HomeBlogRisk Assurance

Internal audit reports your CEO will actually read

PS

Paramjeet Singh

Feb 2026 4 min read
Internal audit reports your CEO will actually read

Ten-page annexures don't change behaviour. How risk-based auditing and sharp materiality thresholds turn assurance into action.

There is a particular silence that follows the tabling of a conventional internal audit report - forty pages, eleven annexures, ninety observations rated high, medium and low. Everyone agrees it is thorough. No one changes anything. The report has fulfilled its ritual purpose and will now rest undisturbed until the next quarter.

The failure is not effort; it is design. A report that treats a missing signature on a stationery indent with the same solemnity as an unreconciled vendor advance of forty lakhs has abdicated its real job, which is judgement.

Risk-based means ruthless

A risk-based audit plan starts from the question: what could genuinely hurt this business in the next eighteen months? Revenue leakage in the largest contract, concentration in one supplier, controls around the bank mandate, the ERP access of employees who left last year. The audit universe is ranked by exposure, and coverage follows exposure - not the comfort of auditing what was audited last year.

Write for decision, not documentation

The reports that change behaviour share a shape: one page the CEO reads, with the five findings that matter, each stated as money, risk or deadline. What is the exposure in rupees? What happens if nothing is done? Who owns the fix and by when? The detail still exists - in an annexure, for those who need it - but the leadership page carries judgement, not inventory.

Materiality thresholds do the pruning. Agree with the audit committee, in advance, what is too small to report individually. It feels uncomfortable the first time; it is also the single fastest way to make the important findings visible again.

Close the loop or don't bother

An audit function is ultimately measured by one number: the percentage of agreed actions actually implemented on time. Track it, publish it, and review the laggards by name in the audit committee. Assurance that ends at observation is expense; assurance that ends at implementation is control.

PS

Written by

Paramjeet Singh

Writing field notes on finance, tax, process and infrastructure - from the work, not about it.

Put It to Work

Reading is good. Results are better.

If this article speaks to a challenge on your desk right now, the next step is a conversation with the team that wrote it.