Materials | Hints for Reading Audit Reports

All audit reports should be read with an inquiring perspective, meaning you should read them with a critical eye. Some areas to focus your attention when reviewing a report include:

the audit rating,
the date of the audit,
the scope of the audit,
the rating from the risk assessment, and
the component ratings, if any.

The following provides some matters to consider as you review each of these areas.

The audit rating:

What was the previous audit rating? Is the new rating better or worse?
If this rating and the previous rating for this audit are compared to other audits for the period, do they form a pattern or trend? For example, have all ratings improved from one period to the next? That might indicate less rigor in audits performed or possible staffing changes that reduce the audit function’s experience level.
Is it clear from reading the report why the rating was changed?
Have there been any significant changes in this auditable unit that account for the ratings change?
Does management of the auditable unit agree with the rating? Why or why not?

The date of the audit:

How long has it been since the previous audit?
Was the interval short because there were previously identified problems?
Was the interval long because there were no previous problems or because the audit was deferred for some reason?
Was this audit scheduled because someone suspected a problem or was it scheduled as a result of the annual assessment?
Did the field work take longer than was projected? What was the cause? Were unanticipated problems found which required more audit staff time?
How long did it take to write the report? Is the time taken roughly similar to that for other audit reports? If the time interval appears long, what caused the delay?

The scope of the audit:

Most audits should be full-scope audits. If the scope is anything less than full scope, there should be an acceptable (by policy) reason.
Would the opinion have changed if the scope was changed?
Should the auditors have considered expanding the scope? Did the auditors find something that triggered expanding the scope of the audit?

The rating from the risk assessment:

Did the management doing the risk assessment look at the inherent risk (the risk in an activity without the presence of controls) in this auditable unit?
How much is the risk of loss and what is the probability loss will happen?
Is this a poor rating in a high-risk area or a good rating in a low-risk area? The answer to this determines the strength of your reactions to the findings. For example, if it is a poor rating in a low-risk area, you may not be as concerned as you might be if the reverse were true.