that carry out general supervision and strategic management of the audited entity, and in accordance with the constituent documents can control the current activities of its management, including the appointment or dismissal of representatives of senior management.

To determine the persons who need to communicate information, the auditor relies on his own professional judgment, taking into account the management structure of the audited entity, the circumstances of the audit engagement and the specifics of the legislation of the Russian Federation, as well as taking into account the rights and obligations of the relevant persons. If, based on the characteristics of the audited entity, the auditor cannot determine who is the proper recipient of the information, then he needs to agree with the client to whom the information should be communicated.

The auditor should review the information and communicate the information of interest for the management of the audited entity to its appropriate recipients. Such information includes:
  • The auditor's general approach to the audit and its scope, communication of any restrictions on the scope of the audit, and comments on the appropriateness of any additional requirements of the auditee's management;
  • the choice or change by the management of the audited entity of the principles and methods of accounting policies that have or may have a significant effect on its financial statements;
  • possible impact on the financial statements of the audited entity of any significant risks and external factors that should be disclosed in the financial statements;
  • the auditor's proposed significant adjustments to the financial statements, both made and not made by the audited entity;
  • material uncertainties about events or conditions that may significantly cast doubt on the ability of the auditee to continue as a going concern;
  • disagreements between the auditor and the management of the audited entity on matters that, individually or in the aggregate, may be significant to the financial statements of the audited entity or the auditor's report, and information on the resolution of the disagreements;
  • proposed modifications to the auditor's report;
  • other issues that deserve the attention of the representatives of the owner;
  • issues, coverage of which is agreed by the auditor with the audited entity in the audit contract.
The appropriate recipients of the information should be informed by the auditor that:
  • information is provided only on those issues that attracted the attention of the auditor;
  • an audit of financial statements is not aimed at finding information that is of interest to the management of the audited entity.

The information should be received from the auditor in a timely manner, which allows the relevant persons of the auditee to take appropriate action promptly. To do this, it is necessary to discuss with the representatives of the audited entity the procedure, timing and principles for communicating information.

Information can be communicated orally or in writing. The decision in what form to present information is influenced by:
  • size, structure, organizational and legal form and technical support of the audited entity;
  • the nature, importance and characteristics of information obtained from the results of the audit, which is of interest for the management of the audited entity;
  • existing agreements between the auditor and the audited entity regarding regular meetings or reports;
  • the forms of interaction with representatives of the owner and management of the audited entity adopted by the auditor.

If information is communicated orally, then the auditor needs to document this information in the working papers and the reactions to it of the recipients of the information.

The auditor has the right to preliminary discuss with the client's management issues of interest for the management of the audited entity. If the management of the audited entity intends to independently transfer information of interest for the management of the organization to the representatives of the owner, then the auditor does not have to re-communicate such information.

Any written information is not a substitute for a modified auditor's report.

In a recurring (agreed) audit, the auditor should analyze whether any information obtained from the previous audit is relevant to the reliability of the financial statements of the current year, and decide to re-communicate information of interest to the management of the audited entity.

The auditor is obliged to comply with the requirement of confidentiality with respect to information obtained from the audit results.

When providing related services to the audit, conducting an initiative audit, agreed procedures, the auditor provides the client with a report as agreed by the parties. The audit organization can determine in the internal standards the list of documents, composition, content and procedure for their provision to the client based on the results of the work performed.

In accordance with Federal Standard No. 22, information is information that became known to the auditor during the audit of accounting (financial) statements, which, in the auditor's opinion, are important for the management and (or) representatives of the owner of the audited entity when they exercise control over the preparation of reliable financial statements the audited entity and the disclosure of information in it, the effectiveness and efficiency of business operations and the efficient use of resources, as well as the compliance of the audited entity's activities with the regulatory legal acts of the Russian Federation. The information includes only those matters that have come to the attention of the auditor as a result of the audit.

The auditor is not obliged during the audit to develop procedures specifically aimed at finding information relevant to the management of the audited entity.

The auditor must communicate information to the management and (or) representatives of the owner of the audited entity.

Management of the audited entity - persons responsible for the day-to-day management of the audited entity, as well as the implementation of business operations, accounting and preparation of financial (accounting) statements (for example, the general director, chief accountant, etc.).

Representatives of the owner of the audited entity - persons or collegial bodies that exercise general supervision and strategic management of the audited entity, and in accordance with the constituent documents can control the current activities of its management, including the appointment or dismissal of senior management representatives.

The auditor should identify the appropriate recipients of information from among the management and representatives of the owner of the audited entity.

The organizational structure and principles of corporate governance may be different for different audited entities. This complicates the task of determining the circle of persons to whom the auditor communicates information of interest for the management of the audited entity. The auditor relies on his own professional judgment to determine those persons to whom the information should be communicated, taking into account the management structure of the audited entity, the circumstances of the audit engagement and the specifics of the legislation of the Russian Federation. The auditor should take into account the rights and obligations of the persons concerned.

For example, in audited entities that have a board of directors and an audit committee, both of these bodies or one of them may be appropriate recipients of information.

If the management structure of the audited entity is not clearly defined or the representatives of the owner cannot be clearly defined in accordance with the terms of the engagement or in accordance with the legislation of the Russian Federation, then the auditor comes to an agreement with the audited entity as to whom the information should be disclosed to.

To avoid misunderstandings in the audit contract, it may be clarified that the auditor will only disclose information of management interest to which he or she draws attention as a result of the audit, and that the auditor is not required to develop audit procedures specifically aimed at finding information that has importance for the management of the audited entity. The contract for the provision of audit services may also:

  • a) indicate the form in which the information will be communicated;
  • b) the appropriate recipients of the information are identified;
  • c) identify specific audit issues of interest to the management of the audited entity, in relation to the communication of information about which an agreement has been reached.

Communication of information will be more effective in establishing a constructive working relationship between the auditor and management or representatives of the owner of the audited entity. These relationships should be developed in accordance with the requirements of professional ethics, independence and objectivity.

The information provided by the auditor to the management of the audited entity and (or) representatives of its owner, as a rule, reflects:

  • a) the auditor's general approach to the audit and its scope, the auditor's concerns about any restrictions on the scope of the audit, and comments on the appropriateness of any additional management requirements of the auditee;
  • b) the choice of accounting policy or its change by the management of the audited entity, which has or may have a significant impact on the financial statements of the audited entity;
  • c) the possible impact on the financial statements of the audited entity of any significant risks and external factors that should be disclosed in the statements (for example, legal proceedings);
  • d) significant adjustments to the financial statements proposed by the auditor, both made and not carried out by the audited entity;
  • e) significant uncertainties related to events or conditions that may significantly call into question the ability of the audited entity to continue as a going concern;
  • f) disagreements between the auditor and the management of the audited entity on issues that, individually or in the aggregate, may be significant for the financial statements of the audited entity or the auditor's report. The information provided in this regard should include an explanation of the importance of the issue and information about whether the issue has been resolved or not;
  • g) proposed modifications to the auditor's report;
  • h) other issues that deserve the attention of the owner's representatives (for example, significant shortcomings in the field of internal control, issues related to the business reputation of the management of the audited entity, as well as cases of management fraud);
  • i) issues, the coverage of which is agreed by the auditor with the audited entity in the contract for the provision of audit services.

The auditor must inform the representatives of the owner about the adjustments not corrected by the audited entity, proposed by the auditor during the audit, recognized by the management of the audited entity as insignificant, individually or in aggregate for the financial statements as a whole.

Unfulfilled adjustments, which are reported to the representatives of the owner, should not be lower than the selected value of the materiality level.

The auditor should also inform the appropriate recipients of the information that:

  • a) the information provided by the auditor includes only those matters that have attracted the auditor's attention as a result of the audit;
  • b) the audit of financial statements is not aimed at identifying all issues that may be of interest to the management of the audited entity.

The auditor should communicate information in a timely manner so that representatives of the owner and management of the audited entity are able to promptly take appropriate action.

In order to communicate information in a timely manner, the auditor should discuss with the representatives of the owner and the management of the audited entity the procedure, principles and timing of the communication of such information.

In certain cases, due to the need to resolve an urgent issue, the auditor may report it earlier than previously agreed.

The auditor may communicate the information to the appropriate recipients orally or in writing. The auditor's decision on whether to communicate information orally or in writing is influenced by:

  • a) the size and complex structure, organizational and legal form and technical support of the audited entity;
  • b) the nature, importance and characteristics of the information obtained as a result of the audit, which is of interest for the management of the audited entity;
  • c) existing agreements between the auditor and the audited entity regarding regular meetings or reports;
  • d) the forms of interaction with representatives of the owner and management of the audited entity adopted by the auditor.

If information of interest to the management of the auditee is communicated orally, the auditor should document that information and the recipients of the information in the working papers. Such documents may take the form of copies of the minutes of the discussions conducted by the auditor with representatives of the owner and management of the audited entity. In some cases, depending on the nature, importance and characteristics of the information, it is advisable for the auditor to obtain written confirmation from the representatives of the owner and management of the audited entity regarding any oral communications on audit matters of interest to the management of the audited entity.

As a rule, the auditor preliminarily discusses with the management of the audited entity the audit issues of interest to the audited entity, except for those matters that call into question the competence or business reputation of the management itself. Preliminary discussions with the auditee's management are essential to clarify facts and issues, and to enable the auditee's management to provide additional information. If the management of the audited entity agrees to independently (without the participation of the auditor) communicate information of interest to the management of the audited entity to the representatives of the owner, then the auditor may not need to re-communicate this information, provided that the auditor is satisfied with the effectiveness and appropriateness of the communication of such information.

If the auditor believes that it is necessary to modify the auditor's report, then any other written information provided by the auditor to the management or representatives of the owner of the audited entity cannot be considered as an appropriate substitute for the modified auditor's report.

The auditor should analyze whether any information obtained from the previous audit may be relevant to the reliability of the financial statements of the current year. If the auditor concludes that such information is of interest to the management of the audited entity, he may decide to re-communicate it to the representatives of the owner of the audited entity.

The auditor is obliged to comply with the requirements of the legislation of the Russian Federation and the Code of Ethics of Auditors of Russia in relation to the confidentiality of information obtained as a result of the audit. In some cases, potential conflicts between the auditor's ethical and legal obligations with respect to confidentiality and reporting requirements can be complex. In this case, it is advisable for the auditor to obtain legal advice.

In all cases of statutory audit, audit organizations, according to their obligations, must prepare and provide the addressee with written information (report) of the auditor to the management (owners) of the audited entity based on the results of the audit (Federal Standards No. 3, 12, 22, 23, etc.) ...

The audit team leader is responsible for the accuracy, completeness and reliability of the final audit report. Adhering to the order of immediate reporting, then the effectiveness of the audit, the speed and accuracy of the completion of corrective actions is significantly increased.

The audit report should contain a complete, accurate, concise and clear description of the audit and, in accordance with audit procedures, include:

  • audit objectives;
  • the scope of the audit, the identification of the organizational and functional units or processes where the audit took place, and the period of time when the audit took place;
  • information about the customer of the audit;
  • information about the audit team and representatives of the auditee involved in the audit;
  • the dates and locations of the units audited;
  • audit criteria;
  • audit observations;
  • conclusion on the results of the audit;
  • conclusion on the degree of compliance with the audit criteria.

The audit report may also include:

  • audit plan;
  • a summary of the audit process, including uncertainty and / or other obstacles that may reduce the reliability of the audit conclusion;
  • confirmation that the audit objectives have been achieved for this audit area in compliance with the audit plan;
  • a list of all non-audited areas within the audit scope;
  • a summary of the audit report and key audit findings for management purposes;
  • any unresolved conflicts between the audit team and the auditee;
  • opportunities for improvement, if provided for by the audit objectives;
  • strong areas and identified best practices;
  • agreed action plans based on audit results;
  • confidentiality issues;
  • the mailing list of the audit report.

The report should not include minor deficiencies that are discovered and corrected during the audit (information about these deficiencies should be retained in the auditor's records in case of repeated audits).

The issue of the effectiveness of quality audits (both external and internal) is of particular importance to the organization. In our opinion, one of the criteria for the effectiveness of internal audit should be a systematic reduction of inconsistencies identified during audits. Another criterion for the effectiveness of the internal audit process may be the number of recommendations for improvement made by auditors during the audit process.

The audit report is drawn up within the agreed time frame, approved and sent to the recipients specified by the customer in the audit plan. It should be remembered that the report is the property of the audit client, therefore the necessary confidentiality requirements must be observed. The materials of the audit are completed in a special case under the appropriate registration number. The audit file is kept for the period established by the documents of the CM K organization. The experience gained during the audit process should be used to continually improve the auditee's QMS.

An audit is considered complete when all activities included in the audit plan have been completed. Corrective, preventive and improvement actions carried out following the audit results in accordance with ISO 19011: 2011 are not considered as part of the audit and are undertaken by the auditee within the agreed time frame. Correction and corrective actions are carried out after the detection of a nonconformity. Correction is an action aimed at eliminating a detected nonconformity (for example, replacing nonconforming products with appropriate products or replacing an outdated procedure with an updated one). Corrective action is action to eliminate the cause of a detected nonconformity, i.e. it cannot be undertaken without identifying the reasons for the nonconformity.

There are many methods for determining the cause of a mismatch (from simple brainstorming to more complex, systemic problem-solving methods). The auditor should be familiar with these problem solving tools. The depth and effectiveness of corrective action depends on identifying the true cause of the nonconformity. In some cases, this will help the organization identify and resolve similar inconsistencies in other areas.

In reviewing the organization's response to a nonconformity, the auditor should confirm that the organization has documentation and objective evidence for correction, cause analysis and corrective action, is appropriate, and is prepared prior to making the auditor's judgment. The following important elements should be considered during the analysis:

  • a report on the actions taken (whether it is clear and concise);
  • a description of the actions (whether they are thorough and whether they are accurately directed to specific documents, procedures);
  • whether they are stated in the past tense as an indication that the actions taken have been completed;
  • Completion date of corrective actions (dates indicating a past period indicate that corrective actions have been taken; dates indicating future actions are not good practice);
  • Objective evidence that corrective actions are fully and effectively implemented and performed to the extent described by the organization. An effective corrective action should prevent the reoccurrence of the nonconformity by eliminating its causes. Corrective action should not be confused with warning action.

action, and these actions should not replace each other. Preventive action does not apply to an already detected nonconformity. However, an analysis of the causes of detected nonconformities can identify potential nonconformities in other areas of the organization and provide an input for preventive action.

The algorithm for checking the implementation of corrective actions is shown in Fig. 27. The fact of the implementation of corrective actions and their effectiveness must be confirmed in the manner prescribed by the organization's standard for conducting QMS audits.

The audit of corrective actions is fairly obvious and well designed, since the results and effectiveness of these actions are usually well defined (if the organization has already identified a nonconformity, it is not particularly difficult for the auditor to evaluate the actions of the organization, check whether plans are being drawn up and whether these actions are effective in avoiding repetition of the mismatch). Auditing preventive actions is usually more complex.

GOST standard ISO 9001: 2011 requires an organization to develop a documented procedure for preventive action. The combination of documented procedures for corrective and preventive actions into one procedure in the QMS is permissible, but not recommended from the standpoint of the special importance of preventive

Rice. 27.

actions to improve the QMS K. When these procedures are combined, the auditor should check that the organization really clearly understands the difference between corrective and preventive actions. In most Russian organizations, these procedures, unfortunately, are combined, and the corrective actions are described in sufficient detail, and the warning ones are indicated only in outline.

The auditor should seek objective evidence that:

  • the organization analyzes the causes of potential nonconformities (uses cause and effect diagrams and other possible quality tools);
  • the required actions apply to all required areas of the organization;
  • responsibility for identifying, evaluating, implementing and reviewing preventive actions is clearly defined.

The analysis of preventive actions includes answers to the questions:

  • whether the actions were effective (i.e. whether the occurrence of the nonconformity was prevented and whether any additional benefits were obtained);
  • whether there is a need to continue preventive actions in the direction where they were taken;
  • whether they can be changed or it is necessary to plan new

actions.

Sometimes there is a discussion between the auditor and the organization about where the corrective action ends and the preventive action begins. The auditor should avoid bias in these discussions and focus on the effectiveness of the actions taken.

This article was written for a trade magazine a few years ago, but the publication unexpectedly closed. The text has been revised in accordance with the new wording of the International Standards for the Professional Practice of Internal Auditing. It is assumed that even today it has not lost its relevance and practical significance regarding the issues of presentation of the results of internal audit.

The presentation of audit results, or, more simply, the writing of an audit report, often turns into a real challenge for internal auditors. The requirements for the presentation of the material, the formats of reports, the list of their recipients are individual for each company. The company itself decides what should be the report of its internal audit function. For one company, in the audit report, it is enough to indicate in one sentence that such and such internal regulations have been violated, and the guilty person will be fired. For the other, a well-founded reasoning is needed that it is precisely as a result of the identified deficiencies in control that the company loses profit, assets, does not fulfill plans, etc.

So, the initial data: two large oil companies - a public American (let's call it WorldWideOil, abbreviated as WWO) and a Russian (let's call it PetrolUnion, or PU). Both operate around the world, and both strive to increase capitalization and expand their activities. The securities of the American company are listed on the New York Stock Exchange (NYSE), the shares of the Russian company are listed on the London Stock Exchange (LSE). Both companies have approximately equal internal audit services. The PU internal audit service was formed in 2002. WWO's internal audit is much older, but in the same 2002, as a result of major mergers that WWO carried out, its internal audit service underwent significant changes and was actually re-created.

Reporting on internal audit activities

International Professional Standards for Internal Auditing. Standard 2060 "Reporting to Senior Management and the Board"

The chief audit executive should periodically report to senior management and the board on the objectives, authority and responsibilities of internal audit, and on progress in the implementation of the work plan. The report should also contain information on significant risks and control issues, including risks of fraud, corporate governance issues, and other information required by senior management and the Board.

Ideally, the internal audit function is considered to have dual accountability: functional - to the board of directors, more precisely, its audit committee, and administrative - to the head of the organization or another leader (CFO, controller ...) with the appropriate level of authority in order to ensure day-to-day activities of the internal audit service. It is generally accepted that accountability to the audit committee of the board of directors ensures the independence of the internal audit function.

In the companies under consideration, the situation is as follows.

Administrative accountability:

WWO: The auditor general (as the head of internal audit is called) reports to the first vice president of finance (CFO). That is, all issues related to the daily activities of the internal audit service are resolved through the CFO.

PU: The Vice President (Head of Internal Audit) reports directly to the President of the company.

Functional accountability:

Under this line of accountability, the internal audit services of both companies report periodically to their audit committees. In addition, the head of the PU internal audit service reports quarterly on the results of the work to the board of the company.

Both companies try to comply with the requirements of 2060. In PU, the frequency of reports to the audit committee is not established, is arbitrary, depends entirely on the committee's work plan, which indicates the number and timing of issues related to internal audit. No special standard report form has been developed. The reports contain general information on the nature of the deficiencies identified, including significant risks and control problems, as well as information on the number of inspections performed.

The WWO Auditor General reports regularly to the Audit Committee throughout the year: reports on the progress of the annual plan are submitted 5-6 times a year (in the form of a status report) and once - a report on the work of the internal audit service for the year (in the form of a report ).

The report on the work of the internal audit service for the year contains information:

  • on the strategy and goals in the field of work with the personnel of the internal audit service;
  • staff qualifications;
  • the results of assessing the quality of internal audit;
  • internal audit budget;
  • implementation of key performance indicators and metrics by the internal audit service;
  • the annual audit planning process;
  • implementation of the audit plan for the current year;
  • updating the internal audit strategy;
  • justification of the plan for the next year.

Progress reports on the implementation of the annual audit plan are submitted in the form established by the internal audit service and agreed with the audit committee. They contain information:

  • about the audits carried out;
  • on the assessment of internal control;
  • management plans to address deficiencies, as well as progress in implementing those plans.

Schematically it looks like this:

The status provides three states: completed, in progress, due date overdue. In the report, these states are reflected in the colors of the "traffic light", respectively: green, yellow and red dots.

Information for reports on the progress of the annual audit plan is collected from reports on the results of the implementation of specific audit engagements. The information is shown objective, but at the same time it is "dosed". What does it mean? This means that you should not embarrass all participants in the process, including members of the board of directors; information about shortcomings is not inflated to the size of a "universal catastrophe" (as, for example, modern Russian television likes to do), the negative is not whipped up. Everything is business-like: something has been discovered, we plan to do something to improve it, something has already been done or something has not been done.

We can recall the case when subordinates once prepared a report to the audit committee for the head of the PetrolUnion internal audit service in the form in which a report is usually made at a board meeting: scathing phrases about outrageous things, predicting the consequences of exaggerated proportions - in a word, a picture of the real Apocalypse.

Explanation is indispensable.

It is one thing to bring information in this form to the members of the board (executive body of the company), who are obliged to adequately respond to signals from internal audit, and therefore, “the worse the story, the calmer the auditor’s conscience,” and another thing - to the members of the audit committee, who are called carry out supervisory, but not administrative functions.

Reporting on the results of the audit: form, content, timing, recipients

Group of standards 2400-2440 "Communication of results".

Internal auditors should report the results of the assignments performed.

Results messages should contain definitions of the objectives, scope and content of the assignment, as well as relevant conclusions, recommendations and action plans.

Messages should be accurate, clear, objective, clear, constructive, concise and timely.

The chief audit executive should communicate the results of the engagement to the relevant parties.

The standard form of the WWO audit report changed at certain stages in the development of the internal audit function. Now it is determined by the corporate internal audit regulations and the audit report looks like this:

Rice. 1. WorldWideOil Oil and Gas Production Subsidiary Audit Report

In fact, the report is a conclusion of the WWO internal audit on the state of the internal control system of those areas of the enterprise or structural unit that were audited. The conclusions are summarized.

The actual audit report usually occupies one page. The audit report must include three annexes:

A. Evaluation of control in each area of ​​focus (see Fig. 2);
V. List of control deficiencies identified as a result of the audit;
WITH. Description of control deficiencies and management action plan to address them (see Figure 3).

Rice. 2. Appendix A to the audit report of the WWO oil and gas production subsidiary

Explanation for fig. 2 (Appendix A). Internal audit WWO uses four assessments of control: positive - effective, reliable; negative - in need of improvement, weak. Corresponding criteria are defined for each assessment. For example, rating “reliable” corresponds to the level of control that can be provided to protect against material losses, distortions and errors, inconsistency with company policies. In this case, the control can be assigned the highest positive rating, even if audit testing revealed certain deficiencies in it, but only on the condition that these flaws do not lead to distortion of reporting and do not violate the security of the information systems used.

Control is assessed as “weak”, the shortcomings of which are significant: important control procedures are ignored, objects of audit are not performed or are not defined by management at all, which leads to high risks of financial losses, leakage of confidential information, and non-compliance with company policies.

Appendix B is actually the content of Appendix C, i.e. it lists all identified control deficiencies simply in order.

Rice. 3. Appendix C to the Audit Report of the WWO Oil and Gas Production Subsidiary.

Appendix C. When describing control gaps, internal auditors are guided by WWO Internal Audit regulations, according to which the description of “weaknesses” should be short and accurate (usually 2-3 sentences for each example). Insignificant remarks are not included in the report. It is mandatory to indicate what control procedures should be carried out, what risks the identified shortcomings lead to, what specific WWO internal control standards and the provisions of other local regulations of the company have not been complied with. The draft audit report is prepared by the head of the audit (working) group (Lead Auditor, Auditor In-Charge). Deadline - by the last day of the audit "in the field", by the final conference with the object of the audit. The draft report is sent to the management of the audited entity for final approval and inclusion in Appendix C of the Management Action Plan (Action Plan), in which managers outline actions to correct the situation. This part of the audit report should also be clearly articulated. It indicates the persons responsible for the execution and the deadlines for eliminating the deficiencies. The implementation of the Plan is monitored by the internal audit service, including during subsequent audits.

Due to the fact that information on measures to eliminate deficiencies is agreed with the management of the audited object and is included in the audit report, no administrative documents based on the audit results (orders, instructions, including those of the corporate level) are issued.

The deadline for preparing the final version of the audit report in WWO is one of the indicators (metrics) for evaluating the work of the internal audit service. The target is 14 days, in fact, the final versions of the reports are ready on average ten days after the completion of the check!

An audit report can be generated using a special computer program (for example, TeamMate), which allows you to automatically group the auditors' comments into the form of an audit report. But in practice, the formulation of comments, their composition is largely determined by the manager of internal audit in the direction of the company's activities, based on the results of meetings and the opinion of all members of the audit team. Comments that were not included in the report are included in the audit discussion memorandum, which is also considered at the final conference with the managers of the audited entity. All deficiencies noted both in the audit report and in the memorandum are subject to unconditional elimination.

The WWO Internal Audit Regulations define the list of recipients of audit reports. These are:

  • internal audit managers (by line of business);
  • general auditor;
  • First Vice President of Finance (CFO);
  • VP Controlling / Chief Accountant;
  • Executive Vice President, Business Line;
  • external auditor.

By the decision of the audit team leader, managers of all levels may also be included in the mailing list, including vice presidents and executive vice presidents with relevant functional responsibilities (finance, information technology, logistics, etc.).

Only those audits are sent to the first head of WWO, according to the results of which the control is assessed as "weak"! Before that, they are compulsorily considered by the general auditor.

Otherwise, the responsibility for the quality of the report rests with the internal audit managers.

PU: The PU, just like WWO, has developed internal audit regulations. These are corporate standards for internal audit, and standards (at the level of methods) for conducting audits by areas of activity (business segments), which include, among other things, requirements for the formation of an audit report. So, for example, according to the corporate standard, the statement of the results of the audit engagement should include observations, conclusions (opinion), recommendations and an action plan. Observations should present facts relevant to the audit engagement. Observations necessary to clarify (prevent misunderstanding) the conclusions and recommendations of the internal auditors should be included in the final presentation of the results of the audit engagement.

PU audit reports are very voluminous, have a lot of attachments, essentially document the progress of the audit engagement. It's not easy to read them, let alone write them! ..

The difficulty also lies in the fact that the PU internal audit service includes recommendations for eliminating deficiencies in the report, including for top managers of the company. These recommendations are formalized by administrative documents (orders, instructions), which require going through the approval procedure within the company and have a significant impact on the duration of the process of preparing the final report.

The requirements of the head of the PU internal audit service to the quality of audit reports are also clear: the president will read them! In fact, each report is the “face” of the service. (Very responsible.)

In conditions when any internal audit service objectively cannot be 100% staffed with highly qualified specialists, the quality of the audit report directly depends on the amount of time spent on its writing. There is no need to talk about 10 days per report! Sometimes the process is delayed for several months, and one of the main qualities of the audit report is lost - its timeliness.

However, is it worth nodding to PetrolUnion, when a similar situation until recently was characteristic of the internal audit services of very large international companies.

All audit reports are sent to the president of the company, since the head of the internal audit service reports and reports directly to him. After consideration, the President decides to send the audit report, i.e. determines the circle of persons to whom the results of the audit engagement are communicated.

What is the best way to present the report? You will have to decide on your own. The statistics are as follows: having an approximately equal number of objects in the audit base (more than 500 for each company), WorldWideOil's internal audit service conducts about 120 audits per year, and PetrolUnion's internal audit - a little more than thirty. And the time frame for preparing the final version of the audit report is, of course, not the only, but very important factor in explaining such a difference. It would seem that the conclusion is obvious - to urgently change the procedure for presenting audit results, simplify the structure of the report and not send it to the first person of the company (or send it only in exceptional cases). But here it is worth thinking about one scrupulous moment.

Imagine the work of internal audit in a more or less well-functioning system of internal control, risk management, corporate governance. This is when the remarks in the audit report may sound something like this: "there is no confirmation that the reconciliation of accounts for March was carried out in accordance with the established procedure." In fact, this is a serious violation for the internal control system, and managers of different levels are well aware of this. And the most stringent measures will be taken against the culprit. But this is ... a working moment. It is inconvenient to go to the very top with such comments. And what happens? The work is better than ever, but it is not appreciated at its true worth, since meetings with top management are extremely rare, and, as they say, over time there is "falling out of the cage." Therefore, the paradox: the better the results of the work, the clearer the whole mechanism works, the more vulnerable the position over time, and this is a loss of authority and far-reaching conclusions.

Sometimes, apparently, this is what actually happens. True, this does not apply to the aforementioned companies.

And finally. Theoretically, the processes of formation and presentation of the results of the performed audit assignment in PetrolUnion and WorldWideOil companies do not have fundamental differences, since internal audit in both companies complies with International Professional Standards. In practice, however, these differences are significant. The reason lies in the different tasks facing the internal audit services at the current stage of companies' development.

The primary task of PetrolUnion's internal audit is to create a modern corporate governance system through recommendations (including to top management), developed based on the results of audits, and systematic monitoring of their implementation.

In WorldWideOil, the situation is as follows. The external environment (and, first of all, the securities market) contributed to the development of the company's corporate governance, formalization of risk management processes, and internal control. How? First of all, by the availability of relevant legislation. Internal audit today, basically, checks the compliance of the control actions of managers and executors with the adopted regulations, which is fully consistent with the requirements of the Sarbanes-Oxley Act. In such an environment, it is easier to standardize both the audit process and the process for reporting audit results. WWO's internal audit does not provide recommendations based on the results of the audit. Compliance with International Standard 2130 is achieved through the provision of consulting services to subsidiaries and structural divisions, i.e. analysis to make recommendations. However, the number of such projects per year is very small, and now the WorldWideOil auditors themselves complain about the decrease in efficiency, the impossibility, due to lack of time, to pay more attention to identifying new risks and preparing recommendations aimed at increasing the company's efficiency.

Obviously, there is no single recipe, but there is a main principle: do not stop there, constantly strive to improve and improve methods and processes.

To share with friends:
Similar publications
© 2021 com-roseltorg.ru Popular articles about banking services