Audit Report Guide
Introduction
1. Should be succinct and informative to explain the reasons for, not the objectives of, doing the audit;
2. Only essential background information should be included – this should include the business objectives of the auditable entity;
3. Any references to previous audits should include the name and date of the audit, the overall assessment and the status of any issues or follow-up work;
4. Any references to other related audit work should include details of the audit name, timing and linkage to the scope of the current audit;
Objectives and Scope
5. Should be written to recognise that any reader (e.g. the regulator) may not have the same level of understanding of the scope as the author;
6. The purpose, risks and scope should be clearly set out with transparent linkage to the Risk Profile to demonstrate that the scope is risk based;
7. Audit objectives should include the following wording ‘to assess the design and operating effectiveness of key controls in place to mitigate the following major risks’;
8. Should contain a clear explanation of what is in scope and what is out of scope, and a clear explanation of where other audits cover parts of the process;
9. The scope and risks should be described in separate sections of the APM. Scope should describe the processes, products or business areas which will be covered during the audit. In addition, the key risks which the audit will focus on should be described with clear linkage to the Risk Profile of the auditable entity. Risks should also be considered in relation to the business objectives of the auditable entity.
10. Clear coverage of all of the most significant risks, otherwise an explanation as to why these risks are not being covered in the audit;
11. Risks should clearly be described as risks and not as control failures, consequences of risks crystallising or business processes.