Why and how audits are carried out, or independent assessment as a factor in business performance. Information on the results of the audit

Audit. Cheat sheets Samsonov Nikolay Alexandrovich

34. Written information from the auditor to the management of the economic entity based on the results of the audit

Before presenting the audit report, the audit firm (auditor) must provide written information on the results of the audit. It describes the deficiencies detected that can lead to significant errors in the financial statements and gives recommendations for eliminating them.

It is compiled for a mandatory audit, and for a proactive audit if this is provided for in the contract.

The written information must contain the following:

Required:

1. Details of the audit organization, as well as a list, specialization and other information about all auditors and other specialists who took part in the audit.

2. Details of the economic entity, as well as a list of officials responsible for the preparation of the financial statements of the legal entity.

3. The period to which the verified documentation relates, the date of signing of the written information.

4. Identified significant violations of the procedure for maintaining accounting and reporting established by law, which affect or may affect its reliability.

5. Results of checking the organization and maintenance of accounting, drawing up appropriate reports and the state of the internal control system of an economic entity.

Additional:

1. Features of conducting the audit stipulated by the contract or arising as a result of the inspection.

2. Data on the accounting staff.

3. List of areas or areas of inspection.

4. Information about its methodology.

5. Results of inspection of divisions, branches and subsidiaries.

6. The influence of particular results on the results of the inspection of the entire economic entity as a whole, etc.

It is imperative to indicate which comments are significant and which are not. In cases where a conclusion is prepared in a form other than an unconditionally positive one, reasoning must be given.

Written information is compiled in two copies. One is provided to the person who signed the contract, the second remains with the audit organization.


"Audit statements", 2006, N 10

When conducting an external audit of financial (accounting) statements, a very important task is the preparation and presentation of the audit results. The article shows the features of presenting information obtained during the audit.

The results of the audit must be presented in two documents: the audit report and information obtained from the audit.

Issues of preparation and presentation of the audit report are covered in Federal Law dated 08/07/2001 N 119-FZ (as amended on 02/02/2006) "On auditing activities" (clause 11, article 10) and Federal Rule (Standard) of Auditing Activities No. 6 "Auditor's report on financial (accounting) statements" (hereinafter referred to as Rule No. 6).

In accordance with these regulatory and legislative acts, the following is determined.

  1. The auditor's report is an official document intended for users of financial (accounting) statements.
  2. This document is drawn up in a certain form.
  3. The auditor's report contains the opinion of the audit organization, expressed in the prescribed form, on the reliability of the financial (accounting) statements of the audited entity and on the compliance of its accounting procedures with the legislation of the Russian Federation.
  4. The auditor's report can be unconditionally positive or modified. The latter includes several varieties (with an attention-drawing part, with a reservation, negative, refusal to express an opinion).
  5. The auditor's report is of a public (open) nature.

The information obtained as a result of the audit is presented to the management of the audited entity and its owner. This information is not clearly regulated, and therefore it is necessary to provide general recommendations regarding the preparation of this information.

Of course, the content of such information in accordance with the federal rule (standard) is more detailed compared to the requirements of the Russian rule (standard) "Written information to the management of an economic entity based on the results of the audit." Now information can be presented orally and in writing, requirements for the composition of information have been simplified, etc.

Let's consider the requirements for information that must be presented to the audited entity, contained in Federal Auditing Rule (Standard) No. 22. This Rule was developed taking into account international auditing standards and establishes uniform requirements for reporting information obtained from the audit of financial (accounting) statements to the management (managerial employees) of the audited entity and representatives of the owner of this entity.

The information consists of matters that became known to the auditor during the audit of financial (accounting) statements. Such information, in the opinion of the auditor, is important for the management and representatives of the owner of the audited entity when they exercise control over the preparation of reliable financial (accounting) statements and the disclosure of information therein. The information includes only those matters that came to the auditor's attention as a result of the audit. The auditor is not required to develop procedures during the audit that are specifically aimed at finding information relevant to the management of the entity being audited.

Typically, the auditor must communicate information to management and representatives of the owner of the entity being audited. The management of the audited entity is the persons responsible for the day-to-day management of the audited entity, as well as for carrying out financial and business operations, accounting and the preparation of financial (accounting) statements (for example, the CEO, financial director or chief accountant). Representatives of the owner of the audited entity are persons or collegial bodies that exercise general supervision and strategic management of the activities of the audited entity and that, in accordance with the constituent documents, can also control the current activities of its management.

The organizational structure and principles of corporate governance may differ between audited entities. This makes it difficult to determine the circle of persons to whom the auditor communicates information of interest to the management of the audited entity. The auditor uses his own professional judgment to determine those persons to whom information should be communicated, taking into account the management structure of the audited entity, the circumstances of the audit engagement and the specifics of the legislation of the Russian Federation.

In cases where the management structure of an economic entity is not clearly defined or the owner’s representatives cannot be strictly identified in accordance with the terms of the assignment or the legislation of the Russian Federation, the auditor agrees with the audited entity to whom the information should be communicated.

The audit engagement (audit engagement letter) may clarify that the auditor will only report information of management interest that comes to his attention as a result of the audit, and that the auditor is not required to develop procedures specifically aimed at searching for information relevant to the management of the audited entity. The contract may also specify the form in which the information will be communicated; the proper recipients of information; and specific audit matters of interest to the entity's management.

Communication will be more effective if there is a constructive working relationship between the auditor and management or representatives of the owner of the entity being audited. Such relationships should be developed taking into account the requirements of professional ethics, independence and objectivity.

The auditor must summarize the matters that are of interest to the management of the entity being audited and communicate them to the appropriate recipients of such information.

Typically, such information reflects:

  • the auditor's general approach to conducting the audit, the auditor's concerns about any limitations on the scope of the audit, and comments about the appropriateness of additional requests from the auditee's management;
  • selection or change by the management of the audited entity of principles and methods of accounting policies that have or may have a significant impact on the financial (accounting) statements of the audited entity;
  • possible impact on the financial (accounting) statements of the audited entity of any significant risks and external factors that must be disclosed in financial (accounting) statements (for example, legal proceedings);
  • significant adjustments to the financial (accounting) statements proposed by the auditor - both carried out and not carried out by the audited entity;
  • material uncertainties relating to events or conditions that may significantly cast doubt on the entity's ability to continue as a going concern;
  • disagreements between the auditor and the management of the audited entity on issues that, individually or in the aggregate, may be significant for the financial (accounting) statements of the audited entity or the auditor’s report. The information provided in this regard should include an explanation of the importance of the matter and whether the matter has been resolved or not;
  • expected modifications to the auditor's report;
  • other issues that deserve the attention of the owner's representatives (for example, significant deficiencies in the area of internal control, issues related to management misconduct);
  • issues the coverage of which has been agreed upon by the auditor and the audited entity in the contract for the provision of audit services (letter of consent to conduct an audit).

If the audit is carried out during the reporting year, the auditor must promptly report information to the representatives of the owner and the management of the audited entity so that appropriate measures can be taken promptly.

In order to timely report information, the auditor should discuss with representatives of the owner and management of the audited entity the procedure, principles and timing for reporting such information. In certain cases, due to the need to resolve an urgent issue, the auditor may report it earlier than previously agreed.

If the audit is carried out one-time, for example after the end of the reporting year, then information is communicated during the process or after the end of the audit.

Forms of communication of information to appropriate recipients may be oral or written. The auditor's decision about the form in which to report information is influenced by:

  • size, structure, legal form and technical support of the audited entity;
  • the nature, importance and characteristics of the information obtained from the audit that is of interest to the management of the audited entity;
  • existing arrangements between the auditor and the auditee regarding regular meetings or reports;
  • forms of interaction adopted by the auditor with representatives of the owner and management of the audited entity.

If information of interest to the management of the audited entity is communicated orally, the auditor should document in working papers this information and the reactions of the recipients of the information to it. Such documents may be, for example, copies of minutes of discussions held by the auditor with representatives of the owner and management of the audited entity. In some cases, depending on the nature, importance and characteristics of the information, it is appropriate for the auditor to obtain written confirmation from representatives of the owner and management of the audited entity regarding any oral communications on audit matters of interest to the management of the audited entity.

Usually, the auditor first discusses with the management of the economic entity the audit issues that are of interest to the management of the audited entity, with the exception of those issues that call into question the competence or integrity of the management itself. Preliminary discussions with management of the audited entity are important to clarify facts and issues and to enable management to provide additional information. If the management of an economic entity agrees to independently (without the participation of the auditor) communicate information of interest to the management of the audited entity to the owner's representatives, then the auditor may not need to re-communicate this information, provided that the auditor is satisfied with the effectiveness and appropriateness of the communication of such information.

If the auditor believes that it is necessary to modify the auditor's report in accordance with the requirements of Rule No. 6, then any other written information provided by the auditor to management or representatives of the owner of the audited entity cannot be considered as an appropriate substitute for the modified auditor's report.

The auditor should consider whether any information obtained from a previous audit may be relevant to the reliability of the financial statements of the current year. If the auditor concludes that such information is of interest to the management of the entity being audited, the auditor may decide to redisclose it to the entity's owner's representatives.

It is important that the information communicated is, as a rule, confidential. In this regard, the auditor is obliged to comply with the requirements of the legislation of the Russian Federation and the Code of Ethics for Auditors of Russia regarding the confidentiality of information obtained as a result of the audit. In some cases where there may be potential conflicts between the auditor's ethical and legal obligations of confidentiality and disclosure requirements, it is appropriate for the auditor to obtain legal advice.

Regulatory legal acts of the Russian Federation may establish the auditor's obligations regarding the communication of information of interest to the management of the audited entity. These additional reporting obligations are not changed by Rule 6, but may affect the content, form, and timing of the auditor's communication to appropriate recipients.

In conclusion, we note the following.

It is advisable to prepare written information in at least two copies. One copy of such information is transferred to the representative of the audited entity specified in the contract, the second copy remains in the audit organization and is included in the general working documentation of the auditor. Disagreement of the recipient of the auditor's written information with the contents of its final version cannot serve as a basis for refusal to receive this document.

To transmit oral information, it is advisable to develop a special form of working document “Protocol - coordination of information based on audit results.” In this document, information should be systematized and commented on by the auditor. The document must contain details that indicate that the management of the audited entity is familiar with the information presented.

Thus, both written and oral information is provided to the economic entity regularly during the audit. In this case, the information may contain both new information and information obtained from the results of a previous inspection. This is necessary if the auditor believes that this information may have an impact on the reliability of the financial (accounting) statements of the current year. If the information is of interest for the management of an economic entity, then it can be re-presented to representatives of the owner of the audited entity. Written information is usually stored in an archive file created for the audited entity and can be used in future audits as necessary.

V.I.Podolsky

Professor,

Head of the Department of "Audit" VZFEI

Every enterprise, regardless of the type of activity, needs an audit, which includes a number of important activities.

This article will provide comprehensive answers to all questions.

An audit is independent and involves the collection, evaluation and analysis of data on the functioning and financial position of a state, commercial or private enterprise (the audited entity).

The results obtained make it possible to draw final conclusions (a conclusion) about how correctly the accounting records are maintained and how truthful and reliable they are.

An independent audit merely provides control over how laws and norms of economic law are observed and whether there are any violations of tax legislation.

There is no targeted detection of errors in the work of accountants (financiers).

Types and purpose of audit

Depending on the purpose and goals, there are two main types of audits:

  • Mandatory audit - held annually, on a mandatory basis, in compliance with current law. Carried out only by audit companies. Regulated by the state or carried out by court decision.
  • Initiative or voluntary - carried out at the request of the client, in order to ensure the reliability of accounting and tax accounting, and to assess financial risks. This will help avoid penalties. But the main thing here is not to make a mistake in choosing an audit firm or a private individual providing similar services.

The reasons for conducting an audit may also be a change in the owner of the company or a change in the composition of the founders.

The main purposes of the audit are:

  1. confirmation of authenticity;
  2. timely detection of violations and their elimination;
  3. obtaining reliable information about the functioning of the enterprise and the state of accounting, maintaining documents.

After the audit, the audited entity is issued:

  • conclusion - in case of mandatory audit;
  • a report on the audit with the conclusions and recommendations of specialists for improving accounting and activities - during voluntary audits and other types of audits.

In addition, audits are divided into:

  1. external - carried out by prior agreement between the client and the contractor, and is an independent examination of the reliability of reporting;
  2. internal - carried out by the economic entity's own resources for management control over activities, improving economic and financial indicators, and obtaining recommendations (advice) for improving the efficiency of management.

Audit stages

The audit procedure takes place in accordance with established rules. Conditional stages of an audit:

  • Preparation (organization) and planning. The process is carried out according to current legislation and in accordance with the conditions specified in the service agreement. Based on the contract and the audit plan, the auditor is provided with all necessary documentation, including accounting and tax reports, giving a full view of all areas of the financial and economic activity of the audited entity. Accounting and internal control systems are studied and assessed, the risks of the upcoming audit are determined and an audit plan is drawn up.
  • Execution (implementation) of control procedures consists of collecting audit evidence, namely testing controls for compliance and conducting substantive testing.

    The result is the formulation of the auditor's own opinion about the reliability of the facts and their compliance with the current regulations.

  • Completion - preparation and formalization of working documentation, drawing up a conclusion (final document) on the reliability of the financial statements with a summary of audit evidence. Information obtained from the audit results is communicated to the management of the enterprise.

How is the audit carried out?

A special feature of the audit is the time limit.

That's why a clear organization of the audit is required, which is based on planning and programming. At the initial stage, the main goals and objectives are determined, the objects to be studied and the most effective analytical methods are selected.

During the activities, important evidence is collected, which forms the basis for the conclusion drawn up.

Before the start of the audit, a written request (audit letter) is prepared in compliance with the standard.

Its form and content may have some features, but the purpose and scope of the audit, the responsibility of the management of the audited entity for the preparatory process and the provision of the necessary documentation are unchanged.

Once everything is agreed upon, a bilateral agreement is concluded, which stipulates all the conditions for conducting the inspection.

When is a mandatory inspection carried out?

According to the law, a mandatory audit is carried out annually. The list of organizations includes:

  • open joint stock companies (JSC);
  • insurance companies;
  • professional securities market participants or organizations whose securities are admitted to trading on stock exchanges;
  • non-state pension funds or the companies managing them;
  • credit organizations;
  • gambling organizers;
  • issuers of securities;
  • enterprises whose revenue for the previous reporting year amounted to over 400,000,000 rubles or whose balance sheet assets for the previous reporting period exceeded 60,000,000 rubles.

The exceptions are agricultural cooperatives and unions, state (municipal) unitary enterprises.

Checks are carried out according to the following schemes:

  1. in one stage - annual audit;
  2. in stages - quarterly, for half a year or for 9 months.

When conducting an audit step by step, it is much easier to identify violations in maintaining records and preparing reports in accordance with applicable regulations and rules.

This makes it possible to quickly eliminate all shortcomings and errors before the end of the independent verification and will have a positive impact on the conclusion drawn up by a specialist.

Internal review

The internal audit is regulated by the management of the enterprise. This event is held for the purpose of:

  • identifying "gaps" in the activities of the enterprise and finding ways to increase its efficiency and potential;
  • determining inconsistencies in accounting and tax accounting with the current provisions;
  • identifying risks associated with the control of various services, which result in fines, sanctions, reprimands, warnings, etc., leading to loss of money and image;
  • preliminary preparation for external audit.

Conducting an internal audit contributes to the rational use of company resources, optimization of risks, preservation of assets and improvement of management activities.

These factors are an indicator of the confidence of investors and stakeholders.

FAQ

What is a personnel audit?

Very often, work with personnel documents in companies is in a neglected state. The management remembers that it is necessary to put the documents in order when the prospect of control activities looms; to do this, they promptly organize an audit and correct all detected errors. However, an audit is not carried out only in such cases. You will now find out how an HR audit is carried out and what is checked.

An audit is a check and assessment of an organization's activities by a professional specialist or an independent organization to identify existing risks of conflict situations, such as a labor dispute or claims from the State Labor Inspectorate.

Personnel documentation in a company plays an important role: it is required by the accounting department to calculate wages and vacation pay, and by the employee for submission to the Pension Fund of Russia or other organizations, for example to use any benefits. Therefore, such documents must be maintained in strict accordance with legal requirements.

If the company is not big enough to have a special unit (an internal audit department), it can invite an auditor under a civil contract: a specialist checking personnel documentation submits a report on identified violations and gives recommendations for their elimination and prevention.

In this case, the audit is carried out by a specialist who has good knowledge of labor legislation and has the skill of drawing up personnel documentation. He evaluates:

  1. completeness of personnel documentation;
  2. documentation registration and storage system;
  3. local regulations;
  4. employment contracts, additional agreements thereto;
  5. procedure for maintaining work books.

Drawing up an audit report is a mandatory stage of control and verification activities concerning the financial and economic activities of the organization.

Who conducts the inspection

To conduct an audit, both employees of third-party specialized companies and experts from government supervisory structures, as well as specialists from the enterprise itself can be involved (but not in all cases). In any case, these must be persons with a higher economic or accounting education, serious work experience, and an auditor certificate.

The main purpose of the audit is to assess the "purity" of the organization's accounting (financial) statements and their compliance with the laws of the Russian Federation.

Based on the results of the audit, the auditor issues his conclusion (positive or negative). Moreover, if the inspector believes that he has not received a sufficient amount of documentation and other supporting evidence about the company’s activities, he has the right to refuse to issue an opinion.

Audits can be:

  • mandatory, regulated by the legislation of the Russian Federation - usually enterprises working with financial means population;
  • voluntary – these are carried out on the initiative of the company’s management.

Also, checks can be one-time or regular (the latter are usually used in large organizations and are effective method control over the work of accounting and financial departments).

How is the check carried out?

Standards for conducting audit activities are prescribed in the legislation of the Russian Federation. In addition, some rules may be contained in the organization's accounting policy.

During the verification process, many parameters are taken into account:

  • direction of the company's activities;
  • personnel qualifications;
  • rates of growth;
  • financial condition, etc.

Often audit activities take several days, or even weeks - the specific period is negotiated individually and depends on many factors, including the size of the organization, the presence of structural divisions and branches, the duration of the period for which the audit is carried out, etc.

In any case, the audit is not carried out more than once a year.

Which documents are checked first?

Auditors check the entire package of accounting documentation (for a certain period of time), as well as reporting papers: balance sheets, applications, declarations, certificates, notes, etc. At the same time, for a complete and comprehensive analysis, all requested documents must be provided.

In some cases, only certain areas of the company’s activities are subject to audit, for example, tax payments and other mandatory payments, financial relationships with counterparties, accounting for cash transactions, fixed assets, etc.

Drawing up an act, features of the document

There is no unified sample audit report, so it can be written in any form. However, when compiling it, it is important to take into account some features common to all such documents.

In particular, it is necessary to divide the act into sections. There must be at least three of them:

  • beginning (the so-called “head”),
  • main part,
  • conclusion.

The details of the organization in which the inspection is being carried out, as well as information about the person checking, are entered at the beginning, the methods and progress of the inspection are included in the main block, and the conclusions of the experts are included in the conclusion.

The act must be signed by the person or group of persons who carried out the inspection - thus, they indicate that all the information entered into it is correct and they bear full responsibility for it. The act must also contain the auditor's seal.

The document is drawn up in two identical copies. One of them remains with the auditor, the second is transferred to the customer company. A note about the act should be entered in the enterprise's documentation journal - it is usually kept by the secretary.

Conditions for storing the act

The audit report is subject to mandatory storage as one of the most important control documents. As a storage space, it is best to select a cabinet, access to which is strictly limited. The storage period is determined either by internal regulations or by the legislation of the Russian Federation (but not less than five years).

Sample audit report

At the beginning of the document it is written:

  • its name, as well as the date and place (locality) of compilation;
  • information about the organization conducting the inspection (TIN, KPP, address and telephone);
  • auditor data (his full name, certificate number and other identification data);
  • information about the company in which the audit is being carried out (also TIN, KPP, address, telephone number, full name of the director and chief accountant).

Then comes the main section. It can be divided into several points. You must include here:

  • the purpose of control actions;
  • the period for which the inspection is carried out;
  • verification methods;
  • names of documents that were analyzed;
  • location of the audit (in the performer’s office or in the office of the customer company);
  • a clause on the division of responsibility (i.e., that the auditor is responsible only for his conclusions; everything related to the reliability of the papers, as well as the lack of necessary documents, is on the conscience of the one who provided them or did not provide them).

At the end, the results of the check are indicated. The more detailed this part of the act is described, the better.

The document can be supplemented with any other information (depending on the individual characteristics of the company). If any additional papers are attached to the inspection report, this should also be noted.

This article was written for a specialized magazine several years ago, but the publication unexpectedly closed. The text has been adjusted in accordance with the new wording of the international standards for the professional practice of internal auditing. It is assumed that it has not lost its relevance or practical significance today regarding issues of presenting internal audit results.

Presenting audit results, or more simply, writing an audit report, often turns into a real test for internal auditors. Requirements for the presentation of material, report formats, and the list of recipients are individual for each company. The company itself decides what the report of its internal audit service should be. For one company, in the audit report, it is enough to indicate in one sentence that such and such internal regulations have been violated, and the culprit will be dismissed from work. For the other, a well-founded argument is required that it is as a result of identified control deficiencies that the company loses profits, assets, does not fulfill plans, etc.

So, the initial data: two large oil companies, a public American one (let's call it WorldWideOil, abbreviated WWO) and a Russian one (we'll call it PetrolUnion, or PU). Both operate around the world, both strive for capitalization growth and expansion of activities. The American company's securities are listed on the New York Stock Exchange (NYSE), the Russian company's shares on the London Stock Exchange (LSE). Both companies have internal audit services of approximately equal size. The PU Internal Audit Service was formed in 2002. The WWO Internal Audit Service is much older, but in the same 2002, as a result of major mergers carried out by WWO, its internal audit service underwent significant changes and was actually created anew.

Reporting on internal audit activities

International professional standards for internal auditing. Standard 2060 Reporting to Senior Executive Management and the Board

The chief audit executive must periodically report to senior management and the board on the objectives, powers and responsibilities of internal audit, and progress in implementing the work plan. The report must also contain information about significant risks and control issues, including fraud risks, corporate governance issues, and other information required by senior management and the Board.

Ideally, it is believed that the internal audit service should have dual accountability: functional – to the board of directors, more precisely, its audit committee, and administrative – to the head of the organization or another manager (financial director, controller...) with the appropriate level of authority in order to ensure daily activities of the internal audit service. It is generally accepted that accountability to the board's audit committee ensures the independence of the internal audit function.

In the companies under consideration, things are as follows.

Administrative Accountability:

WWO: The auditor general (as the head of internal audit is called) reports to the senior vice president for finance (CFO). That is, all issues related to the daily activities of the internal audit service are resolved through the CFO.

PU: The vice president (head of the internal audit service) is subordinate and accountable directly to the president of the company.

Functional Accountability:

Through this line of accountability, the internal audit functions of both companies report periodically to their respective audit committees. In addition, the head of the PU internal audit service quarterly reports on the results of work to the company's board.

Both companies are trying to follow the requirements of the 2060 standard. In PU, the frequency of reports to the audit committee is not established; it is arbitrary and depends entirely on the committee’s work plan, which indicates the number and timing of consideration of issues related to internal audit. A special standard report form has not been developed. Reports contain general information on the nature of the deficiencies identified, including significant risks and control issues, as well as information on the number of audits performed.

The WWO General Auditor reports to the Audit Committee regularly throughout the year: 5-6 times during the year reports are submitted on the progress of the annual plan (in the form of a diagram - status report) and once - a report on the work of the internal audit service for the year (in the form of a report).

The report on the work of the internal audit service for the year contains information:

  • on the strategy and goals in the field of working with the personnel of the internal audit service;
  • personnel qualifications;
  • results of internal audit quality assessment;
  • internal audit budget;
  • implementation of key performance indicators and metrics by the internal audit service;
  • annual audit planning process;
  • implementation of the current year's audit plan;
  • updating the internal audit strategy;
  • justification of the plan for the next year.

Reports on the progress of the annual audit plan are presented in the form established by the internal audit service and agreed upon with the audit committee. They contain information:

  • about the audits performed;
  • on the assessment of internal control;
  • about management plans to eliminate deficiencies, as well as the progress in implementing these plans.

Schematically it looks like this:

The status provides three states: completed, in progress, and the due date has expired. In the report, these states are reflected in the “traffic light” colors, respectively: green, yellow and red dots.

Information for progress reports on the annual audit plan is collected from reports on the results of specific audit engagements. The information shown is objective, but at the same time “dosed”. What does it mean? This means that everyone involved in the process, including board members, should not be embarrassed; information about shortcomings is not inflated to the size of a “universal catastrophe” (as, for example, modern Russian television likes to do), negativity is not intensified. Everything is businesslike: we have discovered something, we are planning to do something to improve it, something has already been done or something has not been done.

One can recall the case when, one day, the subordinates of the head of PetrolUnion's internal audit service prepared for him a report to the audit committee in the form in which a report is usually made at a board meeting: biting phrases about the outrages that are happening, predictions of consequences of exaggerated proportions - in a word, a picture of a real Apocalypse.

There is no need to explain this.

It’s one thing to convey information in this form to board members (the company's executive body), who are obliged to respond adequately to signals from internal audit, and therefore, “the worse the story, the calmer the audit conscience,” and another thing to convey it to the members of the audit committee, who are called upon to carry out supervisory, but not administrative, functions.

Reporting on inspection results: form, content, deadlines, recipients

Group of standards 2400-2440 “Communication of results.”

Internal auditors must report the results of completed engagements.

Results communications should include definitions of the objectives, scope and content of the engagement, as well as associated conclusions, recommendations and action plans.

Communications must be accurate, clear, objective, clear, constructive, concise and timely.

The head of internal audit must communicate the results of the engagement to the appropriate parties.

WWO's standard audit report format has changed at certain stages in the development of the internal audit function. Now it is defined by the corporate internal audit regulations and the audit report looks like this:

Fig. 1. Audit report of oil and gas production subsidiary of WorldWideOil

In fact, the report is the conclusion of WWO’s internal audit on the state of the internal control system of those areas of the enterprise or structural unit that were audited. The conclusions are presented briefly.

The audit report itself usually takes up one page. The audit report must include three appendices:

A. Assessment of controls in each area of special attention (see Fig. 2);
B. List of control deficiencies identified as a result of the audit;
C. Description of control deficiencies and management action plan to eliminate them (see Fig. 3).

Fig. 2. Appendix A to the audit report of the oil and gas production subsidiary of WWO

Explanation for Fig. 2 (Appendix A). WWO internal audit uses four control assessments: positive – effective, reliable; negative – in need of improvement, weak. For each assessment, relevant criteria are defined. For example, the “reliable” rating corresponds to the level of control that can provide protection from material losses, distortions and errors, and non-compliance with company policies. In this case, control can be assigned the highest positive rating, even if audit testing reveals certain deficiencies in it, but only on the condition that these flaws do not lead to distortion of reporting and do not violate the security of the information systems used.

Control is assessed as “weak” if its shortcomings are significant: important control procedures are ignored, not performed, or audit objects are not identified by management at all, which leads to high risks of financial losses, leakage of confidential information, and failure to comply with company policies.

Appendix B is in effect a table of contents for Appendix C, i.e. it simply lists, in order, all identified control deficiencies.

Fig. 3. Appendix C to the Audit Report of WWO's Oil and Gas Producing Subsidiary.

Appendix C. When describing control deficiencies, internal auditors are guided by the WWO Internal Audit regulations, according to which the description of “weaknesses” must be brief and precise (usually 2-3 sentences for each example). Irrelevant comments are not included in the report. It is necessary to indicate what control procedures must be carried out, what risks the identified shortcomings lead to, and which specific WWO internal control standards and provisions of other local regulations of the company are not fulfilled. The draft audit report is prepared by the head of the audit (working) group (Lead Auditor, Auditor In-Charge). The deadline is the last day of checks “in the field”, before the final conference with the audited object. The draft report is sent to the auditee's management for final approval and for inclusion of the Management Action Plan in Appendix C, in which managers outline actions to correct the situation. This part of the audit report must also be clearly stated. It indicates the persons responsible for implementation and the deadlines for eliminating deficiencies. The implementation of the Plan is monitored by the internal audit service, including during subsequent audits.

Because information on measures to eliminate deficiencies has been agreed upon with the management of the audited object and included in the audit report, no administrative documents based on the audit results (orders, instructions, including at the corporate level) are issued.

The deadline for preparing the final version of the audit report in WWO is one of the indicators (metrics) for assessing the work of the internal audit service. The goal is 14 days, but in fact, the final versions of the reports are ready on average ten days after the completion of the review!

The audit report can be generated using a special computer program (for example, TeamMate), which allows you to automatically group auditors' comments into an audit report form. But in practice, the wording of comments and their composition are largely determined by the internal audit manager for the company’s area of activity, based on the results of meetings and the opinions of all members of the audit team. Comments not included in the report are included in the audit discussion memorandum, which is also considered at the final conference with the managers of the audited object. All deficiencies noted both in the audit report and in the memorandum are subject to unconditional elimination.

The WWO Internal Audit Regulations define the list of recipients of audit reports. These are:

  • internal audit managers (by area of activity);
  • auditor general;
  • First Vice President of Finance (CFO);
  • Vice President of Controlling/Chief Accountant;
  • Executive Vice President, Business Line;
  • external auditor.

By decision of the head of the audit team, managers of all levels, including vice presidents and executive vice presidents with relevant functional responsibilities (finance, information technology, logistics, etc.), may also be included in the mailing list.

Only those audit reports based on the results of which control is assessed as “weak” are sent to the chief executive of WWO! Before this, they are necessarily reviewed by the Auditor General.

In other cases, responsibility for the quality of the report lies with the managers of the internal audit service.

PU: PU, like WWO, has developed internal audit regulations. These are corporate internal audit standards and standards (at the level of methods) for conducting audits in areas of activity (business segments), which also contain requirements for the preparation of an audit report. For example, according to the corporate standard, the statement of the results of the audit engagement must include observations, conclusions (opinion), recommendations and an action plan. Observations should represent facts relevant to the audit engagement. Observations necessary to explain (prevent misunderstanding) the internal auditors' findings and recommendations should be included in the final presentation of the audit engagement's findings.

PU audit reports are very voluminous, have a lot of attachments, and essentially document the progress of the audit engagement. It’s not easy to read them, let alone write them!..

Another difficulty lies in the fact that the PU internal audit service includes recommendations for eliminating deficiencies in the report, including to the company’s top managers. These recommendations are formalized in administrative documents (orders, instructions), which require an approval procedure within the company and have a significant impact on the duration of the process of preparing the final report.

The quality requirements that the head of the PU internal audit service sets for audit reports are also understandable: the president will read them! In fact, each report is the “face” of the service. (Very responsible.)

In conditions where any internal audit service cannot objectively be 100% staffed with highly qualified specialists, the quality of the audit report is directly dependent on the amount of time spent on its writing. There is no need to talk about 10 days for a report! Sometimes the process drags on for several months, and one of the main qualities of the audit report is lost - its timeliness.

However, is it worth pointing at PetrolUnion when a similar situation was, quite recently, typical of the internal audit services of very large international companies?

All audit reports are sent to the president of the company, since the head of the internal audit service is subordinate and accountable directly to him. After consideration, the president decides to distribute the audit report, i.e. determines the circle of persons to whom the results of the audit engagement are communicated.

Which report presentation option is better? You'll have to decide for yourself. The statistics are as follows: having approximately the same number of objects in the audit database (over 500 for each company), the internal audit service of WorldWideOil conducts about 120 audits per year, the internal audit service of PetrolUnion - a little more than thirty. And the deadline for preparing the final version of the audit report is, of course, not the only factor, but a very important one, in explaining this difference. It would seem that the conclusion is obvious - urgently change the procedure for presenting audit results, simplify the structure of the report and not send it to the company's chief executive (or send it only in exceptional cases). But here it is worth thinking about one sensitive point.

Let’s imagine the work of internal audit in conditions of a more or less well-functioning system of internal control, risk management, and corporate governance. This is when the comments in the audit report may sound something like: “there is no evidence provided that the reconciliation of the accounts for March was carried out in the prescribed manner.” In fact, this is a serious violation for the internal control system, and managers at various levels understand this very well. And the strictest measures will be taken against the culprit. But this is... a working moment. It is inconvenient to go to the very top with such comments. And what happens? The work could not be better organized, but this is not appreciated, since meetings with senior management are extremely rare, and, as they say, over time, “falling out of the picture” occurs. Therefore, there is a paradox: the better the results of the work, the more clearly the whole mechanism works, the more vulnerable the position becomes over time, and this means a loss of authority and far-reaching conclusions.

Sometimes, apparently, this actually happens. True, this does not apply to the above-mentioned companies.

And in conclusion. Theoretically, the processes for generating and presenting the results of a completed audit assignment in PetrolUnion and WorldWideOil do not have fundamental differences, because internal audit in both companies complies with the International Professional Standards. In practice, these differences are significant. The reason lies in the different tasks facing internal audit services at the current stage of development of the companies.

The primary task of PetrolUnion internal audit is to create a modern system of corporate governance through recommendations (including to top management) developed based on the results of audits, and systematic monitoring of their implementation.

In WorldWideOil the situation is as follows. The external environment (and, first of all, the securities market) contributed to the development of the company’s corporate governance, formalization of risk management processes, and internal control. How? First of all, through the existence of appropriate legislation. Internal audit today mainly checks the compliance of the control actions of managers and performers with accepted regulations, which is fully consistent with the requirements of the Sarbanes-Oxley Act. In such conditions, it is easier to standardize both the audit process and the process of reporting audit results. WWO internal audit does not provide recommendations based on the results of the audit. Compliance with International Standard 2130 is achieved by providing consulting services to subsidiaries and structural divisions, i.e. conducting analysis to develop recommendations. However, the number of such projects per year is very small, and now the WorldWideOil auditors themselves are complaining about a decrease in efficiency, about the inability, due to lack of time, to pay more attention to identifying new risks and preparing recommendations aimed at increasing the company’s efficiency.

Obviously, there is no single recipe, but there is a main principle: do not stop there, constantly strive to improve and refine methods and processes.
