The Seven Quality Attributes — And Why Most Reports Miss Them
GIAS 2024 Standard 11.2 specifies seven quality attributes for audit communications: accurate, objective, clear, concise, constructive, complete, and timely. Evaluating every audit report against each attribute before issuance is a quality control discipline that most functions do not apply systematically.
Accurate means every factual statement is verifiable against a workpaper. A finding that states management approved 23 invoices without dual authorisation must be supported by documentation of those 23 specific invoices. Accuracy failures give management grounds to dispute the entire finding and undermine the credibility of the report.
Clear is where most audit reports most significantly fail. Technical language, passive voice, and jargon-heavy descriptions of findings obscure meaning and reduce impact. If the Audit Committee Chair cannot understand the significance of a finding from reading the report without further explanation, the report has failed its primary communication purpose.
Concise is not the same as brief. Reports that include lengthy procedural descriptions, extensive background that management already knows, or detailed descriptions of processes not relevant to the finding are padded — and padding reduces rather than enhances impact.
The Finding Structure Problem
The most common cause of audit reports that fail to drive action is poorly structured findings. The five-element framework — criteria, condition, cause, effect, recommendation — is widely known but widely misapplied. Common errors: criteria that are vague; conditions that describe what auditors found without specifying evidence; causes that identify the symptom rather than the root cause; effects stated in abstract risk language rather than concrete business impact; and recommendations that address symptoms rather than root causes.
Consider the difference. Version one: "There were weaknesses in the approval process for procurement transactions." Version two: "Of 87 procurement transactions tested above PKR 500,000, 23 (26%) were approved by staff below the required authority level specified in the Delegation of Authority Matrix. Root cause: the updated Matrix has not been communicated to 14 of 18 approving staff. Effect: the organisation is exposed to risk of unauthorised commitments up to PKR 2.3 million for tested transactions alone. Recommendation: The Head of Procurement must communicate the updated Delegation of Authority to all approving staff within 14 days and obtain written acknowledgement."
The first version will be filed and produce no change. The second version specifies exactly what happened, why, how much risk exists, and precisely what must be done — creating the conditions for genuine accountability.
The Root Cause Imperative
The single most important improvement most audit functions can make to their reporting is investing more rigorously in root cause analysis. Root cause is what management must fix; addressing the symptom means the issue will recur. Root cause categories include: design deficiency (the control was never designed to prevent this risk); operating ineffectiveness (the control exists but is not being followed); resource gap (insufficient skilled personnel); system limitation (technology cannot support the control); and culture or tone failure (management override, lack of accountability).
Rating Systems and the Significance Problem
Audit rating systems are intended to help management and the board prioritise their response. In practice, many functions apply ratings too conservatively, driven by a desire to avoid management pushback. When most findings are rated Medium regardless of actual significance, the rating system loses meaning. A Critical finding should mean what it says: the control environment has a fundamental failure creating immediate risk of material loss, regulatory sanction, or significant reputational damage.
The Management Response Assessment
Audit reports that include management responses without the auditor's assessment of whether those responses are adequate leave the Audit Committee without a basis for independent judgment. Including the internal audit function's explicit assessment of management response adequacy — in the report — is one of the most impactful improvements a function can make. It requires professional courage, because management will push back on unfavorable assessments. But it is precisely this professional courage that transforms audit reporting from a compliance exercise into a genuine governance contribution.