During the planning phase of the audit, I normally go through the prior audit reports. And during the fieldwork, if I find the same audit comments, which were mentioned before in the previous audits and still not rectified by the auditees, I mention them again in my audit report. I have been accused of cut and past in my audit reports. I understand that the IIA standard mention that if the management accepted the risk by not rectifying the audit findings then the auditor does not need to mention the same comments the second time around in their audits. What do you think? Do you cut and past from prior audit reports? Thank you for your input

It depends upon the circumstances.

1) If a prior audit report contains a recommendation and management commits to implement corrective action, and management fails to do so, I would include the finding in the current audit report as a repeat criticism. If, subsequent to the prior audit, management changes their mind, conducts a risk assessment to reevaluate the issue, and decides to accept the risk, I would probably include the issue again but include their "revised" response (assuming I still feel the exposure is there and there are insufficient mitigating controls in place).

2) If a prior audit contains a recommendation and, in their response, management indicates that the risk is acceptable, I would generally consider the issue closed. I would, however, bring the issue up again if circumstances have changed and the bank's exposure has increased since the last audit.

3) Notwithstanding what I said in #2 above, if I strongly disagree with management's "acceptance" of a given risk, and feel that the bank has significant exposure, I would probably include a discussion of the issue in the comment section of the audit report.

I do most definitely repeat comments on unsolved problems. Both the audit committee and the examiners want to know that we follow up on prior items.

If a concern is present, regardless of it being present on the past report, it still exists and is noted.

If it is a recommendation that I have made in the past that has been sufficiently explained as inappropriate given the cost, etc. it is not listed in the current report.

If a problem exists and management does nothing to correct the problem, I want it noted in the audit reports for my own protection. Come the next exam, I would not want the examiner thinking I was not doing my job.

I hope this makes some type of sense and will help.