How to ensure efficient compliance in your organisation


Every business was once a small business. To grow, businesses learn to eliminate inefficiencies or work around them, and successful entities have found ways to become efficient in most parts of their operations. Efficient compliance is crucial: it provides many benefits to small businesses and keeps them out of trouble, and without efficient ways to achieve compliance it can become a large administration and paperwork burden. Compliance is necessary for every organisation because there are many rules surrounding business operations, but making compliance efficient can be slightly more complex than streamlining other processes.


How to increase efficient compliance

There are many steps a small business can take to make compliance more efficient:

-Smart recruitment 

-Use of tools

-Standardising procedures

-Implement a framework


Smart recruitment 

 When hiring new staff, it is important to have a clear job description so the candidates are aware of what their responsibilities will be. If the employees will be multi-tasking, then the business needs to ensure that they give them time to do each part of their job and not restrict them or give them duties they are not qualified for. If new responsibilities need to be introduced, the business will have to provide them with the relevant training and education for them to take on a new role. 

The training will give employees the knowledge they need to comply with laws and regulations, and the skills required to do so.

Recruitment can also support efficient compliance by selecting employees with the right attitude. This prevents issues within the workplace and makes it easier for employees to get along and remain productive.


Use of tools

Efficiency means that the business needs to get rid of all the piles of papers and folders. By using tools to record everything online, organisations can avoid duplicating documents, can identify gaps in compliance and improve policy management.

For example, Google Docs automatically maintains a version history for each document, so a small company can write a document control policy that relies on this feature and avoid spending administration time manually updating document histories on a cover page. The whole process becomes faster and fewer people are needed to manage the data. Using compliance tools also decreases the probability of data being lost and allows the business to monitor its compliance obligations.

 There are different software and programs an entity can utilise for the best results. Polonious offers customers the tools to move all their compliance information online and find everything they need within seconds. We can help customers reduce the occurrence of manual data entry errors and help them store everything in one place.


Standardise and automate

Standardising procedures leaves little room for error. Businesses can identify the best way to complete a task and then set guidelines that comply with rules and obligations. The entity might choose to write an SOP to increase both operational and compliance efficiency. An SOP is a standard operating procedure that outlines what employees need to do to complete a complex task.

Automating compliance can greatly decrease business costs. It involves the use of technology to check systems, send notifications when a problem is present and make procedures simpler.

 The first step to automating is to standardise the process, as you cannot automate something that has too much variation or is done in an ad hoc manner. However, once you have standardised a process you will be able to see what opportunities there are for automating all or part of it. The business will have to test the automation system before it is implemented and review it regularly to avoid errors and improve the efficiency and quality of processes. 

 Polonious assists entities in automating their compliance by providing them with ways to automate their workflow. It protects their sensitive information, reduces the pains of ad-hoc communications and provides reports on actions that can be taken if there is a problem.


Implement a framework 

 A framework is a base for the minimum standards a business needs to follow. By implementing a framework the business will have to follow the guidelines it provides to meet its obligations. The framework needs to be a ‘living document’ that is updated when necessary and is able to adapt to the changing business environment. This will make compliance more efficient for a small business as its minimum obligations are clear and it does not need to have numerous guidelines that confuse employees. 

 One of the best frameworks for businesses of any size and industry is the ISO 31000 ERM. It guides organisations towards success by assisting them with optimising their processes and updating them when needed. By using the ISO 31000 the business will have the required principles to meet its objectives and obligations.  

 The framework can help the business build its policies and procedures. Policies should not be created by outsourcing to a third party or by taking a shortcut. Even though that might be seen as efficient it can have consequences in the long term. It is advisable for the business to create its own policies and procedures to ensure that it addresses all its expectations and objectives. 

To save time, you can start with template policies from online sources or consultants, or research the policies of similar companies. However, you should always review them thoroughly and make them fit your context; otherwise you may end up promising things that are not relevant to you and wasting more time in the long run. For example, consultants will often give you a great deal of paperwork and forms when setting up a compliance system, as this seems like good value because you get a lot of 'stuff' for your money.

However, they may be setting you up with an unnecessarily burdensome compliance system. If you have a consultant helping you, it is better value to ask them how you can be compliant with less paperwork.

 The management should then ensure that all employees are familiar with the policies and aware of what action they can take. This increases compliance efficiency as all employees are given the same document to follow and are aware of what their obligations are. 



 Efficient compliance can help businesses achieve their obligations in the least costly and least time-consuming way. It can reduce the need for new employees and decrease the probability of problems arising from processes. It will allow a business to operate more smoothly and focus on the benefits of improving their risk management and business processes, rather than keeping up with paperwork. If a business puts emphasis on efficient compliance, it is more likely to also modify other parts of its operations to ensure that it generates as much profit as possible. 



 Continuous improvement is what helps a business grow. If a business is focused on improving its processes and updating its systems and controls regularly then it will be easier to achieve efficient compliance. Internal audits and inspections can monitor compliance and indicate whether efficiency is executed correctly or if other actions have to be taken.

 Efficient compliance has many benefits and small businesses can use multiple ways to achieve the desired results. Automating workflow, implementing a framework or using tools are all activities that Polonious specialises in. It can provide your business with the best resources that will reduce time needed to complete a task, give you everything you need in one place and assist with recording data for compliance purposes.


Tips for a workplace investigator



 A workplace investigator is responsible for ensuring that an investigation is conducted fairly and in a timely manner. However, it is important to remember that the investigator involved might be faced with content that is sensitive and sometimes may be upsetting. They have to focus on the quality of their investigation while ensuring the organisation takes care of the mental wellbeing of the parties involved, as well as the investigator’s own wellbeing. 

 A workplace investigation has many laws and regulations that need to be followed as well as the business policies that the investigator must comply with. During the process, there will be many interviews that are necessary to understand what went wrong and get perspectives from different employees. Therefore, it has to be conducted effectively so mistakes are avoided. 


Tips for the investigator

The investigation has to be carried out correctly because a false result could be harmful to the person accused. The investigator needs to remember to:

-Be confidential

-Protect evidence 

-Avoid bias

-Act quickly 

-Seek support 

-Investigate fairly 

-Be transparent


Be confidential

 An investigator is usually aware that everything that occurs in the investigation needs to remain confidential. Sometimes organisations are not familiar with investigations; it might be the first time they are conducting one and they might be unprepared. The investigator has to emphasise the importance of protecting the confidentiality of those involved to avoid false accusations and harm to the employees’ careers. 

The investigator should be the only one with access to evidence and the only one conducting interviews. If this is a bigger investigation, only the people responsible should be communicating with employees. This will minimise the chances of information leaking. 


Protect evidence

The investigator or investigation team need to be the only ones with access to evidence for more reasons than just confidentiality. By storing information in a safe place, the investigator decreases the chances of the evidence being stolen or tampered with. Original documents should be stored carefully to avoid damage and, where possible, copies should be used for day-to-day work and for sharing, rather than the original file. Interview notes need to be stored in an orderly way so they are not mixed up. Organising the information during an investigation is crucial for it to be successful.

 Polonious assists its customers when they are conducting a workplace investigation by providing them with a secure place to store the evidence. This does not only ensure confidentiality but allows the investigator to protect the data available to them and organise them as they see fit.


 Avoid bias

 The investigator will probably hear many perspectives during the process. They may meet many people who will not give them a good impression or their attitude indicates that something is wrong. It is important to avoid making pre-judgements as it will lead to a misleading result. The investigator needs to be objective and not favour certain individuals because they seem more trustworthy. Looking at facts rather than emotions can prevent unconscious bias and result in a successful investigation.

 It is also important not to let hostile or nervous behaviour colour or cloud an investigator’s judgement of an interviewee – investigation interviews are situations that make people nervous, regardless of whether they’re telling the truth, and many of the stereotypical ‘signs’ of lying are merely signs of nervousness which are not reliable indicators of truth telling. Therefore it is doubly important to let the facts speak for themselves and to determine lies through factual contradictions rather than being influenced by behaviour.


Act quickly

 The investigator may have been called in days or weeks after the issue took place. It is easy for memories to fade or for individuals to misremember actions. If the parties involved discussed the occurrence with other people, it is possible that their perspective has been influenced and they start to doubt what they saw or what they thought happened. This is why the investigator must act quickly and conduct interviews with the most important parties early. They will be able to recall events better and provide a clearer picture of the event. 

The rest of the parties can then be prioritised in order of importance: those who witnessed the events, those who knew of previous occurrences and those who are likely to forget more easily than others need to be interviewed first. It might be a good idea to encourage employees to write down what they want to say so they remember specific details.


Seek support

 During an investigation, the parties involved, including the investigator, might be under a lot of pressure and stress. The employees may feel like they are in trouble and the issue being investigated might cause them distress. The investigator should seek support from the organisation to minimise the impact of the process on mental health. They might ask the organisation to provide counselling as well as free mental health services that will check on the person’s wellbeing. 

It is also a good idea for the investigator to use similar services, such as the EAP, to ensure that their own mental health is not as heavily impacted and that they are still able to stay focused on the task.


Investigate fairly

 The investigator must give everyone involved a chance to explain themselves, what they felt, what they saw and how they were affected. If employees want to add more details, they must be welcome to do so. This will improve the quality of the investigation process and give everyone the same treatment. When conducting interviews, it is advisable for the investigator not to interrupt with new questions if the employee has not finished talking. Even though the investigator needs answers, the employee may not be in the best headspace and actions like that may make them feel unfairly treated. Employees need to feel listened to and understood so it is easier for them to open up. 

 Even if the investigator feels like the information is irrelevant, they can ask open-ended questions to guide them toward the topic they want to discuss. The more information that is given, the more facts there are to cross reference and find inconsistencies if someone is lying.


Be transparent

Before starting the investigation, the investigator needs to explain the process to the employer and employees. Sharing details, such as the fact that interviews will be recorded, and communicating effectively with the employer and employees makes it more likely that they will trust the investigator. It also avoids retaliation and confusion, as employees will not be afraid of the unknown and will know what to expect. Encouraging employees to ask questions about anything they do not understand or are unsure about gives them clarity and more confidence.



 The investigator and their attitude plays a very important role in the success of the investigation. Therefore, they need to focus on the task but also remember not to neglect mental health and the employees’ wellbeing. All the parties involved need to be fairly treated and listened to, and this will allow the investigator to collect more information to base their conclusion on.

 Polonious can help your business with a workplace investigation by protecting your employees’ confidentiality and the investigators’ evidence. It provides companies with resources to ensure a quicker and correct result by reducing disorganisation and helping investigators have everything they need readily available to them.


ISO 31000 vs COSO ERM


In risk management, ISO 31000 and COSO are the two most popular standards. Standards are essential in a business as they set a baseline to avoid conflict over what is right or wrong. ISO 31000 and the COSO framework provide a similar definition of what a risk is and recognise it as an uncertain occurrence.

 ISO and COSO are updated when necessary and are best known for making compliance easier. They both have the same goal: help employers manage risk in their organisation to achieve their goals. What other similarities do they have and what are their differences?


The COSO framework

 COSO stands for the Committee of Sponsoring Organizations which was founded in 1985 by five professional associations: The Institute of Management Accountants, The American Accounting Organization, Financial Executives International, American Institute of Certified Public Accountants, and the Institute of Internal Auditors. 

The COSO framework was created in 1992 and was then updated in 2013. In 2017 the committee updated it as the COSO ERM (Enterprise Risk Management) framework. It is usually depicted as a three-dimensional cube. The cube shows how COSO connects its three elements: the objectives are at the top, the components are at the front and the organisational structure is on the side. It promotes accountability and confidence that controls will mitigate risks.


ISO 31000

ISO stands for International Organization for Standardization. It was founded by 25 countries in February 1947. ISO 31000 was first issued in 2009 and was later updated in 2018. It provides guidelines for implementing enterprise risk management strategies and encourages decision-making based on risk management. The second version introduces the concept of risk appetite, which is a confusing term in risk management. It heavily focuses on creating and protecting the value of a business.

ISO has stated that ISO 31000 cannot be used for certification purposes. However, these risk management standards underpin a lot of the practices in other standards that can be used for certification, e.g. ISO 27001, as information security is highly dependent on managing risk.


 Both standards explore risks widely. They encourage risk-taking and decision-making that is backed by risk management. They offer an approach that allows businesses to control risks so they can achieve their objectives and grow. Both COSO and ISO 31000 cover the ERM process in great detail. They promote a consistent approach to the risk management process that will drive the improvement of measures and strategies. 

 Both frameworks are guidelines. They do not intend to enforce rules. They allow organisations to customise their approach to fit the situation of that specific business. They do not provide companies with a certification, rather, they encourage continuous improvement and better governance. Businesses that use ISO 31000 and the COSO framework can compare their own risk management policies and procedures to standards that are globally recognised.

 Another similarity between the two frameworks is that they recognise the importance of being updated. They accept that we live in a fast-changing world and the risk environment does not remain the same. Both documents get updates to add new concepts and address different kinds of situations. They provide guidelines on how to identify, assess and monitor constantly evolving risks. 



 COSO is a much larger document than ISO 31000. The latter has 16 to 32 pages while the former has over 120 pages. This allows COSO to explain concepts, such as risk appetite, more thoroughly than ISO and introduce other concepts such as risk tolerance and capacity. ISO 31000 is more concise and simple but businesses have said that it does not cover all elements of risk management implementation. Another reason that the COSO framework is longer is because it depicts many concepts using visual elements while ISO 31000 does not. 

 COSO is mainly targeted at accounting and auditing firms but ISO 31000 can be used by any organisation as it provides a general approach. This is because ISO offers a broad risk model and COSO focuses on financial reporting. The target market also differs geographically. Even though COSO and ISO are internationally recognised, ISO is used globally while the COSO framework is mostly used in North America. 


Which one is better: ISO 31000 or COSO ERM?

 Both frameworks offer interesting perspectives on how to implement risk management in decision-making and how to use risk management to help a business achieve its objectives. The standards of the frameworks are just the base, the starting point companies can use to develop their processes and procedures. Which document is better heavily depends on the business, its industry and where it operates. It is important that business owners read both documents and understand their content before deciding which one to use. 

 There are other risk management standards such as the BS 31100, FERMA and OCEG. However, the COSO ERM and ISO 31000 remain the leading frameworks for multiple reasons, including their focus on risk management being an ongoing process rather than a one-time decision. They explain risk management as part of the core business rather than a separate strategy and highlight how every process will need to be customised to fit the needs of the organisation.

 ISO 31000 and the COSO ERM can offer benefits such as the strengthening of internal controls and the effective response to a changing business environment. Since they assist organisations in improving their crisis management, they indirectly assist in improving the performance of the organisation as well. They also help in fostering a risk-aware culture which contributes to significant cost savings for the company. 



 Whether a company chooses to implement the COSO ERM framework or the ISO 31000, it will choose to take a step in the right direction by preparing the business for unpredictable events. While both frameworks have some similarities, they also have some significant differences, so it is important to read both before deciding which one to use. Managers must remember that the frameworks only offer guidelines, and it is up to the company to develop its own risk management process.


What is risk management?


 Risk management consists of the strategies and tools businesses use to avoid, mitigate, accept or eliminate risks. Innovation and growth always come with some type of risk. Risk management involves identifying and assessing threats to make informed decisions when pursuing innovation and growth. To continue to survive and be profitable, the business must be able to recognise and control risks so they do not adversely affect operations. 

 Risk management explores the relationship between risks and how one risk materialising could create a domino effect where more risks start to occur. In order for risk management to be effective, it needs to adapt to new and different kinds of risk.


Risk exposure

 A risk is a future uncertain event that could negatively affect the business. Risk exposure examines how vulnerable a business is to risk. It assesses the future potential impact that a threat might have on the business. Risk exposure is measured by calculating the probability of a risk materialising and the losses that could occur as a result of this. 

Risk exposure = Risk impact × Probability

 With risk management, companies can calculate their risk exposure and be aware of the effect it will have on their operations. A risk assessment allows an organisation to understand how to respond to a high-risk situation.

Risk exposure can be split into two types: pure risk and speculative risk.

Pure risk cannot be controlled by the business and can either cause losses or nothing at all. By "nothing", we mean that this category does not provide the organisation with a way to make profit. Examples of pure risk include natural disasters such as fire, theft and property damage. There are no benefits associated with pure risk.

 The opposite of pure risk is speculative risk. This category can result either in a gain or a loss. The decisions businesses make have speculative risks. For example, the management might have chosen to invest in an asset. The asset could either bring profits or could incur extra costs for the organisation. Speculative risk is not predictable but it is controlled by the choices the employers make. 


Risk appetite and risk tolerance

Risk management examines the risk appetite and tolerance of a business. 

 Risk appetite looks at how much risk an organisation wants to accept to achieve its objectives. Through identifying and assessing risks, the company can make decisions on whether it is in a position to accept the risks involved with its operations. Risk appetite looks at risk categorisation and the benefits of accepting the risks versus the losses that might occur. Risk appetite involves the use of qualitative data to make better-informed decisions. 

 These decisions always rely on the industry the entity is operating in, its competitors and the objectives the entity is trying to achieve. 

 Risk tolerance shows the acceptable level of risk a company can take. People tend to confuse the two terms as they find them quite similar. However, the difference is that risk appetite is the amount of risk a business is willing to accept while risk tolerance indicates the amount of risk a business can accept.

It highlights whether a business will be able to withstand most of the risks that result in a negative outcome. For example, if a company was small but had a lot of cash in reserve, it could have a high risk tolerance and be able to afford more risks than a medium-sized business with no reserves. However, the owner of the small business might have a fairly low risk appetite and avoid taking many risks.

 Risk tolerance looks at the strategies a business uses to mitigate risks and the limits set for how much risk it can handle. It also involves the decisions that might follow after a risk has materialised, or after a business has taken on more risk than it can tolerate.


As seen in the risk management framework, risk management focuses on:

-Identifying risks

-Assessing risks

-Mitigating risks

-Monitoring risks

 Identifying a risk involves determining what threats the business is facing and finding out the sources of those threats. Managers should comprehensively understand the risks and which areas of the organisation they could impact.

 Assessing a risk examines the probability of the risk materialising and the impact it could have on the business. After conducting a risk assessment, management will be able to prioritise risks. 

 Mitigation offers managers four options: avoidance, reduction, transference or acceptance. Based on the risk assessment the business will need to decide what kind of risk threat they are dealing with and what is the correct approach. 

 Risk monitoring requires the business to review its current strategies and monitor the risk to track any changes or decide whether different actions need to be taken. The organisation will need to determine if the controls are effective or if new measures will need to be implemented. 


The risk management plan 

 A risk management plan describes the risks the business is facing and how it will approach the risk management process. A company may have multiple risk management plans that address different risks if they are facing many diverse issues. An organisation is always facing the risk of failure, which means they must be prepared to control and manage that risk to protect the organisation. 

A risk management plan is different from a risk assessment. It documents the whole process (identification, assessment, mitigation and monitoring), the costs of each risk and strategy, and the analyses made by management. A risk management plan can outline management decisions based on all the information collected.

 A risk assessment assists the organisation by identifying and analysing risks. This allows the management to understand the likelihood of a risk and the impact it will have on the business. A risk assessment is not the only tool managers can use; other tools can help in the risk management process. SWOT analysis, risk matrix and risk register can all assist in managing risk. All these tools and their results will then be documented in the risk management plan. 

 For a risk management plan to be successful the business needs to set clear objectives to be achieved over a specific time frame. Having a schedule will encourage an organised approach to risk management. Businesses need to be clear about when they want each step to be conducted and the costs associated with each risk and step. 

 It is important that every employee within the risk management team has been assigned a task. This will make it easier for them to communicate and know who is responsible for what. They will know who to contact if there is an emergency and what to do if there is an unplanned event. Well-defined roles can also prevent conflicts from arising during the process. 


Risk response strategies

 Every organisation will face good and bad risks. Good risks are opportunities for the business to grow. The business is informed of the benefits associated with this type of risk and it is ethical. A bad risk may be the result of the business wanting to take shortcuts. The organisation might make unethical decisions or choose not to comply with rules and regulations to obtain a temporary reward. For example, tax evasion gives the business more money but in the long run it could cause fines and a negative reputation. 

After identifying and assessing risks, as part of the mitigation step, the company can address them by:

-Avoidance

-Reduction

-Transference

-Acceptance

 Avoidance requires the business to develop strategies that would help in preventing the risk from occurring. Risk avoidance can also occur if the business makes the decision not to engage with some type of risk. For example, collaborating with an organisation that has a bad reputation might cause backlash from the community, something that can affect the sales of the business. The company can choose to avoid this risk by not collaborating with the organisation. 

 Reduction involves making decisions that could either reduce the likelihood of the risk or the impact. Reducing the risk is more complex as the company chooses to take the risk but tries to reduce the consequences that could follow. Management can assess its operations and find where flaws are present, then try to improve them to reduce the likelihood and impact of a risk materialising.

 Transference occurs when the business moves the risk to a third party, for example, its insurance. This response is not easy for all types of risks but can be used to mitigate pure risks, such as natural disasters. 

 Risk acceptance means that the business is willing to accept the risk involved with its decisions as there is no way to avoid or mitigate it. Mitigating the risk may be more expensive than accepting it which is another reason why businesses may choose this response. Deciding whether or not to accept a risk relies heavily on the risk appetite and tolerance of the company. 



 Risk management is a crucial process for every company. Managers need to focus on creating a risk-aware culture, as well as training employees to recognise potential signs of failure. By understanding the elements of risk management, an entity can create a risk management plan to identify, assess, mitigate and monitor threats. Risk management allows organisations to make better decisions and be prepared in case of an unpredicted event. Not every risk will be under the company’s control, but there are still measures a business can take to prevent potential losses and protect itself from failure.


How to write an audit report


Audit report

  An audit report is a document that details the status of a company’s financial statements. It is written by an auditor and includes their opinion of the area or process they are auditing. An auditor’s opinion can be clean, qualified, adverse or disclaimer. An audit is the examination, inspection and evaluation of significant processes and/or financial reports by an independent party or an employee within a business. 

 Audits are performed to ensure business compliance with laws and regulations and to determine whether the financial information recorded is accurate. They can also assist in identifying risks and preventing fraud, and can highlight whether the controls in place are adequate to manage future threats or weaknesses within business processes. 

 An effective audit report needs to be comprehensive and communicate findings succinctly. Each section should be detailed and only include factual and relevant information. The auditor could create graphs, tables or present information in bullet points when required. 


How to write an audit report

 Every audit report must follow a structure. The full names of the auditors need to be included, not only initials. At the beginning of the audit report, the responsibilities of the management and the auditor should be outlined. The actions taken during the audit ought to be written in the past tense. The most important sections of the audit report are:

-Scope and objectives

-Executive summary



-Basis for opinion



Scope and objectives

 After discussions between the auditor and business management, the scope and objectives of the audit can be determined. The audit report must state the purpose of the audit and the extent of the examination: which files will be evaluated, across how many years, and in which departments. To satisfy the scope of the audit, the auditor might have to review current policies and confirm whether the business’s resources are being used for its own interests. The objective and scope will vary depending on the type of audit performed. 

 For a tax audit, the auditor must ensure that accounting books and records are correctly maintained. For a process audit, assurance needs to be given about the effectiveness of the systems and processes of the business. Scope and objectives can be set on a per-audit basis, or they can be set once the audit schedule has been determined. 


Executive summary

 The executive summary of an audit report should be carefully written as it summarises the content of the audit report. It is usually no more than 1 to 2 pages and contains the main sections of the audit report, along with definitions, in less detail. Bullet points could be utilised to make the executive summary easier to read, as well as to present information clearly and concisely. The auditor could also use a table to highlight the most important issues and risks, how controls should be implemented, and when. When this part of the report is written, it is crucial to remember that it is constructed for people who do not have a lot of time and need clear and accurate information. 



 After looking at the activities and practices of the business, the auditor will be able to make conclusions based on their evaluation. Depending on the nature of the audit, the findings could indicate faults within the business. It could be found that unapproved overtime is being recorded or there are significant deficiencies in internal controls. The audit could also uncover other risks such as fraud, lack of policies and procedures and unauthorised access to information by employees, which should have been restricted. 

 Opportunities for improvement (OFIs) may be provided by the auditor in the audit report, as they give feedback and could help the business avoid future or potential non-compliance. The auditor shares ideas that will improve business systems and offers a third-party perspective to the organisation. The OFI should not be written authoritatively; rather, it should mention the area of the company that is affected and what action can be taken. 

 All nonconformances must be highlighted along with the areas they occurred in. The auditor should also describe how they arrived at those findings, the actions they took and the data they examined. 

 However, findings could be positive as well, not only negative. The auditor can find that the business is maintaining records properly and is compliant with all relevant laws and regulations. The opinion of the audit report will highlight that. 



At the end of the audit process, the auditor states their opinion based on their observations during the process. There are four types of auditor opinions:

-Unqualified opinion

-Qualified opinion

-Disclaimer of opinion

-Adverse opinion


Unqualified opinion

 Also called a clean report, an unqualified opinion indicates that the auditor is satisfied with business practices and how financial information is recorded. It is the most common type of report and the one companies want, as it means that there is nothing wrong with the financial statements. An unqualified opinion confirms that the business follows laws and regulations, and banks are more likely to lend money as all the information is fairly presented. There is assurance that there will be little to no issues in the organisation and that it is compliant. It is also positive for investors as it shows that the business is moral and has integrity. 


Qualified opinion

A qualified opinion in an audit report is given when the auditor is not completely satisfied with the state of financial procedures within a business. There may be an issue present such as the company not following the country’s financial standards when reporting its information. There could also be an issue regarding the limitation of the audit. It could be that the auditor did not find enough documents or data for a certain objective. 

The qualified opinion indicates a non-pervasive issue but could still cast doubt on the company’s practices and the accuracy of its statements. This type of opinion is not as detrimental to the business, as it can change in future audits once the areas of concern described by the auditor have been resolved.


Adverse opinion

 An adverse opinion means that the auditor is not satisfied with the financial statements provided by management. They have found evidence that the financial information has been misstated and that there are irregular records. The issues that arise from this opinion indicate a pervasive problem and serious risks within the company. It is also a red flag for fraud in the organisation, as management has not maintained truthful data. 

 An adverse opinion is the least wanted outcome as it jeopardises the company’s outlook and ability to borrow money and attract investors. It can impact many aspects of the business such as its reputation and stock prices as the organisation does not follow accounting principles and its morality is questioned. 


Disclaimer opinion

 A disclaimer shows that the auditor has formed no opinion, for various reasons. It could be that the auditor did not have access to the right documents, or to enough of them. The auditor has questions that have remained unanswered due to insufficient evidence or the company not cooperating. Generally, it is neither a positive nor a negative opinion. However, it can have implications as it does not provide a clear outcome and may indicate that the business has not provided enough support to the auditor. 

 Investors might not feel as confident about the business and creditors can be hesitant about lending money. In some cases, the auditee can sue the auditor if they disagree with this opinion.


For a process audit report, the results are:

-Compliant

-Minor non-compliance

-Major non-compliance


Compliant

 Compliant is equivalent to an unqualified opinion. It shows that all processes and systems abide by policies and requirements. They comply with laws and regulations, and they are efficient and effective. Opportunities for improvement do not count against a ‘Compliant’ opinion: the process complies with all requirements, and there is simply an opportunity to make it more efficient or effective.


Minor non-compliance

 Minor non-compliance is the equivalent of a qualified opinion. The audit has found that some processes are not compliant with policy or requirements, but in a minor, non-substantial way. An example of a minor non-compliance could be the inadequate implementation of a procedure that has little effect on business operations and does not result in a breach of any laws, regulations, standards, or contractual requirements.

 One weakness will not cause issues in the business, but if many issues start appearing, the company will have greater problems to deal with. If the audit relates to a certification, the certification will remain in place provided the non-compliances are corrected by the time of the next audit. However, if the business still fails to meet the requirements at the next audit, its certification will be suspended. A minor non-compliance can prompt a further investigation to find out why the non-conformance exists in the first place and what steps the organisation can take to prevent another one in the future. 


Major non-compliance

 Major non-compliance is the equivalent of an adverse opinion. It occurs when the audit finds that there are serious and substantial deficiencies in the audited process(es) compared to policy and requirements. Major non-conformance can be the result of previous minor non-compliances being underestimated. 

 An example of major non-compliance is a business not following its standard operating procedure when building its product, which causes faults and damage to the reputation of the company, or a breach of applicable laws, regulations, standards, or contractual requirements. If this is a certification-related audit, certification would be suspended until the deficiencies are rectified. If the business is found to have major non-compliance, then an investigation should take place to find the root cause of the problem. It will cause the company to lose money and time as it tries to make improvements and get everything in order before the next audit. 


Basis for opinion

 This section of the audit report must mention that the audit was conducted according to the auditing standards of the country the company is based in. It may outline the responsibilities of each party under those standards, for example, that the business’s management is responsible for financial statements while the auditor is responsible for their opinion after performing an audit.

 The auditor should explain whether the evidence and findings are sufficient for them to provide an opinion. They should also describe which accounting principle applies to their audit. They may explain what the opinion is based on, meaning which documents were examined in order to form it. If this is an external audit, the auditor needs to mention that they are acting independently from the business. 



 Recommendations are made to the management of the company after the audit has been finalised. They are not mandatory, but once given, the managers have to follow the advice of the auditor, as they made a commitment before the audit. Implementation of the recommendations involves the actions the business can take to improve its compliance and to address any nonconformances that are present within the organisation. It is important for the business to act quickly after receiving the recommendations to ensure that the audit is beneficial. 

 The recommendations need to be taken with improvement as the main goal, as well as the management of risks. It is not enough to follow the advice of the auditor; management has to monitor the effectiveness of their actions and internal controls. It should be clear who is responsible for making the changes required, to establish better communication and results. 

 At the end of the audit report, there should be the auditor’s signature, the date of the report and the auditor’s address. If external sources were used, then the auditor needs to include a reference section. 



 An audit report can only be effective if the audit is performed correctly. The organisation will have to provide all relevant files to the auditor and provide them with the space to work within the company. If more documents are needed the business must be ready to provide them to ensure the timely completion of the audit. There has to be good communication between the auditor and the auditee to produce a better quality audit report. An audit report will have different content depending on the type of audit performed, but some sections remain the same for every report. 

 It is crucial that the business and the auditor cooperate to ensure that the results can help the organisation improve and avoid risks.
