Audit Report Writing
VERITA TRAINING SESSION
MARCH 09 2013
By CA Huzeifa Unwala
Training topics
• Session Objectives & Expectations
• Client Reporting
• Nature of Users
• Key Reporting Standards
• From Query to Reporting
• Examples of reporting improvements
• General Tips
• Practical exercises
ICAI SIA 4 Reporting

Basic elements of the audit report
Layout of the internal audit report includes:
• Titles, Addressee, Report distribution list,
• Period of coverage of the report, Opening or introductory paragraph, Objectives paragraph, Scope paragraph,
• Executive summary, Observations, findings and recommendations,
• Action taken report
• Date of the report, place of signature and Membership number.

Auditor should exercise due professional care
Ensure that internal audit report is:
• Clear and Factual,
• Specific and Concise,
• Unambiguous and Timely,
• Complies with generally accepted audit procedures in India.

Communication to management
• Different stages of communication are:
• Discussion of draft,
• Exit meeting,
• Formal draft
• Final report

Limitation on scope and restriction on usage & circulation
• Describe the limitation
• For intended purpose and limited to distribution list
ICAI SA 700 The Auditor’s Report on Financial Statements

Basic elements of the audit report
Layout of the internal audit report includes:
• Titles, Addressee,
• Opening or introductory paragraph (identification of Financial statements audited and statement of responsibility of the management and auditor)
• Scope para describing the nature of audit and reference to accounting standards, regulatory sections that govern the audit and description of work performed
• Opinion para giving reference to financial statement framework used for preparation of the financial statements and expression of opinion
• Date of the report, place of signature and Auditor’s signature.

Debate:
• Auditor’s commentary
• Going concern

Significant uncertainty:
“Without qualifying our opinion, we draw attention to Note X of Schedule…. The entity is the defendant in a lawsuit alleging infringement of certain patent rights……the ultimate outcome of the matter cannot be presently determined, and no provision for any liability that may result has been made in the financial statements”
“in our opinion…………”
From Query to Reporting

Query to be thoroughly investigated to unearth the facts

Audit findings, as discussed with Client Management and / or the audit sponsor at the closure meeting should be documented in clear, succinct language. For each issue, the following information should be communicated (known as the ‘so what factor’):
• Description – what is the issue? This should be factual and free of interpretation.
  Example: We reviewed twenty-five payments and found ten of the payments were not approved in accordance with the organisation’s policy.
• Cause – what is the root cause of the problem?
  Example: This has been caused by a lack of training for new accounts payable personnel. The cause should be discussed with the client prior to writing the report.
• Impact – what is the impact on the organisation? You may consider:
  What is the risk?
  Why should management be concerned?
  Does this issue have the potential to impact the organisation’s strategic objectives?
  Could this lead to a material misstatement in the organisation’s financial statements?
  Could this lead to a loss of reputation?

Findings should be rated and prioritised in order of importance to help the client understand the relative importance of the issues. The ratings also allow Client Management and the Audit Committee to compare the criticality of issues across internal audit reports.
Our responsibility is to turn up, tick a few things and express an opinion on the site based on our audit.
We conducted our audit in accordance with admittedly-not-quite generally accepted auditing standards.
Assessing the Impact of Risk

Columns: Rating | Financial impact on business | Impact on customer | Strategic | Regulatory | Management effort | Publicity & reputation | People

SEVERE
• Financial impact on business: > Rs. 2 million damage or loss
• Impact on customer: Material impact for many customers
• Strategic: Failure to achieve two or more goals
• Regulatory: Loss of key business licence; Criminal offence by director or manager; Regulatory censure
• Management effort: An event so severe in nature it leads to a change in the management structure of A. The event may lead to a collapse of the business
• Publicity & reputation: Dramatic loss of stakeholder confidence undermining business viability; Extensive negative public exposure
• People: Multiple fatalities, permanent disability; A large number of key executives or directors resign

MAJOR
• Financial impact on business: > Rs. 1 million damage or loss
• Impact on customer: Impact for many customers
• Strategic: Failure to achieve one or more goals
• Regulatory: Conditions imposed on business licence; Civil offence by director or manager; Regulatory censure
• Management effort: A critical event which with proper management can be endured. May involve some management changes
• Publicity & reputation: Negative public exposure with significant impact
• People: Single fatality or permanent disability; Some key executives leave company (not perceived as employer of choice)

MODERATE
• Financial impact on business: > Rs. 0.5 million damage or loss
• Impact on customer: Potential impact for some customers
• Regulatory: Moderate implication for business licence; Civil offence by company; Increased regulatory oversight
• Management effort: A significant event which can be managed under normal circumstances
• Publicity & reputation: Concerns becoming broader and more vocalised within the industry
• People: Serious multiple injuries; Poor reputation as an employer; Key employee leaves

MINOR
• Financial impact on business: Rs. 0.2 million damage or loss
• Impact on customer: No impact
• Regulatory: Minor implications for business licence; Civil offence by employee; Potential review by regulator
• Management effort: An event, the consequences of which can be absorbed but management effort is required to minimise the impact
• Publicity & reputation: Serious segmented stakeholder concerns/incidents
• People: Moderate injury or illness; General staff morale problems; High staff turnover

INSIGNIFICANT
• Financial impact on business: > Rs. 2 million damage or loss
• Impact on customer: No impact
• Regulatory: Minor breach of law; Minor sanction or penalty; Potential review by regulator
• Management effort: An event, the impact of which can be absorbed through normal activity
• Publicity & reputation: Minor isolated stakeholder concerns/impacts
• People: Minor injury or illness; Increased staff turnover
Audit Observation & Opinion Building
• What has gone wrong?
• What has been violated?
• What is the consequence/ reputation/ financial/ compliance exposure?
• What is the remedy?
• What is the alternative remedy?
• What is the best remedy? Is it complying with laws?
• How the situation can be corrected? What is the time and cost for correcting the situation?
• Is there a cause/ root cause which can be addressed?
• Is your observation independent of your client relationship?
• Are you making a constructive/ positive case for change or embarrassing auditees?
• How will your view affect the client?
Analyzing the Audience
• Who will be the most important readers of the report?
• How much do they know about the subject?
• How do they plan on using the report?
• How interested are they in the report?
• What’s their reaction going to be to the report’s message?
Reporting Significant deviation in Physical Verification
Example

Demonstrate the procedure adopted for undertaking physical verification of inventory (Give brief details w.r.t. description of items verified, names of persons involved in verification, manner of verification of physical stock and of comparison with the book stocks, methodology adopted in the count etc.)

“The difference between the physical balances and the book balance in respect of the Exhibited items have been identified. The difference is Rs. XXXX implying that the inventory position has been under/ over reported in the year end unaudited financials. Subsequent to our verification the differences were adjusted in the books and the book (quantity) balances were brought in line with the physical balances. The quantities included in the year-end audited financials represent the so adjusted book balances. To adjust the differences, the following entries were passed in the books of accounts…………………………. ”
Reporting on Out of System Approvals
Example

Approvals for waiver of charges were documented through e-mails, however, instances were also identified wherein charges were reversed by ABC, for which specific waivers were not on record.

We were informed, these charges were not leviable considering the nature of the product, however, possibility of such waivers being recorded without approval cannot be ruled out in the absence of System controls.
Insert Organization Logo Here

Internal Audit Report
[Name of Entity]
[Name of Audit Area / Location / Period Covered]
Date:

Distribution
For action | For information
Insert name or business unit/group [Insert title] | Insert name or business unit/group [Insert title]
[Insert name] [Insert title] | [Insert name] [Insert title]
[Insert name] [Insert title] | [Insert name] [Insert title]
SCOPE OVERVIEW

Summary of objective and scope
[Sample text: An internal audit of [insert organization name] [insert process name] was performed in [insert month and year] and covered [insert business unit(s)].
The overall objective of the internal audit was to determine the effectiveness of key controls as identified with Management and compliance with current policies and procedures relating to [insert process name], and to identify any improvement opportunities. The internal audit did not cover [insert any specific areas not covered and any significant limitations].
The specific objectives, scope and approach of the internal audit were agreed with [insert organization name] Management.

Responsibilities of the Management and Internal Auditors
The internal audit procedures rely on information and representations made available to the internal auditor by the management of the Company and comprise inquiries and observations and limited tests of transactions on a sample basis, covering the detailed assessment objectives. Accordingly, the internal audit procedures may not detect fraud, defalcations and irregularities.
Internal auditors’ work does not in any way diminish the responsibilities of the Company’s management. The design, development, implementation and operation of internal control systems are the responsibility of the respective Company’s managers. They are accountable for ensuring that adequate controls exist in the areas of their responsibility and should not rely solely on periodic visits as a means of monitoring the adequacy and integrity of controls.

Linkage to your risk assessment study
[Sample text – option 1: This report delivery is planned in the Internal Audit Plan of [year] as approved by the Audit Committee. The scope areas have been risk assessed in the Risk Assessment Plan [insert title/reference] provided to our team during the internal audit planning stage, however, it is important to note that this linkage does not indicate full coverage of enterprise risks which are managed through a number of business processes and control procedures.]
[Sample text – option 2: This internal audit has been performed at the request of the [insert title e.g. Audit Committee/CEO/CFO] of [insert organization name]. This ad hoc internal audit is in addition to the internal audits set out in the 201X/201X Internal Audit Plan.]
METHODOLOGY: INTERNAL AUDIT APPROACH

APPROACH
[Sample text: The internal audit of [insert organization name] [insert process name] was performed using the following approach:
• [insert nature of specific procedures and testing performed to meet the objectives of the internal audit, for example:
• names and titles of organization management/personnel interviewed
• details of information and documentation provided
• processes/systems documented
• areas and time period of walk-throughs, and observation and enquiry performed
• areas, extent (i.e. sample sizes) and time period of items selected for testing
• the use of any third party subcontractors, where agreed with the organization].]

INTERNAL AUDIT TEAM
Prepared by:
Name: Signature:
Reviewed by:
Name: Signature:
Executive Summary

Implementation Summary of Previous Report
Rating | Process / Sub Process | Report Period / Reference | Management Action Plan | Responsibility & Date | Implementation Status
Executive Summary (Contd.)

Overall Report Grading
Level of assurance: High / Medium / Low
Key Conclusions
Top Root Causes
Executive Summary (Contd.)

Key findings and recommendations
[Sample text: The findings identified during the course of this internal audit are illustrated in the summary below. A full list of the findings identified and the recommendations made is included in this report. Classifications of internal audit findings are detailed in Appendix X to this report.
These findings and recommendations were discussed with [insert organization name] Management responsible for the operations of [insert process name]. Management has accepted the findings and has agreed action plans to address the recommendations. This report also includes any findings and recommendations where Management has implemented the action plans to date.
The management action plans will be included in the tracking of internal audit recommendations maintained by [insert name of the function responsible for internal audit]

Sr. No. | Risk Rating | Observation Headline / Title | Observation Summary | Recommendation Summary | Detailed Observation #
1. | High
2. | Medium
3. | Low

Sr. No. | Report | Number of Observations | Number of High rated Observations | Implemented | Direct Financial Benefits
1.
2.
3.
DETAILED OBSERVATION
Sr. No. # : Title of Observation

Observation
<Observation in detail>

Risk/ Implications
• <Risk / Implication in detail>

Root Cause

Recommendation
1. <Recommendation 1 in detail>
2. <Recommendation 2 in detail>

Management Response/Proposed action steps
1.1 <Proposed action steps for Recommendation 1>
1.2 <Proposed action steps for Recommendation 1>
2.1 <Proposed action steps for Recommendation 2>

Responsibility & Timeline
1. Mr. XYXYXY, GM - Production (Shafts), February 15, 2012
2. Mr. XYXYXY, GM - Production (Shafts), April 1, 2012
RISK GRADING RATIONALE (INDIVIDUAL RISKS)

The individual risks within the areas are reviewed and an overall rating of High, Medium or Low is assigned based on the following definition:

High: A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial measures must be taken urgently.

Medium: A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action.

Low: Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency.
Operational Weakness – During Investment Function (Eq Shares)

Columns: GAP No. | Internal control weakness/Process Improvement | COSO Category of Control | Impact | Recommendation

Internal control weakness/Process Improvement
Selection and Analysis of Broker
• The company has not followed appropriate process while selection of brokers for equity shares. The criteria for the broker is not defined and documented. Brokerage comparative statement and other benefits are not documented for selection of brokers for investment in equity shares.
• The effective brokerage rate analysis was done and it was observed that company has done its 68% of investment through A Stock Broking whose rate is more than B in XYZ Ltd.
• Effective brokerage rate analysis was done for ABC portfolio wherein the 44% of total transaction (in value) are done through A Stock Broking whose rate was more than S and C.

Impact
• Risk of incurring excess cost due to absence of competitive analysis

Recommendation
• Broker wise analysis must be carried out to ensure better service and low transaction cost

Management’s Comments
• Process Owner:
• Comment:
Higher Equity Brokerage Payout

Columns: GAP No. | Control deficiency/ Audit Observation | COSO Category of Control | Impact | Recommendation

Control deficiency/ Audit Observation
Broker Selection and Evaluation Procedures
• There is no written procedure for selection and evaluation of equity brokers as a result the equity deal team has not followed consistent broker selection process.
Higher Equity Brokerage Payout to A Stock Broking
• Effective brokerage rate analysis reveals that the company has executed 68% of investment transactions through A Stock Broking. Despite a higher share of business to A the brokerage rate of A is more than B. The quantum of excess payout is estimated at @@@.

Impact
• Absence of defined norms leading to process inefficiencies and financial losses
• Absence of monitoring checks leading to process inefficiencies and financial losses

Recommendation
• Broker selection and evaluation procedures should be framed by the front/mid office team and adopted by the Board. The procedures should include the broker selection criteria, value added benefits expected from the broker and quantum of trading limits.
• Periodical monitoring checks such as Broker wise analysis must be carried out to lower transaction costs and improved service levels.

Management’s Comments
• Process Owner:
• Comment:
Inventory Turnover and Finished Goods Turnover analysis

Observations
Inventory Turnover Ratio:
• The inventory turnover ratio of 3.16 is very low, implying that the company is carrying its stock for a very long period and is not managing its inventory efficiently.
• It has been observed that these products are hazardous and company takes 116 days to convert raw material into sales, so it is very risky to hold such high inventory.
Finished Goods Turnover Ratio:
• Finished goods turnover ratio of 11.84 implies that the company is able to convert its finished goods stock 11.84 times.
• In 31 days it is able to sell the finished goods manufactured.

Root Cause
• Absence of defined control procedures
• Poor implementation of defined / not defined job responsibility

Recommendation
• A complete assessment of inventory in terms of quantity and valuation is essential.
• High value and risky material needs to be stored in proper conditions and required quantity.

Management Action Plan

Inventory Turnover Ratio:
Particulars | Rs. (lacs)
Cost of Goods Sold | 1614
Opening Stock as on 1/4/2012 | 400
Closing stock as on 31/12/2012 | 621
Average Stock | 511
Inventory Turnover Ratio | 3.16
Inventory Turnover Ratio in no of days | 116

Finished Goods Turnover Ratio:
Particulars | Rs. (lacs)
Sales (Export and Local) | 1932
Opening Stock as on 1/4/2012 (FG) | 72
Closing stock as on 31/12/2012 (FG) | 253
Average Stock (FG) | 163
Finished Goods Turnover Ratio | 11.84
Finished Goods Turnover in no of days | 31
CARO Para 4 (ii) – Inventory Management

Summary: High

CARO Para 4 (ii) (a)
Whether physical verification of inventory has been conducted at reasonable intervals by the management.

Observation
Practice of conducting physical verification of inventory is not carried out by the management at regular intervals. However, physical verification has been carried out in the month of July 2012 and reverse calculation was done to arrive at 31st March 2012 stock.

CARO Para 4 (ii) (c)
Whether the company is maintaining proper records of inventory and whether any material discrepancies were noticed on physical verification and if so, whether the same have been properly dealt with in the books of account.

Observation
Stock prior to April 2011 was maintained at AB location and these stocks were brought in the books by passing stock transfer entry. While passing transfer entry, reconciliation of these stocks with warehouse stock was not carried out and as a result discrepancies were noticed. No relevant supporting documents were made available for such adjustment. As of date of audit i.e. 20th July, 2012 reconciliation is in process.

Recommendation
• Inventory records should be maintained properly in the books of accounts on real time basis
• Reconciliation with warehouse stock should be done on monthly basis. Monthly report of reconciled stock should be submitted to senior management
• Physical verification should be conducted half yearly by independent party

Management Action Plan
Awareness
Monitoring
Auditee Response: Post physical verification of stock by internal auditor, the stock records will be reconciled and thereafter it will be maintained properly by the company.
Timeline:
Process Owner:
CARO Para 4 (iv) (a)
Is there an adequate internal control procedure commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods. Whether there is a continuing failure to correct major weaknesses in internal control?

Observation
Company does not have adequate system control in relation to purchase and sales of inventory & fixed assets. For instance:
i) Tally (Accounting System) allows passing of sales entry even if there is no stock with the company and as a result stock report is showing negative stock. This lapse in system control is highly prone to error.
ii) Competitive rate analysis for fixed assets procurement is not done
iii) Sales price list is not maintained in system to ensure that all products are sold at defined price

Is there an adequate internal control system commensurate with the size of the company and the nature of its business, for the purchase of inventory and fixed assets and for the sale of goods and services. Whether there is a continuing failure to correct major weaknesses in internal control system;
Storage Facility

Rating: High

Observation
On verifying the storage facility, it was observed that bins and pallets were allocated without proper spacing and stacking of products. Many of the bins were kept empty and some bins & pallets were not utilized fully.
• As per the agreement with Aramex, Inward Process Point no. 5.2 - Di representative to be present during barcode pasting when no barcodes are there on the products on receipt, however on discussion it was learned that Aramex staff did barcode pasting on their own and they were never accompanied by Di staff during this process.
• It was observed that practice of affixing preprinted system generated barcodes on the material boxes is not in place and handwritten codes are affixed on the same which are highly susceptible to errors. Also if any box has got empty and new material is stored in it, previous label code is not removed and new label code is affixed on the same. Thus 2 codes are reflected on the same box.
• 27 cases have been observed where location is incorrectly defined in the Optilog. This makes tracking of materials difficult in case of emergency. [Refer Annexure VII for details]
• As per agreement with Aramex, all rusted/corroded fittings to be isolated from saleable inventory, however it was observed that many of the rusted materials were still stored along with good quality materials and this can affect the quality of non-rusted materials.
• Also as per agreement, rubber hose should be securely stretch-wrapped and stored in warehouse, however during verification it was observed that some hoses were lying unwrapped.
• Cameras and smoke detectors at bin storage area on 2nd floor were not in working condition.

Risk Implication (Operational / Control / Compliance)
• Financial loss to Dixon due to overcharging by Aramex.
• Handwritten codes are susceptible to errors
• Incorrect geographical mapping may lead to unfulfilled sales order due to misplaced items.
• Rusted/corroded items to be separated to avoid damage to other good products.
• Rubber hoses to be covered to avoid getting it dirty and its appealing looks may get diminished.
• Non-functioning Cameras, no audit trail in case of theft. Insurance claim may be denied.

Root cause (Operational Ineffectiveness / System Deficiency / External / Design Deficiency)
• Operation ineffectiveness

Recommendation
All the operational gaps to be filled in by taking utmost care and using due diligence for a better and smooth functioning business operation. Detailed list of recommendation as per next slide.

Management Action Plan
Awareness
Monitoring
• Auditee Response:
• Timeline:
• Process Owner:
Columns: Observation | Risk Implications | Criticality | Probability | Existing Maturity | Recommendation | Desired Maturity

Observation
Non Compliance with SEBI Regulation
• Outstanding clients review – funding violation
W.r.t. the Exchange circular no. NSE/MEMB/261 dated May 27, 1997 regarding clarification given by SEBI on applicability of Rule 8(1)(f) and 8(3)(f) of Securities Contract (Regulation) Rules, 1957, relating to fund based activities of brokers and as per clarification vide NSE Circular Ref. No: 136/2012 dated 26th April, 2012 - If debit balances arise out of client’s failure to pay such amount for more than fifth trading day reckoned from date of pay-in, and further exposure is granted to client it would be construed as a funding violation even if fully paid collaterals are available for margins.
On review of long outstanding client positions (more than T+5 day) for the period 01st April 2011 to 31st May 2012, it was observed that clients were being funded for debits in their account and for the same they were being charged Delayed payment Charges (DPC), as sufficient collaterals were available in client’s account.

Risk Implications
• Non Compliance with SEBI Regulation

Criticality: Very High
Probability: Very High
Existing Maturity: Repeatable
Desired Maturity: Managed

Recommendation
• Funding violation to be avoided, by adhering to exchange guidelines.
• A complete compliance manual needs to be defined which indicate checkpoints for all the applicable compliances and its adherence with a feature enhancement in Risk Management Software for a risk and self-certification process

Non Compliance with SEBI Regulation
• Simplify the start
• Full review to unearth the extent of non-compliance
• Recent Penalties & Reputation
• Level of exposure client category wise and ageing
Unhelpful Client Communication Practices
• Issuing client communication prior to Superior & Partner review
• Asking too many questions at once.
• Saying you understand when you don’t!
• Arguing.
• Criticising individuals.
• Taking sides.
Tips for success
• Headlines grab attention
• First impression matters
• Story telling – follow a theme
• Concise - word count helps
• Big picture and detailing – both are equally important
• Self review, superior review and partner review
• Use graphics, photographs (where presented as evidence)
• Avoid repetition of phrases, words
• Cut prepositions
• Adopt a positive
• Write while auditing
Scenario 1:
• Unbudgeted capex spending of INR 5 million
• Uninsured Material in warehouse of the company
Scenario 2:
• 100% depreciation charged on low value assets
• Assets recorded at zero value
Scenario 3:
• Procurement Policy states that purchases should be made only against valid contracts. Material purchased without any underlying contract
• There is a trend of delay in receipt of material
Scenario 4:
• You are a Statutory Auditor of a Listed company and have completed your annual review. You have to frame a management letter to the CFO highlighting weaknesses in Fixed Assets, Revenue Recognition, Inventory controls and failure to implement internal auditor recommendations.