What are types of Internal Audit reports? What contents that are presented? To whom it is submitted?
Pursuant to the Articles 16 and 17, Decree 05/2019/ND-CP dated January 22nd, 2019, there are some types of internal audit report as follow:
Engagement Report, presenting the following contents:
- Audit subjects;
- Scopes of work;
- Audit findings and conclusions related to the audit subjects and supporting arguments for the findings and conclusions;
- Weaknesses, unresolved issues, defects, violations and according recommendations;
- Proposal of solutions to improve business processes;
- Recommendations (if any) to help the client to optimize the risk management policies and organizational structure of (if any);
- Comments and responses of the client’s management about the audit report. In case of conflict opinions, reasons should be clearly presented.
- The signatures of the engagement auditor in charge.
In case of outsourcing, audit reports must be signed by the legal representatives or authorized persons of the service provider. Besides, there may be signatures of subordinate service providers if any.
Interim report: is the report that will be issued upon request or when auditors noticing signals of serious issues/ risks. Interim report will also have similar contents as above.
Annual report is the report that consolidate results of all engagement reports implemented in a year, with following contents:
- The annual audit plan;
- Numbers and description of audit engagements implements;
- Significant findings;
- Solutions proposed by internal auditors;
- Evaluations of the internal control processes relating to the audited activities and recommendations for improvement;
- Status of the implementation of solutions and recommendations proposed by internal audit.
- Signatures of the Chief Audit Executive.
According to the International Standards for the Professional Practice of Internal Auditing - Standards issued by the Institute of Internal Auditors: the above reports are not specifically mentioned, but there are guidelines for reporting as follows:
- 2400 - Communicating Results
- 2410 - Criteria for Communicating;
- 2420 – Quality for communication;
- 2421 - Errors and omissions;
- 2430 - Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”;
- 2431 - Engagement Disclosure of Nonconformance;
- 2440 - Disseminating Results;
- 2450 - Overall opinions.
Internal audit reports of an enterprise are sent to: (1) direct superiors (for listed companies, it is the Supervisory Board or the Board of Management (with independent and non-executive members), (2) Executive management (Company President, General Director / Director), (3) others according to the internal audit regulations of the enterprise (Refer to Article 16, Decree 05 / 2019 / ND-CP January 22, 2019 for more detail).