SIA 320 outlines the requirements for presenting internal audit reports to ensure clarity, objectivity, and timely communication of audit findings to stakeholders. The standard prescribes a uniform report structure that includes an executive summary, audit objectives and scope, methodology, detailed observations with risk-based categorization, root cause analysis, management responses, action plans, and overall conclusions if applicable. Internal auditors are responsible for ensuring that reports are evidence-based, concise, and actionable, enabling stakeholders to understand risks, control deficiencies, and improvement opportunities. Reports should be issued in written form and, where necessary, accompanied by formal presentations to Boards, Audit Committees, or relevant authorities, in line with engagement terms and internal audit charters.
The standard also addresses special circumstances, such as audits conducted in response to fraud allegations, whistleblower complaints, or regulatory inquiries. In these cases, auditors may present reports directly to designated authorities, maintain confidentiality, and limit circulation to authorized personnel. Protocols for secure communication, documentation of presentations, and stakeholder feedback are emphasized. Proper record-keeping, version control, and adherence to confidentiality measures are required to ensure transparency, accountability, and compliance with professional standards while safeguarding sensitive information.
The Institute of Chartered Accountants of India
Standard on Internal Audit
(SIA) 320
Presentation of Internal Audit
Reports
1. Introduction
1.1 Internal audit reports constitute the principal means for communicating the results of audit engagements to stakeholders. The presentation of such reports plays a critical role in ensuring that audit findings, conclusions, and recommendations are conveyed effectively, enabling appropriate action by those charged with governance.
1.2 This Standard prescribes the minimum requirements and recommended practices for the structure, content, communication, and presentation of internal audit reports. It also provides guidance on reporting in special circumstances, such as in response to allegation of fraud etc.
1.3 Internal audit reporting must maintain a high standard of clarity, objectivity, and relevance, ensuring that key risks, control deficiencies, and improvement opportunities are communicated in a timely and actionable manner.
1.4 Scope: This Standard applies to all internal audit functions, including in-house departments, co-sourced models, and engagements outsourced to third-party service providers.
2. Effective Date
2.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
3. Objective
3.1The primary objectives of this Standard are to:
a. Prescribe a uniform structure and format for internal audit reports that promotes clarity, transparency, and consistency.
b. Ensure that internal audit reports provide relevant, reliable, and timely information to support informed decision-making by management and those charged with governance.
c. Establish protocols for presenting internal audit reports to appropriate stakeholders, including in scenarios where internal audits are conducted in special circumstances or under special instructions from oversight bodies.
(d) Reinforce the internal auditor’s responsibility to uphold confidentiality, independence, and professional judgment in the preparation and presentation of reports.
4. Requirements
4.1 Report Structure and Minimum Content (Refer Para. A1)
The internal auditor may ensure that every internal audit report contains, at a minimum, the following components:
- Executive Summary: Highlighting key findings, critical risks, and high-priority recommendations.
- Audit Objectives and Scope: Including the period covered, business areas reviewed, and specific focus areas.
- Methodology and Criteria: Brief description of the audit approach and benchmarks or standards used.
- Detailed Observations and Recommendations: Including categorization of issues by significance (e.g., high/medium/low), root cause analysis, and risk implications.
- Management Responses and Action Plans: Reflecting agreed corrective actions, responsible owners, and implementation timelines.
- Conclusion or Overall Opinion: If required by the engagement terms, an audit conclusion summarizing the overall control environment or risk posture.
4.2 Mode of Report Communication (Refer Para. A2)
The internal audit report may be:
- Prepared and issued in a written format, using a standardized template as defined in the internal audit manual or engagement agreement.
- Accompanied by a formal presentation to relevant stakeholders, if required by the Audit Committee, Board, or as per the internal audit charter.
- Delivered in a timely manner in accordance with the internal audit plan, engagement terms, or regulatory timelines, as applicable.
4.3 Presentation in Special Circumstances (Refer Para. A3)
In certain situations, such as internal audits undertaken:
- In response to allegations of fraud, misconduct, whistleblower complaints, or regulatory inquiries.
- As part of strategic transactions, mergers, or other special reviews.
The internal auditor may be required to present the internal audit report directly to the Audit Committee, Board, regulators, or any other designated authority. In such cases, the internal auditor may:
- Obtain prior written approval or direction from appropriate governance authorities.
- Prepare a presentation version of the report, maintaining accuracy, objectivity, and confidentiality.
- Limit circulation of the report to authorized individuals, in accordance with applicable laws, policies, and confidentiality agreements.
4.4 Confidentiality and Communication Protocols (Refer Para. A4) The internal auditor may:
- Adhere to confidentiality requirements while disclosing audit results.
- Follow established reporting lines as per the internal audit charter, unless directed otherwise in writing.
- Ensure appropriate documentation of report circulation, meetings held for presentation, and stakeholder responses, where applicable.
*****
Application and Other Explanatory Material
A1. Report Structure and Minimum Content (Refer Para. 4.1)
- The Executive Summary should be concise yet comprehensive, enabling senior stakeholders to grasp key messages without reviewing the full report.
- Root cause analysis enhances the value of the audit by identifying systematic issues and helping prevent re-occurrence.
- Issues should be prioritized based on risk and impact, using clear rating criteria. (e.g., critical, major, moderate)
A2. Mode of Report Communication (Refer Para. 4.2)
- While written reports remain the principal means, presentations (e.g., via PowerPoint or dashboards) may be used to facilitate stakeholder discussion.
- Oral presentations should be documented, with records of attendees, discussion points, and action items arising from the meeting.
A3. Presentation in Special Circumstances (Refer Para. 4.3)
- In internal audit on special circumstances, the internal auditor may clarify the engagement scope and intended recipients at the outset.
- Reports prepared for regulators or external stakeholders may require modification to comply with legal disclosure requirements.
- Special reports may include a disclaimer if they are not part of the annual audit plan and do not follow standard risk-rating models.
A4. Confidentiality and Communication Protocols (Refer Para. 4.4)
- Mark reports with appropriate classification labels such as “Confidential,” “Restricted Circulation,” or “Board Use Only.”
- Use secure channels (e.g., encrypted emails, controlled-access portals) for report transmission.
- Maintain an audit trail of all communications, especially where deviations from normal reporting lines are involved.
A5. Documentation: The internal auditor may maintain appropriate documentation to support compliance with this Standard, including:
- The final issued version of the internal audit report and associated presentation materials.
- Approval for report presentation to non-routine stakeholders. (e.g., Board, regulators)
- Records of meetings or presentations conducted, including minutes, discussion points, and stakeholder feedback.
- Evidence of adherence to confidentiality protocols and circulation controls.
