Lesson 23 of 25
Reporting to Management and the Board/Audit Committee
4 min read · CAMS-Audit
Write objective, audience-aware reports, handle the management response without erasing supported findings, and deliver significant findings to the board directly so independence holds all the way up.
The audit report
- Objective, evidence-based, and clear
- Overall opinion plus individual findings
- Accurate, complete, concise, constructive, timely
- Written for its audience — board vs. management
The audit report is the product everyone sees, so it must be objective, evidence-based, and clear. It typically gives an overall opinion or conclusion on the area audited, plus the individual findings with their risk ratings. The Institute of Internal Auditors sets quality criteria for communications: they must be accurate, objective, clear, concise, constructive, complete, and timely. Those seven words are worth memorizing.
Crucially, write for the audience. The board needs a concise view of significant risks and themes; operational management needs the detailed findings and recommendations. A report that drowns the board in technical detail, or hands management only a vague summary, fails the audience it was meant to serve.
The management response
- Management commits to actions, owners, and dates
- Disagreement is recorded, not erased
- Audit doesn't write management's action plan for them
- Unaccepted high risks get escalated
A finding isn't complete without a management response. Management commits to specific corrective actions, names an owner for each, and sets target dates; that accountability is what turns a finding into a fix. If management disagrees with a finding, the auditor records the disagreement transparently but does not delete a supported finding to make peace.
Note the boundary: audit recommends, but management owns its action plan. If audit writes the remediation itself, it has stepped into the first line and can no longer independently validate the fix later. When management refuses to accept an unresolved high risk, the auditor escalates it rather than dropping it; that is the governance principle from earlier put into practice.
Reporting to the board / audit committee
- Significant findings reach the board directly
- Themes, trends, and aggregate risk — not just a list
- Status of prior issues and overdue remediation
- Direct line preserves independence
Reporting to the board or audit committee is where independence becomes concrete. Significant findings must reach the board directly, on a path management can't intercept or soften; this is the FFIEC direct-reporting principle we covered in governance. But good board reporting is more than a list of findings.
It conveys themes and trends (for example, the same root cause showing up across several areas) and an aggregate view of AML risk and control health. It reports the status of prior issues, especially anything overdue, so the board can see whether remediation is actually happening. The board can't oversee what it can't see, so the auditor's job is to give it a clear, honest, and complete picture, including the uncomfortable parts.
Common reporting failures
- Softening findings under management pressure
- Burying significant issues in volume
- Late reports — stale by the time they land
- No clear ownership or due dates for actions
Let's name the reporting failures the exam draws on. Softening or downgrading a finding because management pushed back corrupts the report's objectivity. Burying a significant issue in a flood of minor ones hides what matters; that is a materiality failure at the reporting stage.
Timeliness failures, where a report lands so late that the issue is stale before the board sees it, undercut the whole point of independent assurance. And action plans with no clear owner or due date are how remediation quietly never happens. The thread through all of these is that the report must tell the truth, clearly, to the right people, in time for them to act.
When it doesn't, the audit's value evaporates no matter how good the fieldwork was.
The closing meeting and report finalization
- Validate facts with management before issuing
- Resolve factual errors; don't soften valid conclusions
- Distinguish a factual correction from a pressure tactic
- Issue the final report on a timely, defined cadence
Before a report is finalized, auditors typically hold a closing meeting with management, and the exam tests how to handle it well. The legitimate purpose is to validate facts: if management can show that a finding rests on a factual error, you correct it, because accuracy serves everyone. But there's a line, and you must hold it.
Correcting a genuine factual mistake is appropriate; softening a valid, well-evidenced conclusion because management finds it uncomfortable is not. Learn to tell the two apart: sometimes management's pushback is a real correction, and sometimes it's pressure dressed up as a fact dispute. Where the evidence supports your conclusion, the conclusion stands, and management's disagreement is recorded as their response rather than allowed to rewrite the finding.
Once facts are validated, issue the final report on a timely, defined cadence; a report that drifts for weeks loses its force. The discipline of the closing meeting (open to facts, firm on conclusions) is a hallmark of an independent auditor and a frequent exam scenario.
Recap and next
- Report objectively, for the audience
- Management owns the action plan; audit records disagreement
- Significant findings reach the board directly
- Next — remediation tracking, validation, and follow-up
Recapping: the audit report must be objective, evidence-based, and written for its audience, with significant findings reaching the board directly so independence holds. Management owns its corrective-action plan with owners and dates, and the auditor records disagreement rather than erasing a supported finding. Good board reporting conveys themes, trends, and the status of prior issues, not just a raw list.
In the final content lecture, we close the loop: tracking remediation, validating that fixes actually work, and designing follow-up to confirm closure. Test yourself on reporting first.
Sources
- IIA International Professional Practices Framework — communicating results and quality of communications
- FFIEC BSA/AML Examination Manual — board reporting and corrective action
- Basel Committee, The internal audit function in banks (reporting to the board)
Test your knowledge
A few CAMS-Audit practice questions.
Q1. An auditor tests whether a CDD re-review process operates effectively by selecting a sample from the compliance team's tracking spreadsheet of completed reviews. What is the key limitation of using this as the sole sampling frame?
Q2. Audit finds that SAR narratives across 30% of sampled cases are boilerplate and lack specificity. Management proposes to fix this by sending reminder emails to analysts. Why is this likely an insufficient remediation?
Q3. Governance and 'tone at the top' are mentioned as auditable in the CAMS-Audit materials. Which of the following would be a governance FINDING rather than just background context?
Q4. An auditor is planning a SAR-quality audit and notes that the institution conducted a major core-banking system migration six months ago. How should this factor into the scope?