Your draft findings report just came back from partner review with more red ink than black. The comments aren’t about your audit work. They’re about how you wrote it up. The client’s audit committee read the same report and asked for “clarification” on four of six findings, which is code for: they didn’t understand what you meant or why it matters. Most audit findings fail not because the evidence is weak but because the report buries the point under passive hedges and procedural language.
An audit findings report under ISA 265.9 communicates significant deficiencies in internal control to those charged with governance, structuring each finding with a condition, criterion, cause, effect, and recommendation that the audit committee can act on without requesting a follow-up meeting.
Key takeaways
- How to structure each finding using the five-part framework required by ISA 265.A12 so your report survives partner review on the first pass
- How to write the “effect” section with numbers that make the audit committee care about the deficiency
- How to distinguish significant deficiencies from other deficiencies under ISA 265.8 and document that judgment
- How to produce a complete findings report for a mid-market client in under two hours using a repeatable format
What ISA 265 actually requires you to report
ISA 265.9 requires you to communicate significant deficiencies in internal control in writing to those charged with governance on a timely basis. That’s the floor. ISA 265.10 adds that you must also communicate to management deficiencies that are “of sufficient importance to merit management’s attention.” The distinction between these two audiences (governance versus management) shapes the entire report structure. A finding addressed only to management doesn’t need the strategic framing that a governance-directed finding requires.
The standard itself doesn’t prescribe a template. ISA 265.A14 lists possible content elements, including a description of the deficiency and an explanation of potential effects, but stops short of mandating a format. Most teams get stuck at exactly this point. Without a mandated format, they default to whatever the prior year file used, which often means a mishmash of paragraphs with no consistent internal structure.
What ISA 265 does mandate is the judgment call. ISA 265.8 requires you to determine whether identified deficiencies, “individually or in combination,” constitute significant deficiencies. That judgment needs to be documented. A reviewer who opens your findings report and can’t trace the significant-versus-other classification to a documented rationale will send it back. The AFM’s thematic reviews have flagged this repeatedly: the deficiency was identified, the communication was issued, but the file contained no evidence of the significance assessment.
The five-part finding structure that passes review
The framework isn’t in ISA 265 itself. It comes from audit methodology manuals and regulatory expectations, and it works because it forces you to separate what happened from why it happened, what it costs, and what to do about it. Every finding in your report should contain five distinct sections: condition, criterion, cause, effect, and recommendation.
Most draft findings collapse two or even four of these into a single paragraph. The result reads like a narrative account of what the auditor observed, which is useful as a fieldwork memo but not as a governance communication. The audit committee doesn’t need the story. They need the structured answer to four questions: what went wrong, what should have happened, why it went wrong, and what it costs if nobody fixes it.
Structure also controls length. A well-separated five-part finding runs 150 to 250 words. A finding that merges everything into prose typically runs 400 words and says less. If your findings report exceeds ten pages for a mid-market entity with four to six findings, the structure is the problem, not the volume of issues.
Writing the condition: what you found
The condition is a factual statement. No judgment, no implication. Just what you observed, stated with enough precision that someone who wasn’t on the engagement could verify it independently.
Two rules govern the condition. First, it must be specific. “The company’s revenue recognition process has weaknesses” is not a condition. “The company recorded €2.1M in revenue in Q4 2024 without evidence of delivery completion for 14 of 38 sampled transactions” is a condition. ISA 265.A14(a) asks for a “description of the deficiency” sufficient for the reader to understand the context. A vague description fails that test.
Second, the condition must be limited to the observable. Don’t diagnose the root cause here. The condition section establishes the factual basis that your internal control testing already supports. If the audit committee disputes anything else in the finding, the condition must still stand as an independently verifiable statement.
Keep it short. Two sentences where possible. One for the deficiency, one for the scope (how many transactions, what period, what population).
Writing the criterion: why it matters
The criterion is the benchmark the condition falls short of. It answers: compared to what? Without a stated criterion, the audit committee has no way to assess whether the condition is actually a problem or just the way this client has always operated.
For internal control deficiencies, the criterion is usually the control that should have operated. “The company’s accounts payable policy requires three-way matching (purchase order, goods receipt, invoice) before payment authorisation.” The condition then becomes the gap between this policy and what you actually observed.
For financial reporting deficiencies, the criterion is the applicable accounting standard. “IAS 18.14 (for periods before IFRS 15 adoption) requires revenue to be recognised when significant risks and rewards of ownership transfer to the buyer.” The condition is the gap between this requirement and the entity’s practice. Always cite the specific paragraph. ISA 265.A14(b) refers to an explanation of “potential effects.” You can’t explain potential effects without first establishing what the correct state looks like.
A common mistake is writing the criterion as a restatement of the condition in reverse. “The company should have three-way matching” is just the condition flipped. A proper criterion states the source and the specific requirement. It gives the audit committee the reference point they need to assess whether management’s response is adequate.
Writing the cause: why it happened
The cause section is where most findings either earn credibility or lose it. A cause that reads “management did not operate the control effectively” adds nothing. The audit committee already knows the control failed. That’s the condition. The cause needs to explain the mechanism.
Why does a specific control fail? ISA 265.A14 doesn’t require a cause analysis, but every experienced reviewer expects one. The cause tells the audit committee whether this finding is fixable with a policy update, whether it requires a systems change, or whether it reflects a staffing gap that will persist until someone addresses it. Without a cause, the recommendation floats without an anchor.
Good cause analysis identifies the layer where the failure sits. Was this a design deficiency (the control never existed) or an operating deficiency (the control exists but didn’t run)? ISA 265.7 makes this distinction, and your cause should too. A design deficiency implies the recommendation will require new controls. An operating deficiency may only require retraining or monitoring.
Causes fall into a handful of recurring categories. Staff turnover in the finance team during the reporting period. A system migration that temporarily disabled automated controls. Manual workarounds introduced during rapid growth that became permanent. Lack of segregation of duties in a team of two. Write the specific mechanism. “High turnover in the accounts receivable team during Q3 2024 (two of four staff replaced) left the three-way matching control unreviewed for 11 weeks” tells the audit committee something they can act on.
Writing the effect: making the numbers talk
The effect section determines whether the audit committee takes the finding seriously. A finding with a vague effect (“this could lead to errors”) gets noted and filed. A finding with a quantified effect (“this resulted in €340K of unmatched payments, of which €87K were confirmed as duplicate payments requiring recovery”) gets discussed in the next board meeting.
ISA 265.A14(b) references “potential effects.” Potential is doing real work in that sentence. You don’t need to prove that a loss occurred. You need to establish what could happen if the deficiency persists. But “potential” doesn’t mean vague. Quantify the exposure wherever you can.
Two levels of quantification work in practice. The first is actual impact: what already went wrong because of this deficiency during the audit period. Did the testing identify misstatements? What was the total? The second is exposure: what is the total population at risk. If your sample of 38 transactions found 14 without delivery evidence, and the total Q4 revenue is €12.4M, the exposure is the proportion of that €12.4M that lacks support. You don’t need to extrapolate formally (that’s ISA 530.14 territory) but you can state the relationship. Compare the quantified effect against your performance materiality to determine whether the finding qualifies as significant under ISA 265.8.
If you genuinely can’t quantify the effect, describe the specific risk scenario. “Without three-way matching, the entity cannot detect duplicate payments or payments for goods not received. During the period, accounts payable processed €8.2M in payments. The entity has no compensating control that would catch a duplicate within the same payment run.” That’s still specific. It’s still tied to a number. It gives the audit committee enough to assign a priority.
Never write “this could result in material misstatement” as the entire effect section. Every deficiency could result in material misstatement if you tilt the assumptions far enough. The effect section needs to show this specific deficiency’s impact on this specific entity’s numbers during this specific period.
Writing the recommendation: specific enough to implement
The recommendation must be clear enough that someone who wasn’t in the meeting can implement it without asking a follow-up question. ISA 265.A15 notes that the auditor may wish to suggest actions but is not obligated to do so. In practice, issuing a finding without a recommendation tells the audit committee you identified a problem but won’t help them solve it. Every finding should include one.
Write the recommendation as a concrete action with a defined scope. “We recommend improving the revenue recognition process” fails the test. “We recommend the finance director implement a monthly reconciliation of shipping documents to invoiced revenue, with exceptions reviewed by the financial controller before month-end close” passes it. The difference is that the second version names who does what, how often, and what the review step looks like.
Avoid two common traps. First, don’t recommend what the standard says. “We recommend compliance with IAS 18.14” is a citation, not a recommendation. The audit committee knows they should comply. They need to know what operational change achieves compliance. Second, don’t over-specify to the point where you’re designing their control system. The recommendation should close the gap between the condition and the criterion. It shouldn’t redesign the finance function.
One recommendation per finding. If a finding requires two distinct actions (a short-term fix and a longer-term system change), separate them with a clear label: “Immediate action” and “Longer-term recommendation.” This helps the audit committee track implementation against your next interim visit.
Tone and language: writing for the audit committee
The audit committee is not your engagement team. They read the findings report once, typically the evening before the meeting. If a finding requires re-reading to understand, it has already failed.
Use short sentences. Active voice. Name the actor. Cut filler words. “The financial controller did not review the reconciliation” carries more weight with a board member than “the reconciliation was not reviewed.” ISA 265.A14 expects the communication to contain sufficient information for those charged with governance to understand the context. That standard of sufficiency is tested by readers who spend eight minutes on your report, not eighty.
Avoid hedging language in the condition and effect sections. “It appears that certain controls may not have operated as intended” tells the reader nothing. Either the control operated or it didn’t. Either you found exceptions or you didn’t. State the fact. The cause section is where nuance belongs (explaining why something happened often requires qualifiers). The condition and effect sections don’t benefit from hedging.
Watch your use of “noted.” Phrases like “we noted” appear frequently in audit findings reports. They’re filler. “We found” or “testing identified” says the same thing with more authority. Similarly, “it was observed that” is a passive construction that adds seven words and zero information. Cut it. Start with what you found.
Format matters too. Each finding should start on a new page. The five sections should be visually distinct (bold headers or a consistent label format). If your firm uses a template, the structure should be visible before the reader processes a single word. The AFM’s inspection guidance notes that inspectors assess report clarity alongside report content. A technically sound finding buried in dense paragraphs doesn’t meet the “timely and effective communication” standard that ISA 265.9 requires.
Worked example: Van Leeuwen Bouw B.V.
Scenario
Van Leeuwen Bouw B.V. is a Dutch construction company with €68M revenue, audited by a mid-tier firm. During the 2024 audit, the engagement team identified that the company recognised project revenue based on estimated percentage of completion without independent verification of project stage assessments.
Finding 1: Unverified percentage-of-completion estimates for project revenue
Condition
Van Leeuwen Bouw B.V. recognised €68M in construction revenue during FY2024 based on percentage-of-completion estimates prepared by project managers. The audit team tested 12 of 31 active projects (representing €44M of revenue) and found that 8 of 12 project stage assessments had no independent verification by the financial controller or quantity surveyor. The stage assessments for these 8 projects relied solely on the project manager’s estimate without supporting documentation such as surveyor reports or certified milestone completions.
Documentation note: Record the population (31 active projects, €68M total), sample size (12 projects, €44M), exception rate (8/12), and coverage ratio in the testing summary. Cross-reference to the substantive test working paper (WP ref: E.3.2).
Criterion
IFRS 15.39 requires revenue recognised over time to reflect the entity’s progress toward complete satisfaction of the performance obligation. IFRS 15.B14 through B19 specify that the output method (surveys of work performed, milestones reached) or input method must use reliable data. Van Leeuwen Bouw’s own project accounting policy (Section 4.2) requires quarterly sign-off by a quantity surveyor for all projects exceeding €500K.
Documentation note: Attach the entity’s project accounting policy (Section 4.2) and cite the specific IFRS 15 paragraphs in the criterion. This establishes the benchmark against which the condition is measured.
Cause
Van Leeuwen Bouw’s in-house quantity surveyor left in March 2024. The company did not fill the position until November 2024. During this eight-month period, project managers self-assessed completion percentages without independent review. The financial controller relied on project manager certifications as sufficient evidence, citing time pressure on monthly reporting deadlines.
Documentation note: Record the cause in the finding file with the specific dates and the management explanation. Note whether this is a design deficiency (no compensating control existed during the vacancy) or an operating deficiency (the control existed but was bypassed).
Effect
The audit team’s independent re-estimation of completion percentages for the 8 unverified projects identified a net overstatement of €1.2M in revenue (2.7% of the €44M sampled). Two projects were individually overstated by more than €400K. The remaining 19 untested projects represent €24M in revenue. If the error rate holds across the population, total exposure is approximately €1.5M, which exceeds the performance materiality of €680K set at planning.
Documentation note: Document the projected misstatement calculation and the comparison to performance materiality. If the projected misstatement exceeds performance materiality, cross-reference to the ISA 450.11 evaluation and the summary of audit differences.
Recommendation
We recommend the financial controller reinstate mandatory quarterly quantity surveyor sign-off for all projects exceeding €500K, consistent with the entity’s existing policy (Section 4.2). For the interim period until the new quantity surveyor completes onboarding, we recommend the financial controller engage an external surveyor for projects exceeding €1M, funded from the project contingency budget. Van Leeuwen Bouw should complete this by 31 March 2025, with the first external surveyor review covering all Q1 2025 project assessments.
Documentation note: Record the recommendation, the agreed timeline, management’s response, and the follow-up date. ISA 265.11 requires you to include in the written communication the fact that the purpose is solely to communicate deficiencies, not to provide an opinion on internal control effectiveness.
Practical checklist for your next findings report
Common mistakes regulators flag
- The AFM’s 2023 thematic review on audit quality found that 31% of reviewed files communicated deficiencies but contained no documented assessment of whether they constituted significant deficiencies under ISA 265.8. The classification was implicit, not evidenced.
- The FRC’s 2022-23 Audit Quality Inspection noted that several firms issued findings reports where the “effect” section contained no quantification, relying instead on phrases like “could lead to material misstatement.” The FRC expects the auditor’s communication to reflect the specific financial impact observed during testing, not a theoretical risk statement.
Related content
- Glossary: Significant deficiency in internal control explains the ISA 265.6(b) definition and the judgment criteria for classifying deficiencies, directly relevant to structuring your findings assessment.
- ISA 320.12 Materiality Calculator helps you set the performance materiality threshold that determines whether a finding’s quantified effect crosses the significance line.
- How to design risk responses under ISA 330 covers the upstream testing that produces the evidence your findings report references.
Frequently asked questions
What must an audit findings report contain under ISA 265?
ISA 265.9 requires significant deficiencies in internal control to be communicated in writing to those charged with governance on a timely basis. While the standard does not prescribe a template, ISA 265.A14 lists content elements including a description of the deficiency, an explanation of potential effects, and sufficient information for governance to understand the context. In practice, each finding should contain five sections: condition (what you found), criterion (why it matters), cause (why it happened), effect (quantified impact), and recommendation (specific action to fix it).
How do you distinguish a significant deficiency from other deficiencies under ISA 265?
ISA 265.8 requires the auditor to determine whether identified deficiencies, individually or in combination, constitute significant deficiencies. This judgment must be documented. A significant deficiency is one important enough to merit the attention of those charged with governance. Factors include the likelihood and magnitude of potential misstatement, the nature of the affected account or disclosure, and whether compensating controls exist. The AFM has flagged files where the classification was implicit rather than evidenced in a separate assessment working paper.
How do you quantify the effect section of an audit finding?
Quantify at two levels. First, state the actual impact: misstatements identified during testing, with the total amount. Second, state the exposure: the total population at risk. If your sample of 38 transactions found 14 without delivery evidence and total Q4 revenue is €12.4M, state that relationship. Compare the quantified effect to performance materiality to support your ISA 265.8 significance assessment. If you cannot quantify, describe the specific risk scenario with the monetary amount of the population affected.
What is the five-part finding structure for audit reports?
The five-part structure separates each finding into condition (what you observed, stated factually), criterion (the benchmark it falls short of, with a specific standard or policy reference), cause (the mechanism that explains why the control failed), effect (quantified impact or exposure), and recommendation (a concrete action with a named actor, frequency, and deadline). This framework forces you to separate what happened from why it happened from what it costs, and keeps each finding to 150–250 words.
What common mistakes do regulators flag in audit findings reports?
The AFM’s 2023 thematic review found that 31% of reviewed files communicated deficiencies but contained no documented assessment of whether they constituted significant deficiencies under ISA 265.8. The FRC’s 2022–23 inspection noted that several firms issued findings with no quantification in the effect section, relying on phrases like “could lead to material misstatement” instead of the specific financial impact observed during testing.
Further reading and source references
- IAASB Handbook 2024: the authoritative source for the complete ISA 265 text, including all application material on communicating deficiencies in internal control.
- ISA 320, Materiality in Planning and Performing an Audit: the materiality threshold against which finding effects are measured.
- ISA 330, The Auditor’s Responses to Assessed Risks: the control testing that generates the evidence behind your findings.
- IFRS 15, Revenue from Contracts with Customers: the criterion referenced in the worked example for percentage-of-completion revenue.