1. Should be succinct and informative to explain the reasons for, not the objectives of, doing the audit;
2. Only essential background information should be included – this should include the business objectives of the auditable entity;
3. Any references to previous audits should include the name and date of the audit, the overall assessment and the status of any issues or follow up work;
4. Any references to other related audit work should include details of the audit name, timing and linkage to the scope of the current audit;
Objectives and Scope
5. Should be written to recognise that any reader (e.g. the regulator) may not have the same level of understanding of the scope as the author;
6. The purpose, risks and scope should be clearly set out with transparent linkage to the Risk Profile to demonstrate that the scope is risk based;
7. Audit objectives should include the following wording ‘to assess the design and operating effectiveness of key controls in place to mitigate the following major risks’;
8. Should contain a clear explanation of what is in scope and what is out of scope. Also, a clear explanation where other audits cover parts of the process;
9. The scope and risks should be described in separate sections of the APM. Scope should describe the processes, products or business areas which will be covered during the audit. In addition, the key risks which the audit will focus on should be described with clear linkage to the Risk Profile of the auditable entity. Risks should also be considered in relation to the business objectives of the auditable entity.
10. Clear coverage of all of the most significant risks, otherwise an explanation as to why these risks are not being covered in the audit;
11. Risks should clearly be described as risks and not as either control failures, consequences of risks crystallising or business processes...