Internal Audit Reports

The audit team leader prepares an audit report that is a complete, correct, concise, and clear record of the audit. The written report may include the topics described below. Some topics may not be applicable for your organization and the topics may be included in a different sequence.

The asterisked (*) items are the minimum set of topics suggested by QE19011S:2008 for an internal audit report.

Audit Objectives (*): Identify the goals of the audit, e.g., to verify conformity, evaluate effectiveness, and identify opportunities for improvement.

Audit Scope (*): Define the extent and boundaries of the audit, e.g., a description of the physical locations, organizational units, processes, and activities addressed by the audit.

Audit Client: Identify the organization or person that requested the audit. In the case of an internal audit, the client is typically the audit program manager that schedules the audits.

Audit Team (*): Identify the auditor(s) that conducted the audit, including the lead auditor.

Auditee Representatives: List the managers, supervisors, and employees that were interviewed during the audit. Use titles instead of names.

Audit Date (*): Include the date(s) of the audit, as well as the audit duration.

Report Date (*): Identify the issue date of the audit report.

Audit Location (*): List the site(s) that were audited.

Audit Criteria (*): Identify the applicable requirements against which the audit evidence was compared.

The audit criteria include Legal, Organization, Customer, and Standard requirements. Use the “LOCkS” acronym to remember the requirement types.

Audit Summary: Provide a summary of the audit results in terms of strengths and weaknesses. Include the individual observations and nonconformities at the end of the report.

Audit Findings (*): Include the results of the evaluation of the collected audit evidence against the audit criteria. These audit findings may indicate conformity or nonconformity.

Audit Evidence: Describe the records, statements of fact, or other information, which were relevant to the audit criteria and verifiable. Audit evidence is part of the audit record and included in nonconformity reports.

The audit evidence includes Documents, Observations, Records, and Statements. Use the “DOoRS” acronym to remember the evidence types.

Audit Follow-up: Indicate any nonconformities closed from the prior audit of the area. Ensure the corrective actions were effective in removing the causes and preventing recurrence.

Audit Conclusions (*): Describe the outcome of the audit after consideration of the audit objectives and all audit findings, e.g., extent of conformity, effectiveness of practices, and recommended improvements.

Audit Plan: Describe the activities and arrangements made for the audit. The plan may include an audit agenda with the areas that were audited and the auditor assignments.

Audit Process: Describe the audit methodology used, e.g., interview personnel, review documents, watch operations, and examine records.

Audit Disclaimer: Explain the uncertainty caused by sampling. State that there may be nonconformities beyond those reported because the audit took a limited sample during a brief time period. Or, state that the absence of reported nonconformities doesn’t mean there were no nonconformities.

Objectives Confirmation: Confirm that all the audit objectives were met. If not, explain why not and identify the actions needed to complete the audit as planned.

Obstacles Encountered: Identify any situations that took place during the audit that could decrease the reliability of the conclusions, e.g., lack of access or unavailability of personnel.

Areas Not Covered: Identify the functional areas or processes in the audit plan that were not addressed. Identify the areas and explain why they were left out.

Unresolved Opinions: Include any diverging opinions on audit findings or conclusions that were not resolved. Record the auditee issues and explain the escalation process.

Improvement Areas: Identify processes that could be improved. Note that suggestions are not binding.

Agreed Actions: Identify any actions resulting from the audit, e.g., corrective actions agreed to for the reported nonconformities.

Audit Confidentiality: Assure the reader that the audit results will be kept in strict confidence.

Thank You: Thank the auditee for their hospitality, cooperation, and openness.

Next Steps: Remind the reader of due dates for corrective actions and highlight any issues needing further attention.

Distribution List (*): List the audit report recipients.

Issue the audit report within the agreed time period. If not possible, communicate the reasons for the delay to the audit client and agree on a new issue date. Timely audit reports are critical to obtaining timely and thorough corrective actions.

Schedule time on the audit agenda to prepare the report so it is available at the closing meeting. Or, issue the report shortly after the closing meeting. Follow the audit procedure.

Send a copy of the report to the recipients designated by the audit client. All audit team members and report recipients should respect and maintain the report confidentiality.

See clause 6.6 in ISO 19011:2002 and QE19011S:2008, clause 6.6, on audit reporting.

Sample Report

The report we use for internal audits begins with an Audit Summary page that identifies the audit and describes its results. The next page is an Audit Matrix with columns for the audited processes and rows for the applicable clauses (requirements) of the standard.

The third page begins the Audit Record section with evidence listed for each audited area:

  • Persons Interviewed:
  • Documents Reviewed:
  • Activities Observed:
  • Records Examined:

This part is repeated for each area included in the audit scope and, depending on the audit scope, may require multiple pages to complete the sampling record. The final Audit Issues section reports any observations and nonconformities.

If you’d like a copy of our audit report, send an email to (larry@whittingtonassociates.com).