An audit report follows a structured format that presents your opinion on what was audited, what you found, and what should change. Whether you’re writing a financial statement audit for a public company or an internal operational audit, the core principles are the same: state your scope clearly, organize findings with supporting evidence, and write in plain language that management can act on. Here’s how to build one from start to finish.
Start With the Right Header Elements
Every audit report opens with a few standard pieces of information before you get into substance. For a financial statement audit of a public company, PCAOB standards require the title “Report of Independent Registered Public Accounting Firm,” addressed to the shareholders and board of directors. For internal audits or operational reviews, you still need a clear title that identifies the type of audit, the entity or process being audited, and the period covered.
Your header section should include:
- Report title identifying the audit type and subject
- Addressee(s) such as the board, audit committee, or management team responsible for the area under review
- Date of the report and the period the audit covers
- Name of the auditor or audit firm issuing the report
Write the Executive Summary First
The executive summary is often the only section that senior leadership reads in full, so treat it as a standalone document. It should provide a concise overview of why the audit was performed, what was examined, and what you concluded. According to guidance from the Institute of Internal Auditors, the executive summary should not contain technical jargon or internal audit methodologies. Focus on delivering the critical information with a clear, well-substantiated key message.
Keep this section to one page or less. Summarize the most significant findings and their business impact. If you issued an overall opinion or rating, state it here. A reader who stops after the executive summary should still walk away understanding the audit’s purpose and its most important results.
Define Your Scope and Objectives
The scope section tells the reader exactly what you looked at and, just as importantly, what you didn’t. Specify the business unit, process, system, or set of financial statements under review. Include the time period covered and the standards or framework you audited against, whether that’s generally accepted accounting principles, internal company policies, or regulatory requirements.
For a financial statement audit, this section (called “Basis for Opinion” under PCAOB standards) explains that the audit was conducted to obtain reasonable assurance about whether the financial statements are free of material misstatement, meaning errors or fraud large enough to influence a reader’s decisions. It also describes what the audit involved: assessing risks, testing evidence on a sample basis, evaluating management’s accounting estimates, and reviewing the overall presentation of the financials.
For an internal or operational audit, state your objectives more specifically. Were you testing whether expense approvals followed company policy? Whether a vendor selection process complied with procurement rules? Defining the objectives up front anchors every finding that follows.
Structure Each Finding With Five Elements
The findings section is the heart of the report. Weak findings read like vague complaints. Strong findings follow a five-part structure that the U.S. Government Accountability Office has long recommended: condition, criteria, cause, effect, and recommendation.
- Condition is what you observed. This is the factual description of the current state. For example: “12 of 50 sampled purchase orders lacked documented supervisor approval.”
- Criteria is the standard being measured against. What should be happening? This could be a company policy, a regulatory requirement, or an industry benchmark. Example: “Company policy requires supervisor approval for all purchase orders exceeding $500.”
- Cause explains why the gap exists. This is the underlying reason things went wrong, and it forms the basis for your recommendation. Example: “The approval workflow in the procurement system does not enforce a hold for orders above the threshold.”
- Effect is the consequence, either actual or potential. This is what makes the finding matter. Example: “Without approval controls, the company faces increased risk of unauthorized spending. The 12 unapproved orders totaled $47,000.”
- Recommendation is your proposed fix. It should be specific, actionable, and directed at the person or department responsible for making the change. Example: “IT should configure the procurement system to require supervisor sign-off before any purchase order above $500 can be submitted to a vendor.”
Not every finding needs all five elements at equal length. Minor observations might warrant a sentence or two for each. Significant findings deserve full paragraphs with supporting data, sample details, and quantified effects. The key is that every finding ties what you saw back to what should have happened, explains why it matters, and tells someone what to do about it.
State Your Opinion Clearly
For financial statement audits, the opinion is a formal, standardized conclusion. There are four types, and using the right one is critical:
- Unqualified (clean) opinion: The financial statements present fairly, in all material respects, the company’s financial position. This is the best outcome and the most common.
- Qualified opinion: The financials are fairly presented except for a specific issue. You use this when there’s a material misstatement or a limitation on your audit scope, but it’s confined to one area and doesn’t affect the overall picture.
- Adverse opinion: The financial statements do not present fairly. This signals pervasive, material misstatements. It’s rare and serious.
- Disclaimer of opinion: You were unable to obtain enough evidence to form any opinion at all. This typically happens when your access to records was severely restricted.
For internal audits, the opinion format varies by organization. Many internal audit teams use a rating scale (satisfactory, needs improvement, unsatisfactory) or a color-coded system. Whatever format your organization uses, the opinion should flow logically from the findings. If you documented three high-risk findings with significant financial exposure, a “satisfactory” rating will confuse readers and undermine your credibility.
Include Management’s Response
A complete audit report gives the audited party a chance to respond. After you share the draft findings, ask management to provide a written response for each one. Their response should indicate whether they agree or disagree with the finding, what corrective action they plan to take, who is responsible for implementing it, and when it will be completed.
Including management responses serves two purposes. It signals that the findings were discussed, not issued in a vacuum. And it creates accountability by documenting a commitment to fix the issue, complete with a name and a deadline. If management disagrees with a finding, include their explanation alongside your response. Transparency strengthens the report.
Writing Style That Gets Read
The IIA’s guidance on audit report writing centers on one principle: the tone should be constructive, not adversarial. You’re reporting facts and recommending improvements, not assigning blame. Use language like “we observed” or “testing revealed” rather than “management failed to” or “the department neglected.”
Keep sentences short and free of unnecessary jargon. If a detail doesn’t support one of your findings or conclusions, leave it out. Use consistent terminology throughout the report. If you call something a “deficiency” in one finding, don’t switch to “weakness” or “gap” in the next unless you mean something different. When precision matters (and it always does in audit reports), choose words deliberately.
Craft section titles and finding headlines that communicate the main point. “Vendor Payment Controls” tells the reader nothing. “Duplicate Vendor Payments Totaling $23,000 Went Undetected” tells them exactly what happened and why they should care. Front-load the most significant findings. Readers pay the most attention to what comes first, so put your highest-risk observations at the top.
Format for Easy Navigation
Audit reports often run 10 to 30 pages for internal engagements and longer for complex financial audits. Good formatting helps readers find what they need without reading cover to cover. Number each finding so it’s easy to reference in follow-up discussions. Use tables to present sample results, showing how many items you tested, how many exceptions you found, and the dollar value involved. Include a summary table at the beginning that lists every finding, its risk rating, and the page number where the full detail appears.
Attach supporting schedules, sample selections, or detailed test results as appendices rather than embedding them in the body of the report. The main text should tell the story. The appendices should provide the proof for anyone who wants to dig deeper.
Review Before You Issue
Before the report goes out, review it against a short checklist. Does every finding include the condition, criteria, cause, effect, and a recommendation? Are the recommendations specific enough that someone could act on them without calling you for clarification? Does the opinion align with the severity of your findings? Is the scope section accurate and complete? Have you removed any language that sounds accusatory rather than factual?
Have a colleague who wasn’t involved in the audit read the draft. If they can’t understand a finding without additional explanation, the writing isn’t clear enough. The best audit reports communicate complex issues so plainly that a board member with no audit background can grasp the problem, its impact, and the fix in a single reading.