control, and governance
According to The IIA’s Practice Advisory 2410-1: Communication Criteria, engagement observations and recommendations emerge by comparing criteria (the correct state) with condition (the current state). The observations — and recommendations, if developed — are based on four attributes: criteria, condition, cause, and effect. These four attributes comprise a finding.
Criteria represent the laws, regulations, standards, specific requirements, measures, expected performance, policies, and procedures against which performance is compared or evaluated. Criteria identify the required, expected, or desired state or expectation and provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in
The condition explains “what is.” Auditors should ensure the condition statement is concise and focused, adheres to the facts, and refers to supporting evidence.
The cause statement must address the root cause. Moreover, the statement should be based on facts, not speculation. The cause identifies the reason or explanation for the condition or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria).
Writing the effect statement requires thoughtful preparation. While an auditor may merely state that an audit client is not complying with a particular law, regulation, or policy, it is advisable to specify the actual or potential effect of the noncompliance.
The recommendation statement should be clear and directly address the cause statement by describing the necessary corrective action. If the recommendation leaves room to doubt how it relates to the cause, then the recommendation likely is poorly written.
When writing a finding for workpapers or a report, auditors should understand the four elements of a finding and how they relate. Each of these elements must come together to make a cohesive and persuasive set of facts that merit the audit client’s attention. When presenting the finding, it is best to begin with the condition (what is) and then lay out the criteria (what should be), followed by a discussion about the effect and then the cause.
Adapted from “Audit Finding Fundamentals," by Benice Lemaire (Internal Auditor, "Back to Basics," October 2012).
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.