Key Takeaways

  • ISA 265.9 requires significant deficiencies in internal control to be communicated in writing to those charged with governance. ISA 265.10 adds that other deficiencies of sufficient importance must be communicated to management.
  • Every finding should follow the five-part structure: condition, criterion, cause, effect, and recommendation. This framework forces you to separate what happened from why it happened from what it costs.
  • The effect section determines priority. A finding with a vague effect gets filed. A finding with a quantified effect (“€87K confirmed duplicate payments requiring recovery”) gets discussed at the next board meeting.
  • ISA 265.8 requires documented judgment on whether each deficiency constitutes a significant deficiency. The AFM found that 31% of reviewed files contained no evidenced classification.

Your draft findings report just came back from partner review with more red ink than black. The comments aren’t about your audit work. They’re about how you wrote it up. The client’s audit committee read the same report and asked for “clarification” on four of six findings, which is code for: they didn’t understand what you meant or why it matters. Most audit findings fail not because the evidence is weak but because the report buries the point under passive hedges and procedural language.

An audit findings report under ISA 265.9 communicates significant deficiencies in internal control to those charged with governance, structuring each finding with a condition, criterion, cause, effect, and recommendation that the audit committee can act on without requesting a follow-up meeting.

What ISA 265 actually requires you to report

ISA 265.9 requires you to communicate significant deficiencies in internal control in writing to those charged with governance on a timely basis. That’s the floor. ISA 265.10 adds that you must also communicate to management deficiencies that are “of sufficient importance to merit management’s attention.” The distinction between these two audiences (governance versus management) shapes the entire report structure. A finding addressed only to management doesn’t need the strategic framing that a governance-directed finding requires.

The standard itself doesn’t prescribe a template. ISA 265.A14 lists possible content elements (description of the deficiency, explanation of potential effects, sufficient information for governance to understand the context) but stops short of mandating a format. Most teams get stuck at exactly this point. Without a mandated format, they default to whatever the prior year file used, which often means a mishmash of paragraphs with no consistent internal structure.

What ISA 265 does mandate is the judgment call. ISA 265.8 requires you to determine whether identified deficiencies, “individually or in combination,” constitute significant deficiencies. That judgment needs to be documented. A reviewer who opens your findings report and can’t trace the significant-versus-other classification to a documented rationale will send it back. The AFM’s thematic reviews have flagged this repeatedly: the deficiency was identified, the communication was issued, but the file contained no evidence of the significance assessment.

The five-part finding structure that passes review

The framework isn’t in ISA 265 itself. It comes from audit methodology manuals and regulatory expectations, and it works because it forces you to separate what happened from why it happened from what it costs. Every finding in your report should contain five distinct sections: condition, criterion, cause, effect, and recommendation.

Most draft findings collapse two or even four of these into a single paragraph. The result reads like a narrative account of what the auditor observed, which is useful as a fieldwork memo but not as a governance communication. The audit committee doesn’t need the story. They need the structured answer to four questions: what went wrong, what should have happened, why it went wrong, and what it costs if nobody fixes it.

Structure also controls length. A well-separated five-part finding runs 150 to 250 words. A finding that merges everything into prose typically runs 400 words and says less. If your findings report exceeds ten pages for a mid-market entity with four to six findings, the structure is the problem, not the volume of issues.

Writing the condition: what you found

The condition is a factual statement. No judgment, no implication. Just what you observed, stated with enough precision that someone who wasn’t on the engagement could verify it independently.

Two rules govern the condition. First, it must be specific. “The company’s revenue recognition process has weaknesses” is not a condition. “The company recorded €2.1M in revenue in Q4 2024 without evidence of delivery completion for 14 of 38 sampled transactions” is a condition. ISA 265.A14(a) asks for a “description of the deficiency” sufficient for the reader to understand the context. A vague description fails that test.

Second, the condition must be limited to the observable. Don’t diagnose the root cause here. The condition section establishes the factual basis that your internal control testing already supports. If the audit committee disputes anything else in the finding, the condition must still stand as an independently verifiable statement.

Keep conditions short

Two sentences where possible. One for the deficiency, one for the scope (how many transactions, what period, what population). If you need a longer condition, you’re likely combining two findings.

Writing the criterion: why it matters

The criterion is the benchmark the condition falls short of. It answers: compared to what? Without a stated criterion, the audit committee has no way to assess whether the condition is actually a problem or just the way this client has always operated.

For internal control deficiencies, the criterion is usually the control that should have operated. “The company’s accounts payable policy requires three-way matching (purchase order, goods receipt, invoice) before payment authorisation.” The condition then becomes the gap between this policy and what you actually observed.

For financial reporting deficiencies, the criterion is the applicable accounting standard. Always cite the specific paragraph. ISA 265.A14(b) refers to an explanation of “potential effects.” You can’t explain potential effects without first establishing what the correct state looks like.

A common mistake is writing the criterion as a restatement of the condition in reverse. “The company should have three-way matching” is just the condition flipped. A proper criterion states the source and the specific requirement. It gives the audit committee the reference point they need to assess whether management’s response is adequate.

Writing the cause: why it happened

The cause section is where most findings either earn credibility or lose it. A cause that reads “management did not operate the control effectively” adds nothing. The audit committee already knows the control failed. That’s the condition. The cause needs to explain the mechanism.

Good cause analysis identifies the layer where the failure sits. Was this a design deficiency (the control never existed) or an operating deficiency (the control exists but didn’t run)? ISA 265.7 makes this distinction, and your cause should too. A design deficiency implies the recommendation will require new controls. An operating deficiency may only require retraining or monitoring.

Causes fall into a handful of recurring categories. Staff turnover in the finance team during the reporting period. A system migration that temporarily disabled automated controls. Manual workarounds introduced during rapid growth that became permanent. Lack of segregation of duties in a team of two. Write the specific mechanism. “High turnover in the accounts receivable team during Q3 2024 (two of four staff replaced) left the three-way matching control unreviewed for 11 weeks” tells the audit committee something they can act on.

Writing the effect: making the numbers talk

The effect section determines whether the audit committee takes the finding seriously. A finding with a vague effect (“this could lead to errors”) gets noted and filed. A finding with a quantified effect (“this resulted in €340K of unmatched payments, of which €87K were confirmed as duplicate payments requiring recovery”) gets discussed in the next board meeting.

ISA 265.A14(b) references “potential effects.” The word “potential” is doing real work in that sentence. You don’t need to prove that a loss occurred. You need to establish what could happen if the deficiency persists. But “potential” doesn’t mean vague. Quantify the exposure wherever you can.

Two levels of quantification work in practice. The first is actual impact: what already went wrong because of this deficiency during the audit period. Did the testing identify misstatements? What was the total? The second is exposure: the total population at risk. If your sample of 38 transactions found 14 without delivery evidence, and the total Q4 revenue is €12.4M, the exposure is the proportion of that €12.4M that lacks support. Compare the quantified effect against your performance materiality to determine whether the finding qualifies as significant under ISA 265.8.

If you genuinely can’t quantify the effect, describe the specific risk scenario. “Without three-way matching, the entity cannot detect duplicate payments or payments for goods not received. During the period, accounts payable processed €8.2M in payments. The entity has no compensating control that would catch a duplicate within the same payment run.” That’s still specific. It’s still tied to a number.

Never write “this could result in material misstatement” as the entire effect section. Every deficiency could result in material misstatement if you tilt the assumptions far enough. The effect section needs to show this specific deficiency’s impact on this specific entity’s numbers during this specific period.

Writing the recommendation: specific enough to implement

The recommendation must be clear enough that someone who wasn’t in the meeting can implement it without asking a follow-up question. ISA 265.A15 notes that the auditor may wish to suggest actions but is not obligated to do so. In practice, issuing a finding without a recommendation tells the audit committee you identified a problem but won’t help them solve it. Every finding should include one.

Write the recommendation as a concrete action with a defined scope. “We recommend improving the revenue recognition process” fails the test. “We recommend the finance director implement a monthly reconciliation of shipping documents to invoiced revenue, with exceptions reviewed by the financial controller before month-end close” passes it. The difference is that the second version names who does what, how often, and what the review step looks like.

Avoid two common traps. First, don’t recommend what the standard says. “We recommend compliance with IAS 18.14” is a citation, not a recommendation. Second, don’t over-specify to the point where you’re designing their control system. The recommendation should close the gap between the condition and the criterion. It shouldn’t redesign the finance function.

One recommendation per finding

If a finding requires two distinct actions (a short-term fix and a longer-term system change), separate them with a clear label: “Immediate action” and “Longer-term recommendation.” This helps the audit committee track implementation against your next interim visit.

Tone and language: writing for the audit committee

The audit committee is not your engagement team. They read the findings report once, typically the evening before the meeting. If a finding requires re-reading to understand, it has already failed.

Use short sentences. Active voice. Name the actor in every sentence. “The financial controller did not review the reconciliation” carries more weight with a board member than “the reconciliation was not reviewed.” ISA 265.A14 expects the communication to contain sufficient information for those charged with governance to understand the context. That standard of sufficiency is tested by readers who spend eight minutes on your report, not eighty.

Avoid hedging language in the condition and effect sections. “It appears that certain controls may not have operated as intended” tells the reader nothing. Either the control operated or it didn’t. Either you found exceptions or you didn’t. State the fact. The cause section is where nuance belongs.

Watch your use of “noted.” In audit reports, “we noted” appears on average four times per page. It’s filler. “We found” or “testing identified” says the same thing with more authority. Similarly, “it was observed that” is a passive construction that adds seven words and zero information. Cut it. Start with what you found.

Format matters too. Each finding should start on a new page. The five sections should be visually distinct (bold headers or a consistent label format). The AFM’s inspection guidance notes that report clarity is assessed alongside report content. A technically sound finding buried in dense paragraphs doesn’t meet the “timely and effective communication” standard that ISA 265.9 requires.

Worked example: Van Leeuwen Bouw B.V.

Scenario: Van Leeuwen Bouw B.V. is a Dutch construction company with €68M revenue, audited by a mid-tier firm. During the 2024 audit, the engagement team identified that project revenue was recognised based on estimated percentage of completion without independent verification of project stage assessments.

Finding 1: Unverified percentage-of-completion estimates for project revenue

Condition

Van Leeuwen Bouw B.V. recognised €68M in construction revenue during FY2024 based on percentage-of-completion estimates prepared by project managers. The audit team tested 12 of 31 active projects (representing €44M of revenue) and found that 8 of 12 project stage assessments had no independent verification by the financial controller or quantity surveyor. The stage assessments for these 8 projects relied solely on the project manager’s estimate without supporting documentation such as surveyor reports or certified milestone completions.

Documentation note: Record the population (31 active projects, €68M total), sample (12 projects, €44M), and exception rate (8/12) in the testing summary. Cross-reference to the substantive test working paper (WP ref: E.3.2).

Criterion

IFRS 15.39 requires revenue recognised over time to reflect the entity’s progress toward complete satisfaction of the performance obligation. IFRS 15.B14 through B19 specify that the output method (surveys of work performed, milestones reached) or input method must use reliable data. Van Leeuwen Bouw’s own project accounting policy (Section 4.2) requires quarterly sign-off by a quantity surveyor for all projects exceeding €500K.

Cause

Van Leeuwen Bouw’s in-house quantity surveyor left in March 2024 and was not replaced until November 2024. During this eight-month period, project managers self-assessed completion percentages without independent review. The financial controller relied on project manager certifications as sufficient evidence, citing time pressure on monthly reporting deadlines.

Effect

The audit team’s independent re-estimation of completion percentages for the 8 unverified projects identified a net overstatement of €1.2M in revenue (2.7% of the €44M sampled). Two projects were individually overstated by more than €400K. The remaining 19 untested projects represent €24M in revenue. If the error rate holds across the population, total exposure is approximately €1.5M, which exceeds the performance materiality of €680K set at planning.

Recommendation

We recommend the financial controller reinstate mandatory quarterly quantity surveyor sign-off for all projects exceeding €500K, consistent with the entity’s existing policy (Section 4.2). For the interim period until the new quantity surveyor completes onboarding, we recommend the financial controller engage an external surveyor for projects exceeding €1M, funded from the project contingency budget. Van Leeuwen Bouw should complete this by 31 March 2025, with the first external surveyor review covering all Q1 2025 project assessments.

Practical checklist for your next findings report

  1. Before drafting, classify every identified deficiency as significant or other per ISA 265.8 and document the rationale in a separate assessment working paper. Don’t embed this judgment only in the report itself.
  2. Write each condition in two sentences or fewer. One sentence for what you observed, one sentence for the scope. If you need a longer condition, you’re likely combining two findings.
  3. State the criterion with a specific paragraph reference (IFRS 15.39, ISA 265.A14, the entity’s own policy section number). An unnamed benchmark is an unsupported finding.
  4. Quantify the effect with actual numbers from your testing. State the misstatement found, the population at risk, and the relationship to performance materiality. If you can’t quantify, describe the exposure with the relevant monetary amount of the population affected.
  5. Write each recommendation as a sentence with a named actor, a specific action, a frequency, and a deadline. “Improve controls” is not a recommendation. “The financial controller should reconcile X to Y monthly, starting Q2 2025” is.
  6. Run the complete report through partner review before issuing it to the client. The most common return comment is a finding where condition and cause are merged into one paragraph.

Common mistakes regulators flag

  • The AFM’s 2023 thematic review on audit quality found that 31% of reviewed files communicated deficiencies but contained no documented assessment of whether they constituted significant deficiencies under ISA 265.8. The classification was implicit, not evidenced.
  • The FRC’s 2022–23 Audit Quality Inspection noted that several firms issued findings reports where the “effect” section contained no quantification, relying instead on phrases like “could lead to material misstatement.” The FRC expects the auditor’s communication to reflect the specific financial impact observed during testing, not a theoretical risk statement.

Frequently asked questions

What must an audit findings report contain under ISA 265?

ISA 265.9 requires significant deficiencies in internal control to be communicated in writing to those charged with governance on a timely basis. While the standard does not prescribe a template, ISA 265.A14 lists content elements including a description of the deficiency, an explanation of potential effects, and sufficient information for governance to understand the context. In practice, each finding should contain five sections: condition (what you found), criterion (why it matters), cause (why it happened), effect (quantified impact), and recommendation (specific action to fix it).

How do you distinguish a significant deficiency from other deficiencies under ISA 265?

ISA 265.8 requires the auditor to determine whether identified deficiencies, individually or in combination, constitute significant deficiencies. This judgment must be documented. A significant deficiency is one important enough to merit the attention of those charged with governance. Factors include the likelihood and magnitude of potential misstatement, the nature of the affected account or disclosure, and whether compensating controls exist. The AFM has flagged files where the classification was implicit rather than evidenced in a separate assessment working paper.

How do you quantify the effect section of an audit finding?

Quantify at two levels. First, state the actual impact: misstatements identified during testing, with the total amount. Second, state the exposure: the total population at risk. If your sample of 38 transactions found 14 without delivery evidence and total Q4 revenue is €12.4M, state that relationship. Compare the quantified effect to performance materiality to support your ISA 265.8 significance assessment. If you cannot quantify, describe the specific risk scenario with the monetary amount of the population affected.

What is the five-part finding structure for audit reports?

The five-part structure separates each finding into condition (what you observed, stated factually), criterion (the benchmark it falls short of, with a specific standard or policy reference), cause (the mechanism that explains why the control failed), effect (quantified impact or exposure), and recommendation (a concrete action with a named actor, frequency, and deadline). This framework forces you to separate what happened from why it happened from what it costs, and keeps each finding to 150–250 words.

What common mistakes do regulators flag in audit findings reports?

The AFM’s 2023 thematic review found that 31% of reviewed files communicated deficiencies but contained no documented assessment of whether they constituted significant deficiencies under ISA 265.8. The FRC’s 2022–23 inspection noted that several firms issued findings with no quantification in the effect section, relying on phrases like “could lead to material misstatement” instead of the specific financial impact observed during testing.

Further reading and source references

  • IAASB Handbook 2024: the authoritative source for the complete ISA 265 text, including all application material on communicating deficiencies in internal control.
  • ISA 320, Materiality in Planning and Performing an Audit: the materiality threshold against which finding effects are measured.
  • ISA 330, The Auditor’s Responses to Assessed Risks: the control testing that generates the evidence behind your findings.
  • IFRS 15, Revenue from Contracts with Customers: the criterion referenced in the worked example for percentage-of-completion revenue.