Go from boring to brilliant. How to deliver audit results.

1. System Findings and the
Audit Report
Dennis R. Arter, CQA
October 2013

2. What will we cover?
Audit steps and rules
 Definition of a Finding
 How to write a Finding
 Purpose of the audit report
 How to write an audit report
 Improve performance through audit


3. What is an audit?
Requirements
Findings
Observations
Observations
Observations
Findings
Findings
Conclusions
Evidence
Findings

4. Four Phases of the Audit
 Preparation
(25% of the audit)
 Performance (50% of the audit)
 Reporting (15% of the audit)
 Closure (10% of the audit)

5. First Rule of Auditing:
1. Audits provide
information,
about the future,
to decision-makers

6. Second Rule of Auditing:
2. Auditors must be
capable of doing
their job.

7. Third Rule of Auditing:
3. Audits measure
to agreed criteria

8. Fourth Rule of Auditing:
4. Conclusions are
based on facts

9. OK, so now what?

We have all this good information. What
should we do with it?

10. The reporting process
Requirements
Problem
Bad facts
Bad facts
Bad facts
Problem
Problem
Conclusions
Evidence
Problem

11. Definitions

Finding
“An audit conclusion which identifies a condition
having a significant adverse effect on the quality of the
activity under review.” (Arter)

Nonconformity
“Non-fulfillment of a requirement” (ISO 9000:2008)
Observation (No longer in use)
 Positive Practice

“An audit conclusion which identifies a condition of
exceptional merit.” (Arter)

12. Do the Data Dump
GOOD
Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Quisque auctor. Vivamus volutpat
ipsum at metus.

Curabitur non lectus rutrum eros suscipit interdum. Vivamus mattis. Ut porttitor, dui
malesuada commodo vehicula, purus nisi imperdiet nibh, et posuere erat dui eu dolor.

Praesent et velit a urna faucibus ornare. Ut nec justo ut velit consectetuer tincidunt. In
gravida lectus et ante. Nullam eros. Ut bibendum purus non magna.
BAD
Fusce fermentum. Morbi tincidunt. Vivamus interdum mi vitae orci. Quisque ut nunc ut nibh
vehicula tempus. Nam arcu. Etiam lacus.

Vestibulum non diam. Sed dictum tincidunt lacus. Aliquam sagittis, diam non volutpat
tempus, neque augue viverra augue, vitae condimentum lorem nulla quis felis.

Donec quis erat. Morbi auctor felis. Nulla diam eros, lobortis vel, rhoncus sed, placerat ac,
nulla. Fusce porttitor dui condimentum justo. Vestibulum dolor lacus, consequat blandit,
feugiat ac, varius nec, augue. Aliquam et tortor quis quam adipiscing vehicula.


Nam molestie. Praesent pretium orci in purus. Phasellus massa dui, tincidunt a, dictum
sed, posuere vel, lorem. Maecenas et quam. Nullam mi. Proin ac eros.


Praesent malesuada nunc non risus. Praesent fermentum vehicula libero. Curabitur libero.
Ut molestie massa. Suspendisse urna. Vestibulum ante ipsum primis in faucibus orci luctus
et ultrices posuere cubilia Curae; Sed nulla.

Duis in turpis. Nunc lobortis. Ut massa nisl, rhoncus imperdiet, faucibus et, semper et,
lectus. Lorem ipsum dolor sit amet, consectetuer adipiscing elit. In hac habitasse platea
dictumst.

Mauris quis nulla sed mauris scelerisque pellentesque. Donec sit amet sem. Proin quis
velit. Ut ut erat ut mi viverra adipiscing. Sed sed ante. Integer at dolor. Vivamus porttitor est
et dui. Phasellus id dui.

Integer nonummy. Fusce justo magna, ultricies pretium, rutrum ac, ultrices a, ante. Morbi
gravida massa quis elit. Etiam nulla. Cras congue nibh eget metus. Integer varius nulla eget
nibh.
Ut at sem sit amet ipsum gravida viverra. Quisque dignissim ultricies metus. Fusce
ullamcorper. Nullam nec nisl eget nibh convallis molestie.
Aliquam commodo accumsan leo. Cras ligula. Sed elit ligula, faucibus sit amet, semper et,
accumsan quis, neque. Etiam in augue ut nunc tristique consectetuer.


Ut cursus aliquet eros. Aenean sit amet tortor eget ipsum bibendum bibendum. Nunc vel
justo sagittis libero iaculis bibendum.
Donec felis erat, egestas nec, posuere ut, tempor malesuada, quam. Donec arcu nibh,
blandit vitae, ullamcorper eu, posuere non, eros.



Curabitur dapibus euismod nulla. Class aptent taciti sociosqu ad litora torquent per conubia
nostra, per inceptos hymenaeos.

Fusce vehicula erat id ante. Aenean non libero ut tellus scelerisque ultricies. Aenean ac leo
fermentum pede porttitor varius. Donec et justo quis nisl faucibus ultricies. In odio.
Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis
egestas

Vivamus eu eros vestibulum sapien nonummy ullamcorper. Aliquam congue est sed turpis.

Nullam suscipit lobortis dui. Nam ipsum.
Fusce fermentum. Morbi tincidunt. Vivamus interdum mi vitae orci. Quisque ut nunc ut nibh
vehicula tempus. Nam arcu. Etiam lacus.

Vestibulum non diam. Sed dictum tincidunt lacus. Aliquam sagittis, diam non volutpat
tempus, neque augue viverra augue, vitae condimentum lorem nulla quis felis.

Donec quis erat. Morbi auctor felis. Nulla diam eros, lobortis vel, rhoncus sed, placerat ac,
nulla. Fusce porttitor dui condimentum justo.


13. Do the Data Chunk
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Fact
Problem
Problem
Problem

14. Bank audit example
Equip. maintenance
Teller competencies
Network down
 Backup server data
 Bill sorting machine
 Doors, locks, and keys
 Cash machine jams
 False security alarm



Debit and credit
reversed
Cash drawer daily audit
No pattern


Key-in entry mistake
Coins falling out of
rabbit

15. Step 3 – Identify the pain
Cost
 Production
 Risk


16. Step 4 – Put them together
Problem
+
Finding
Pain

17. Step 5 – Turn piles over
Statement of the system control problem
◦
◦
◦
◦
Bad fact
Bad fact
Bad fact
Bad fact

18. Finding
Lack of equipment maintenance is causing higher
operating costs.

Computer network was down for a total of 25 minutes during the
month of July.

Backup server was loaded with out of date data files on July 12.

Hill Street branch experienced 3 cash machine paper receipt jams in
June.

Bill sorting machine malfunctioned on July 3 and again on July 9.

Three branches experienced entry door lock jamming this year. One
resulted in a key breaking.

Oak Lawn branch experienced a false security alarm on July 20. Police
responded.

19. Cause and effect?
Whoa! That’s much too hard
(and my firm is not ready to
accept this approach)!
Is there a simpler way?

20. Finding
Non-conformances are not being identified
throughout the company.
◦ Only receiving inspection is presently using the NCR
Form (#278).
◦ Operators filling boxes often have to bend pigtails to get
the components to fit in the box.This is not being
recorded.
◦ Observed pigtail variance on line 3 averaged 1/2 inch on
Tuesday during the audit.
These are called finding sheets

21. Can we say good things?
These are called Positive Practices
 Constructed just like negative Findings,
except use good facts rather than bad
facts.


22. Write the Summary

Overall evaluation of the management
controls
◦ One or two paragraphs
◦ Very subjective (by design)
Is the operation safe? Efficient?
 Is there reason to believe that controls
will continue?
 Are there any regulatory risks?


23. Focus on the system

System: grouping of
interrelated processes
designed to achieve a
common objective.

To have lasting effect
(improvement),
stakeholders must have
a desire to change the
system

24. Now, let’s tell someone
Informal report (closing meeting)
 Formal report (paper or virtual)


25. Informal report
Closing meeting always required
 Present the overall summary first
 Pass out draft Findings and Positive
Practice sheets
 Leave promptly


26. Written report

Background material
(what, why, who)

Overall summary

Highlight of problems

Highlight of strengths

Two pages plus attachments

27. Audit report
Finding 3
Finding 2
Finding 1
Audit Report
1. Background
2. Summary and
Conclusions
3. Any Deficient
Areas
Lead Auditor
Date

28. Report distribution
You work for the audit boss
 Audit team writes report
 Team leader drafts cover letter

◦ Background
◦ Executive summary
◦ Request for corrective action
Audit boss sends report out (internal)
 Buyer sends report out (external)

Auditors
Audit Boss
Buyer
Auditee

29. What next?
Audit Finding
Corrective
Action Request
Output of audit becomes input to corrective action.
(But that’s a topic for another speech!)

30. Questions?

31. Summary: Phases of the Audit
Preparation
 Performance
 Reporting
 Closure


32. Summary: Value of the Audit

Audits provide confidence:
◦ Controls are present
◦ Controls are used
◦ Controls really work
◦ Controls will continue

33. Summary: Rules for the Auditor
You must be prepared
 You must dig for threads and
patterns
 You must look for cause and
effect
 Managers understand the
language of business (cost,
production, risk)


34. Summary: Rules for the Audit
1.
Audits provide information
2.
Auditors must be qualified
3.
Audits measure to agreed criteria
4.
Conclusions are based on facts

35. Improved performance

36. Thank you!
Dennis R. Arter, CQA
 Columbia Audit Resources
 Kennewick, Washington
 (509) 783-0377
 Dennis@Auditguy.net
 Web site: http://Auditguy.net
 Blog site: http://Auditguy.blogspot.com
