
How to Write an Internal Audit Report That Drives Meaningful Action

Nikki Young
June 2, 2026

You’ve finished your audit fieldwork. You’ve identified your findings. But now what?

How do you, as the internal auditor, make sure that management takes action and addresses the issues?

Communicate the results of your audits in the wrong way, and you risk your recommendations being written off as just more work that management doesn’t have the time or resources to undertake.

That, or your reporting ends up gathering virtual dust in inboxes around the company, when no one even bothers to read it.

But a well-written audit report can help the organization to see internal audit as a strategic partner, providing useful insights for managing risk, preventing fraud, improving efficiency, and streamlining operations.

What Is an Internal Audit Report?

The Institute of Internal Auditors’ (IIA) Standard 2440 – Disseminating Results states that “the chief audit executive (CAE) must communicate the results of an internal audit to the appropriate parties.”

An internal audit report is a formal document that allows the CAE to effectively meet this requirement, by clearly presenting the findings from the internal audit, providing an independent assessment of what those findings mean for the organization, and making recommendations for meaningful improvements.

An internal audit report is an auditor’s most effective tool in:

  • Providing insight into processes
  • Identifying risk exposures
  • Exposing opportunities for fraudulent behavior
  • Explaining best practices
  • Offering realistic, actionable ways to improve performance, and
  • Driving positive change

Most internal audit reporting tends to follow a similar structure, but there isn’t a one-size-fits-all format that will work for every company. Internal audit reports should be tailored to your organization and to the needs of your audience.

How Do You Write an Internal Audit Report?

By the time you're at the point in your internal audit process where you’re ready to write your report, you've already got all the information you need from your fieldwork. And if you're using internal audit software like Supervizor's audit analytics platform, that information is based on continuous monitoring and 100% population testing, meaning you have full confidence in the quality of your findings and the level of assurance you can provide.

So, how do you take all that information and turn it into a report that is (as required by IIA Standard 2420 – Quality of Communications) “accurate, objective, clear, concise, constructive, complete, and timely”?

To present everything your audience needs to know while following established internal audit frameworks, your internal audit report will need to contain some variation of the following sections:

  • Executive summary: Usually less than a page, the executive summary provides a high-level overview of the audit and is designed to give stakeholders an understanding of the key audit findings, recommendations, and conclusions, without needing to read the entire report.
  • Objectives: These define the purpose of the audit (for example, you may be looking to confirm whether a process is in compliance with regulatory requirements, or to identify efficiency improvement opportunities).
  • Scope: This defines the parameters of the audit (details determined through thorough internal audit planning) and provides specifics of what activities were completed, the type of work performed, anything that was specifically included or excluded, and any limitations to the audit work. For example, the scope of an audit could be limited by date, type of transaction,
  • Background: This provides a brief description of the process being audited and may include an explanation of why the audit is being performed (for example, the process may have significantly changed since it was last audited, or management may have requested an audit based on concerns they have around the current process).
  • Observations: This section explains the issues identified during the audit and provides practical suggestions for improvements. The Chartered Institute of Internal Auditors recommends using the Five Cs to present observations (also known as findings) and recommendations clearly and comprehensively:
  1. Criteria: This defines the standards or benchmarks (internal or external) against which observations are being measured. It sets the expectations for how things should be done.
  2. Condition: This paints the picture of the current state of the process or area under review and gives the details of what internal audit found during the audit process. This often includes data and evidence to support the audit findings.
  3. Cause: This considers the underlying factors that are contributing to the identified issues. It looks at the root cause of the issue and explains why the problem exists.
  4. Consequence: This explains the potential impact of the identified issues, and quantifies the financial, operational, or reputational risks that exist if no changes are made, or if changes take too long to implement. This should include some form of risk ranking of each observation (e.g. high/medium/low, red/yellow/green). Many auditors use audit analytics software to support risk quantification and trend analysis.
  5. Corrective Action: This recommends specific, actionable solutions to address the issues identified. These recommendations should be practical, realistic, and clearly linked to the root causes.
  • Management’s action plan: This should include specific details of the action that management plans to take to address each observation, who is responsible for the action plan, and a target date for completion.
  • Opinion: This provides internal audit’s opinion on the overall risk and control environment of the process or business activity under review. This could just be a statement, or you could provide an overall risk ranking of the process based on the rankings of the individual observations when considered as a whole.
  • Conclusion: This wraps up the report by summarizing the findings, reinforcing the significance of those findings, and highlighting the urgency of corrective actions.

Example of an audit observation

❌ Before (vague, judgemental, not actionable)
 
The purchasing process is poorly controlled. Several invoices were processed incorrectly, and staff don’t seem to understand the procedures. Management should ensure that employees follow the policies.
 
✅ After (specific, factual, aligned with the Five Cs)
 
Internal audit noted that 18 out of 60 (30%) purchase orders tested were approved after the related goods were received. However, Procurement Policy PR-02 requires approval before commitments are made.
 
The current purchasing system allows goods receipts to be recorded without an approved purchase order, and no automated control prevents retrospective approvals.
 
As a result, the company is exposed to an increased risk of unauthorized commitments and budget overruns. In the last 12 months, late-approved purchase orders amounted to $2.4 million (12% of total spend in the sample period).
 
Internal audit recommends configuring the purchasing system to prevent goods receipts without an approved purchase order and implementing monthly monitoring of late approvals, with exception reports provided to the Procurement Manager.

How Do You Effectively Convey Your Message to Internal Stakeholders and to the Audit Committee?

This is where we come back to the importance of tailoring your internal audit report to the needs of your audience. And the fact that you have more than one audience to consider.

Management is responsible for implementing corrective actions, so you need to make sure you are providing the information they need to fully understand and address the issues. Management needs enough detail to understand the operational impact of the findings and recommendations (for example, the time, resources, and budget that it might take to make system or process changes).

But internal audit ultimately reports to the Board of Directors, through the Audit Committee (AC), so you need to provide a report to them too. The AC doesn’t need the specifics of what you tested or didn’t test or how many samples you looked at. They want to know what issues you identified and how serious they are, what the implications of those issues are at a strategic level, and how management plans to address the issues.

When writing your report, think of the executive summary as your report to the AC. At some companies, the executive summary is the only part of the report that the AC receives, so it should be able to stand on its own and summarize the entire audit.

Example of an Executive Summary

Internal Audit has reviewed the Order-to-Cash process, covering the period January 1 to June 30, 2025. Overall, we have determined that the control environment ‘Needs Improvement’.
 
We identified three high, two medium, and one low risk observations. The high-risk issues relate to:
 
  • Inadequate credit limit reviews for high-value customers,
  • Delays in issuing credit notes and resolving disputed invoices, and
  • Weak segregation of duties in the manual override of discounts.

These issues expose the company to a potential annual revenue loss of approximately $3–$4 million and may impact working capital by increasing days sales outstanding (DSO) by an estimated 5–7 days.
 
Management has agreed to all recommendations and has committed to implement the key actions by 31 December 2025. Internal Audit will perform a follow-up review in Q1 2026 to confirm implementation and assess effectiveness of process improvements.

But that doesn’t mean the rest of the report shouldn’t also be clear and concise.

While the actual format and design of the report can vary to align with your corporate communications standards, your report should always:

  • Be structured for clarity. Make your report easy to read, easy to understand, and easy for the reader to find the important information.
  • Use objective, neutral, and factual language. Audit provides an opinion as part of the report, but that opinion should always be based on an assessment of the facts, not on a feeling or a judgement.
  • Avoid jargon, buzz words, acronyms, and abbreviations. Assume your report is being read by someone with no prior understanding of your business and its internal language.
  • Be as short as possible to convey the message adequately. Don’t add extra words if they aren’t necessary.
  • Use visuals wherever possible. A picture, or in this case, a table or a chart, really is worth a thousand words when it comes to presenting data.

Why Is a Well-Written Internal Audit Report So Important?

The point of internal audit reports is not to make your team look good, to shout about all the problems you found around the company, or to check the boxes to say you finished the audits.

Instead, you should be focusing on providing value by identifying opportunities to improve compliance, efficiency of processes, strategic decision-making, and overall corporate performance.

Your report allows you to take often-complex business processes and explain them to stakeholders in a way they can understand, without needing to comprehend the day-to-day activities that make up those processes.

The best internal audit reports keep it simple. Clear, concise, factual, and insightful.

Issue a report that makes it as easy as possible for management to take meaningful action.

Nikki Young
Nikki is a freelance writer, editor, proofreader, and general word-nerd. Nikki has a 20+ year career background in internal audit, risk, and fraud, and now applies that knowledge in her writing and editorial work, rather than in daily practice. She holds her Certified Internal Auditor (CIA), Certification in Risk Management Assurance (CRMA), and Certified Fraud Examiner (CFE) designations. She is also an active member of both the Institute of Internal Auditors (IIA) and the Association of Certified Fraud Examiners (ACFE).