Prompting across the audit

Reporting & communication

The reporting phase is the culmination of the audit, where complex evidence and analysis are synthesized into clear, impactful communications. This is the native territory of generative AI, which excels at transforming structured data and fragmented notes into coherent, professional prose.

A primary task in this phase is drafting audit findings. A well-structured prompt can convert raw workpaper notes into a formal narrative. The key is to provide the AI with the core components of a finding (often called the 5 C's: Condition, Criteria, Cause, Consequence, and Corrective Action/Recommendation) and instruct it on the desired tone and format.

This prompt demonstrates how to synthesize a formal finding:

You are an audit director reviewing a senior's workpaper notes. Convert the following structured notes into a formal audit finding suitable for an audit committee report. The tone must be professional, objective, and constructive.

Condition: The user access review for the finance ERP system was not performed in Q2 2025. 

Criteria: The company's IT General Controls policy requires documented user access reviews to be performed quarterly by the data owner. 

Cause: The controller, who is the data owner, was on extended leave, and no backup was assigned to perform the review. 

Consequence: There is an increased risk that inappropriate or unauthorized user access (e.g., from terminated employees) was not detected and removed in a timely manner, potentially exposing sensitive financial data. 

Recommendation: The company should formalize a process to designate and train a backup for critical control activities.

Beyond individual findings, AI can generate high-level summaries for leadership. By providing a full, detailed report as context, you can prompt the model to distill the most critical information for an executive audience, translating technical details into business impact. As always, I like to instruct the AI to be terse.

Given the attached full 40-page internal audit report on cybersecurity controls, generate a one-page executive summary for the Chief Financial Officer. Focus on the top three highest-risk findings, their potential financial and reputational impact, and the corresponding high-level recommendations. Avoid technical jargon and be terse in your output.

Multi-perspective review

One powerful technique is using AI to simulate how different stakeholders will receive and interpret audit findings. This helps auditors anticipate questions and refine their messaging before formal presentation. By explicitly asking the AI to adopt different viewpoints, you can identify gaps in your narrative or areas requiring additional context.

You are reviewing an audit finding from three different perspectives. Provide feedback from each viewpoint:

1. AUDIT COMMITTEE MEMBER: Focus on governance implications and board-level concerns
2. CFO: Focus on financial impact, resource requirements, and implementation feasibility  
3. OPERATIONAL MANAGER: Focus on day-to-day implementation challenges and process changes

FINDING: During our review of expense reports from January-June 2024, we identified $847,293 in expenses lacking proper approval documentation. 42% of these expenses (totaling $355,863) were from C-suite executives, with individual amounts ranging from $500 to $45,000. The approval workflow system shows these were auto-approved after 30 days due to a misconfigured timeout setting implemented during the Q4 2023 system upgrade.

For each perspective, identify: 
- What questions would they ask? 
- What concerns would they raise? 
- What additional context would they need?

This approach ensures your findings resonate with diverse audiences and preemptively addresses their unique concerns. It's particularly valuable when preparing for audit committee presentations where multiple stakeholder perspectives converge.

Risk rating calibration

Maintaining consistency in risk ratings across findings is crucial for credibility and prioritization. AI can help calibrate these ratings by comparing findings against each other and established frameworks. This comparative analysis approach helps avoid the common pitfall of risk rating inflation or inconsistent application of risk criteria.

Compare these two audit findings and recommend whether they should have the same risk rating. Use the COSO framework and consider both likelihood and impact.

FINDING A - Segregation of Duties:
- 3 employees in Treasury can both initiate and approve wire transfers up to $10M
- 147 transfers totaling $523M were processed this way in 2024
- No compensating detective controls exist
- Current rating: MEDIUM

FINDING B - Password Management:
- 67% of privileged accounts use passwords that haven't changed in 18+ months
- No multi-factor authentication on database admin accounts
- 12 shared service accounts with passwords stored in Excel
- One confirmed breach attempt (blocked by firewall) in past year
- Current rating: HIGH

Analyze whether these ratings are appropriately calibrated relative to each other. Consider:
1. Financial impact (direct loss potential)
2. Operational impact (business disruption)
3. Reputational impact (stakeholder confidence)
4. Regulatory/compliance impact
5. Likelihood of occurrence based on current controls

Provide specific justification if you recommend changing either rating.

This comparative approach helps ensure that your highest-rated risks truly represent the most significant threats to the organization, improving the credibility of your risk assessment and helping management appropriately allocate remediation resources.

Maintaining the human in the loop: The review imperative ✍️

An AI-generated draft is never the final product. The auditor's professional judgment is irreplaceable. All AI-generated text—from a single finding to an entire report—must be meticulously reviewed by a qualified auditor before issuance.

The review should focus on:

  • Nuance and Tone: Does the language fit the specific client relationship and context?
  • Factual Accuracy: Has the AI perfectly represented the facts from the workpapers?
  • Contextual Appropriateness: Is the emphasis on the correct elements of the finding?

The AI is a powerful drafting assistant, but the auditor remains the author and is ultimately responsible for the final communication.
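One way to support the factual-accuracy check above, as an added example (not code from the original page): a script that compares every figure in an AI draft against the workpaper text and flags figures the workpaper does not contain or that the draft dropped. The workpaper text is the expense finding from the multi-perspective prompt earlier on this page; the draft is constructed for illustration, and the function names are hypothetical.

```python
import re

# Quarter labels (Q4), dollar amounts ($847,293, $10M), percentages (42%), plain numbers.
FIGURE = re.compile(r"Q[1-4]\b|\$?\d+(?:,\d{3})*(?:\.\d+)?(?:[MKB]\b)?%?")

def figures(text):
    """Return the set of figures in text, with thousands separators removed."""
    return {m.group().replace(",", "") for m in FIGURE.finditer(text)}

def review_draft(workpaper, draft):
    """Flag draft sentences citing figures absent from the workpaper,
    and list workpaper figures that the draft no longer mentions."""
    src = figures(workpaper)
    flagged = []
    for sentence in re.split(r"(?<=[.!?])\s+", draft):
        bad = sorted(figures(sentence) - src)
        if bad:
            flagged.append((bad, sentence.strip()))
    return {"unsupported": flagged, "omitted": sorted(src - figures(draft))}

# Workpaper text: the expense finding quoted in the prompt on this page.
WORKPAPER = (
    "During our review of expense reports from January-June 2024, we identified "
    "$847,293 in expenses lacking proper approval documentation. 42% of these "
    "expenses (totaling $355,863) were from C-suite executives, with individual "
    "amounts ranging from $500 to $45,000. The approval workflow system shows "
    "these were auto-approved after 30 days due to a misconfigured timeout "
    "setting implemented during the Q4 2023 system upgrade."
)

# Constructed draft standing in for model output: one total is transposed,
# and the $500 lower bound and the 30-day timeout have been dropped.
DRAFT = (
    "Between January and June 2024, expenses totaling $874,293 lacked approval "
    "documentation. Executives accounted for 42% of this amount ($355,863), "
    "with individual items of up to $45,000. A timeout setting misconfigured "
    "in the Q4 2023 upgrade auto-approved these items."
)

if __name__ == "__main__":
    result = review_draft(WORKPAPER, DRAFT)
    for bad, sentence in result["unsupported"]:
        print("Not in workpaper:", bad, "->", sentence)
    print("Missing from draft:", result["omitted"])
```

Flagged items are pointers for the reviewing auditor, not a verdict: a draft whose figures all match can still misstate what those figures mean.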

The next step: Fine-tuned reporting models 🎯

The zero-shot and few-shot prompting techniques discussed are incredibly powerful. However, the next frontier for large firms is the use of fine-tuned models.

An organization can take a base model and further train it on thousands of its own past audit reports and management letters. The resulting fine-tuned model internalizes the firm's specific reporting style, vocabulary, tone, and formatting standards.

This means that generating a new report would require a much simpler prompt, as the model would already have a deep, implicit understanding of what a "KPMG-style" or "Deloitte-style" finding looks like. This dramatically increases both efficiency and brand consistency.
