This sample audit report outlines findings from a risk assessment performed at a company with the purpose of identifying areas of risk and developing a three-year internal audit plan.
This sample utilizes the concept of the “three lines of defense,” which applies to a company’s risk management environment. The first line of defense refers to employees executing the core operations of the company, serving as “risk and control owners” for the organization, and the front-line employees who apply internal controls and other risk responses to treat the risks associated with their respective transactions. The second line of defense refers to risk oversight groups such as quality assurance, compliance, legal, finance and human resources (HR), who provide independent oversight of the risk management activities of the first line of defense, ensuring that risks are actively and appropriately managed. The third line of defense refers to internal audit, which plays the critical role of providing risk assurance to the organization.