DEV Community

ClawGear

35 ChatGPT Prompts for Internal Auditors (Claude, ChatGPT & DeepSeek)

Your audit committee report is due Thursday. The finding narrative for the access control gap has gone through four drafts because the control owner keeps objecting to the condition statement. You have two open corrective action plans from Q1 that need status updates before the next engagement planning meeting.

Internal audit documentation is where the work either holds up or falls apart.

The Institute of Internal Auditors (IIA) estimates that there are 200,000+ Certified Internal Auditors (CIAs) globally, with 150,000+ internal audit professionals working in U.S.-based organizations. The profession's documentation burden is structural: every engagement generates audit programs, risk and control matrices, working papers, finding narratives, management responses, and audit committee executive summaries. According to Protiviti's 2025 Internal Audit Capabilities and Needs Survey, internal auditors spend approximately 35% of their time on report writing and communication — more than on actual testing.

These 35 prompts cover seven internal audit documentation workflows: audit finding narratives, engagement planning documentation, risk and control matrices, audit committee communication, fraud investigation narratives, corrective action plan documentation, and professional development. They work with Claude, ChatGPT, and DeepSeek.

Important: Internal audit documentation is used in regulatory, legal, and compliance contexts. AI-generated output must be reviewed by the responsible auditor before use in any working paper, finding, or report. These prompts generate drafting frameworks — professional judgment, evidence evaluation, and management of sensitive findings remain the auditor's responsibility.


Why Internal Auditors Spend More Time on Documentation Than They Should

Three factors drive the internal audit documentation burden.

First, the four-element finding standard is unforgiving. A well-formed internal audit finding requires four distinct elements: condition (what is), criteria (what should be), cause (why the gap exists), and effect (what it means for the organization). Missing or weakly written elements lead to management objections, finding revisions, and contentious audit committee meetings. The IIA's International Professional Practices Framework (IPPF) doesn't offer a shortcut — every finding needs all four elements.

Second, the audience changes with every deliverable. Working papers are for future auditors and external reviewers. Finding narratives are for management and control owners. Audit committee reports are for board members who may not know what "segregation of duties" means. Writing the same finding at three different technical levels, accurately and quickly, is a skill that requires practice — and AI can scaffold the drafting.

Third, the fraud and IT audit overlap has expanded. Every large organization now needs AI governance audit coverage, cybersecurity control testing, and data analytics audit trail documentation — in addition to traditional financial controls. CIA-credentialed auditors are writing reports on topics that didn't exist as audit subjects five years ago.

These 35 prompts accelerate the writing layer. You provide the evidence. ChatGPT (or Claude, or DeepSeek) provides the structured draft.


Category 1: Audit Finding Narratives

The finding narrative is the most important deliverable in internal audit. These prompts generate four-element finding drafts — you verify against your working paper evidence and apply professional judgment to the rating and recommendation.


Prompt 1 — Standard Four-Element Finding Narrative

Write a four-element internal audit finding narrative.

Engagement: [ENGAGEMENT TITLE — e.g., "Q2 2026 IT General Controls Review"]
Finding title: [BRIEF TITLE — e.g., "Excessive User Access Privileges in ERP System"]
Risk rating: [HIGH / MEDIUM / LOW — per your organization's risk rating matrix]

Condition (what IS): [SPECIFIC OBSERVATION — what the auditor found. Use numbers, dates, and specific evidence. Avoid vague language like "some" or "many." E.g., "As of the test date of April 30, 2026, 47 of 312 active user accounts (15%) in the organization's SAP ERP system had system administrator (BASIS) privileges. Of the 47 accounts, 23 were assigned to personnel in non-IT business functions including Finance, HR, and Operations."]

Criteria (what SHOULD BE): [SPECIFIC STANDARD OR REQUIREMENT — policy, regulation, framework, or management commitment. E.g., "Per the organization's Information Security Policy (Section 4.3), system administrator access is to be restricted to IT personnel with a documented business need. The principle of least privilege requires that users have only the access necessary to perform their job functions."]

Cause (WHY the gap exists): [ROOT CAUSE — not a symptom. The cause should explain why the condition exists given the criteria. E.g., "The user access provisioning process does not include a control to prevent non-IT personnel from being granted BASIS privileges at onboarding. Access requests are manually processed by the IT helpdesk without automated role-segregation controls in the provisioning workflow."]

Effect (SO WHAT — the risk): [SPECIFIC IMPACT OR RISK — quantify where possible. E.g., "Excessive privileged access increases the risk of unauthorized changes to financial data, system configurations, and security settings. Users with BASIS access can bypass application-level controls and modify transaction records without detection by standard monitoring controls. Three of the 23 non-IT users with BASIS access have posting authority in the general ledger, creating a segregation of duties conflict."]

Recommendation: [SPECIFIC ACTION — who should do what by when. E.g., "Management should review all 312 active user accounts and revoke BASIS privileges from personnel in non-IT functions within 30 days. A quarterly access recertification process should be implemented, requiring business unit managers to certify appropriateness of all ERP access for direct reports."]

Under 500 words. Professional audit report language. Evidence-specific, not general.

Prompt 2 — Low-Risk Finding (Observation)

Write a low-risk internal audit observation narrative for inclusion in the management letter section of an audit report.

Observation title: [BRIEF TITLE]
Engagement context: [TYPE OF AUDIT — financial / operational / compliance / IT]
Condition: [WHAT WAS OBSERVED — specific, with evidence. Lower-risk findings often involve process inefficiencies, documentation gaps, or opportunities for control enhancement rather than control failures.]
Criteria: [RELEVANT STANDARD OR BEST PRACTICE — may be internal policy, industry best practice, or efficiency benchmark]
Cause: [WHY THIS EXISTS — often simpler for low-risk observations: training gap, manual process, legacy workaround]
Effect: [LIMITED RISK IMPACT — specific but proportionate. E.g., "The current manual reconciliation process increases the risk of mathematical errors and requires approximately 12 additional hours per month of staff time compared to the automated reconciliation available in the current ERP."]
Recommendation: [PRACTICAL, LOW-BURDEN — e.g., "Management should evaluate enabling the automated reconciliation module in the ERP, which is already licensed and available. Implementation is estimated at 4-8 hours of IT configuration time."]

Management letter observation format. Under 350 words. Proportionate language — low-risk findings should not read like high-risk findings.

Prompt 3 — IT/Cybersecurity Finding Narrative

Write an internal audit finding narrative for an IT or cybersecurity control deficiency.

Engagement: [IT AUDIT SCOPE — e.g., "2026 Cybersecurity Controls Assessment"]
Finding title: [E.g., "Multi-Factor Authentication Not Enabled for Privileged Remote Access"]
Risk rating: [HIGH / MEDIUM — cybersecurity findings are typically rated HIGH or CRITICAL]

Condition: [SPECIFIC TECHNICAL FINDING — e.g., "As of the audit test date [DATE], MFA was not enabled for [X] of [Y] privileged remote access accounts (VPN + privileged identity management tool). Testing confirmed that [NUMBER] system administrator accounts could authenticate remotely using a username and password only."]

Criteria: [SPECIFIC STANDARD — e.g., "NIST SP 800-63B Level 2 assurance requires MFA for all privileged access. The organization's own Remote Access Security Policy (Version 3.2, issued January 2025) requires MFA for all remote connections to systems classified as High or Critical in the data classification schema. The ERP and financial reporting systems accessed by the identified accounts are classified as Critical."]

Cause: [E.g., "The MFA implementation project was completed in Q3 2025 for standard user accounts but excluded privileged accounts due to a technical constraint in the legacy PIM tool. A remediation plan was documented but not implemented within the committed timeline."]

Effect: [E.g., "Privileged remote accounts without MFA are vulnerable to credential-based attacks including password spraying and credential stuffing. According to Verizon's 2025 DBIR, 68% of breaches involving credential-based attacks targeted remote access vectors. A successful attack on any of the [NUMBER] privileged accounts could allow unauthorized access to critical financial systems with potential for data exfiltration or fraudulent transactions."]

Recommendation: [SPECIFIC AND TIME-BOUND — e.g., "Management should implement MFA for all privileged remote access accounts within 60 days. The updated PIM tool version (v4.2, released Q1 2026) resolves the technical constraint identified as the original barrier."]

Under 500 words.

Prompt 4 — Segregation of Duties (SOD) Finding

Write a segregation of duties conflict finding narrative.

Engagement: [SCOPE — e.g., "Financial Close and Reporting Controls Review"]
Finding title: [E.g., "Inadequate Segregation of Duties in Accounts Payable — Journal Entry and Payment Approval"]
Risk rating: [HIGH — SOD findings typically HIGH due to fraud and error risk]

Condition: [SPECIFIC SOD CONFLICT — name the roles/functions that should be separated and confirm they're combined. E.g., "Audit testing confirmed that [X] employees in the Accounts Payable department have both (1) the ability to create and approve journal entries in the general ledger and (2) payment release authority in the ERP. Of the [NUMBER] employees with this conflicted access, [NUMBER] processed [NUMBER] journal entries and [NUMBER] payments during the test period [DATE RANGE], representing $[AMOUNT] in AP transactions."]

Criteria: [SOD STANDARD — e.g., "COSO's Internal Control — Integrated Framework requires that incompatible duties be separated to reduce the risk of error or fraud. Specifically, the ability to record transactions, authorize transactions, and have custody of assets should be divided among different individuals."]

Cause: [E.g., "The current SOD matrix was last reviewed in 2022 and does not reflect role changes resulting from the 2024 ERP migration. The ERP migration project consolidated several legacy system roles into combined ERP roles without a formal SOD impact analysis."]

Effect: [E.g., "The combined access creates an uncompensated risk that a single employee could initiate, approve, and process fraudulent payments without detection through standard system controls. During the test period, [NUMBER] payments totaling $[AMOUNT] were both initiated and approved by the same individual without a compensating review control."]

Recommendation: [SPECIFIC — e.g., "Management should update the SOD matrix to reflect current ERP roles, identify all conflicted user accounts, and implement role-based access changes to separate incompatible functions. Where full SOD cannot be achieved due to staffing constraints, compensating controls (enhanced management review, transaction monitoring reports) should be implemented and documented."]

Under 500 words.
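The Condition and Effect statements in Prompts 1 and 4 quote counts that come from an access-rights test run before the narrative is drafted. As an added example that is not code from the post, the following Python runs those tests over a constructed ERP access extract and payment list; the role codes, department names and the record/authorize/custody role mapping are assumptions, and the SOD check generalizes the prompt's single conflict to any pair of COSO's three incompatible functions named in Prompt 4's criteria.

```python
"""Access-privilege and segregation-of-duties (SOD) tests over a constructed ERP access extract.

Added example: role codes, department names and the SOD function map are
assumptions for illustration, not taken from any real system or from the post.
"""
from decimal import Decimal
from itertools import combinations

# Constructed sample: one row per active user account as pulled from the ERP.
ACCESS_EXTRACT = [
    {"user": "u001", "dept": "IT",         "roles": {"BASIS", "JE_VIEW"}},
    {"user": "u002", "dept": "Finance",    "roles": {"BASIS", "JE_CREATE", "JE_APPROVE"}},
    {"user": "u003", "dept": "Finance",    "roles": {"JE_CREATE", "JE_APPROVE", "PAY_RELEASE"}},
    {"user": "u004", "dept": "HR",         "roles": {"BASIS"}},
    {"user": "u005", "dept": "Operations", "roles": {"JE_CREATE", "PAY_RELEASE"}},
    {"user": "u006", "dept": "Finance",    "roles": {"JE_APPROVE"}},
    {"user": "u007", "dept": "IT",         "roles": {"BASIS"}},
]

# Constructed sample: payments released during the test period.
PAYMENTS = [
    {"id": "P1", "amount": Decimal("12000.00"), "initiated_by": "u003", "approved_by": "u003"},
    {"id": "P2", "amount": Decimal("5400.50"),  "initiated_by": "u005", "approved_by": "u003"},
    {"id": "P3", "amount": Decimal("87500.00"), "initiated_by": "u005", "approved_by": "u005"},
    {"id": "P4", "amount": Decimal("910.25"),   "initiated_by": "u003", "approved_by": "u006"},
]

IT_DEPARTMENTS = {"IT"}
PRIVILEGED_ROLES = {"BASIS"}   # system administrator role in the prompt's SAP example

# COSO triad from Prompt 4's criteria: recording, authorizing and custody of
# assets should sit with different people. Each function maps to the ERP roles
# that grant it (assumed role codes); any two functions are incompatible.
SOD_FUNCTIONS = {
    "RECORD":    {"JE_CREATE"},
    "AUTHORIZE": {"JE_APPROVE"},
    "CUSTODY":   {"PAY_RELEASE"},
}


def privileged_non_it_users(extract, privileged=PRIVILEGED_ROLES, it_depts=IT_DEPARTMENTS):
    """Prompt 1 condition: accounts holding a privileged role outside IT."""
    return sorted(r["user"] for r in extract
                  if r["roles"] & privileged and r["dept"] not in it_depts)


def sod_conflicts(extract, functions=SOD_FUNCTIONS):
    """Prompt 4 condition, generalized: map each user to the incompatible
    function pairs they hold (a user absent from the result has no conflict)."""
    conflicts = {}
    for r in extract:
        held = sorted(f for f, roles in functions.items() if r["roles"] & roles)
        pairs = [f"{a}+{b}" for a, b in combinations(held, 2)]
        if pairs:
            conflicts[r["user"]] = pairs
    return conflicts


def self_approved_payments(payments):
    """Prompt 4 effect: payments initiated and approved by the same person,
    i.e. where the conflicted access was actually exercised, not just held."""
    return [p for p in payments if p["initiated_by"] == p["approved_by"]]


def finding_condition(extract, payments):
    """The figures quoted in the Condition and Effect statements of the finding."""
    total = len(extract)
    privileged = [r["user"] for r in extract if r["roles"] & PRIVILEGED_ROLES]
    exercised = self_approved_payments(payments)
    return {
        "active_accounts": total,
        "privileged_accounts": len(privileged),
        "privileged_pct": round(100 * len(privileged) / total),
        "privileged_non_it": privileged_non_it_users(extract),
        "sod_conflicted_users": sorted(sod_conflicts(extract)),
        "self_approved_count": len(exercised),
        "self_approved_total": sum((p["amount"] for p in exercised), Decimal("0")),
    }


if __name__ == "__main__":
    c = finding_condition(ACCESS_EXTRACT, PAYMENTS)
    print(f"{c['privileged_accounts']} of {c['active_accounts']} active accounts "
          f"({c['privileged_pct']}%) hold BASIS; non-IT holders: {c['privileged_non_it']}")
    for user, pairs in sod_conflicts(ACCESS_EXTRACT).items():
        print(f"SOD conflict {user}: {', '.join(pairs)}")
    print(f"{c['self_approved_count']} self-approved payments totaling {c['self_approved_total']}")
```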

Prompt 5 — Positive Observation (Noteworthy Practice)

Write a positive internal audit observation for a noteworthy practice.

Engagement: [SCOPE]
Practice observed: [SPECIFIC CONTROL OR PROCESS THAT IS WORKING EXCEPTIONALLY WELL — e.g., "The treasury reconciliation process includes daily automated bank-to-ERP reconciliation with exception reporting reviewed by two independent staff members — a control design that exceeds standard industry practice"]
Why this is noteworthy: [SPECIFIC — e.g., "The automated reconciliation process identified [NUMBER] bank discrepancies in Q1 2026 that were resolved within 24 hours. Prior to implementation in 2024, manual reconciliation resulted in an average of 7 days to identify and resolve discrepancies."]
Who implemented it: [TEAM OR DEPARTMENT — to give credit appropriately]
Replication potential: [OTHER DEPARTMENTS OR PROCESSES WHERE THIS APPROACH COULD BE APPLIED]

Noteworthy practice format. Under 250 words. Positive observations build trust with management and create a complete audit picture.

Category 2: Engagement Planning Documentation


Prompt 6 — Engagement Planning Memorandum

Write an internal audit engagement planning memorandum.

Engagement: [TITLE AND AUDIT TYPE]
Planned audit period: [DATE RANGE]
Audit team: [LEAD AUDITOR, STAFF AUDITORS — names or roles]
Engagement objectives: [2-4 SPECIFIC OBJECTIVES — what the engagement will assess]
Scope: [SPECIFIC — processes, systems, locations, time period included]
Scope exclusions: [WHAT IS EXPLICITLY NOT IN SCOPE — and why]
Inherent risk assessment: [KEY RISKS IDENTIFIED PRE-FIELDWORK — e.g., "High — recent ERP migration; high volume of related-party transactions; material restatement in prior year"]
Approach: [AUDIT METHODOLOGY — risk-based sampling / 100% population testing / data analytics / walkthrough — specify for each major area]
Sample selection methodology: [HOW SAMPLES WILL BE SELECTED AND SIZED — MUS, random, judgmental]
Preliminary timeline: [KEY MILESTONES — fieldwork start/end, draft report, management response, final report]
Resources required: [HOURS, SPECIALIZED SKILLS, DATA ANALYTICS TOOLS]
Key stakeholder contacts: [MANAGEMENT CONTACTS FOR EACH AUDIT AREA]
Coordination with external auditors: [ANY RELIANCE ON EXTERNAL AUDIT WORK OR COORDINATION PLANNED]

Planning memo format. Under 500 words.

Prompt 7 — Audit Risk Assessment

Write a risk assessment for an internal audit engagement.

Engagement: [TITLE]
Business unit/process assessed: [SPECIFIC AREA]
Risk assessment methodology: [IIA IPPF / COSO / CUSTOM — describe approach]
Inherent risks identified:
  Risk 1: [TITLE] — [DESCRIPTION] — Likelihood: [HIGH/MEDIUM/LOW] — Impact: [HIGH/MEDIUM/LOW] — Inherent Risk: [HIGH/MEDIUM/LOW]
  Risk 2: [TITLE] — [DESCRIPTION] — Likelihood/Impact/Inherent Risk
  Risk 3: [TITLE] — [DESCRIPTION] — Likelihood/Impact/Inherent Risk
  [Add as needed]
Residual risks (after consideration of existing controls):
  Risk 1: [EXISTING CONTROL] — Residual risk after control: [HIGH/MEDIUM/LOW]
  Risk 2: [EXISTING CONTROL] — Residual risk after control
Priority areas for audit focus: [TOP 2-3 RISKS DRIVING AUDIT PROGRAM DESIGN — and why]
Risk areas deferred: [LOWER-RISK AREAS NOT INCLUDED IN THIS ENGAGEMENT — note for future planning]

Risk assessment format. Under 500 words. Risk ratings should be consistent with the organization's risk matrix.

Prompt 8 — Control Testing Workpaper

Write a control testing workpaper narrative for a specific control.

Control tested: [CONTROL NAME AND CONTROL OBJECTIVE — e.g., "Management review of journal entries — designed to detect unauthorized or erroneous entries in the general ledger"]
Control frequency: [DAILY / WEEKLY / MONTHLY / PER TRANSACTION]
Testing approach: [WALKTHROUGH / ATTRIBUTE SAMPLING / STATISTICAL SAMPLING — describe]
Population: [SIZE AND DESCRIPTION OF THE POPULATION — e.g., "All manual journal entries processed from January 1 through March 31, 2026 — 1,847 entries totaling $247 million"]
Sample selected: [NUMBER — and selection methodology: random / MUS / judgmental]
Control performance criteria: [WHAT CONSTITUTES OPERATING EFFECTIVENESS — e.g., "Journal entry must have documented preparer, reviewer, and approval with evidence of review (reviewer sign-off or ERP approval timestamp) within [X] hours of entry date"]
Testing results:
  [NUMBER] of [SAMPLE SIZE] tested: [CONTROL OPERATED EFFECTIVELY — no exceptions]
  [NUMBER] of [SAMPLE SIZE]: [CONTROL EXCEPTION — describe what was missing or incorrect]
Conclusion: [EFFECTIVE / EFFECTIVE WITH EXCEPTIONS / INEFFECTIVE — with quantification: e.g., "[X]% exception rate — threshold for effective conclusion is X%"]
Supporting documentation: [CROSS-REFERENCE TO SUPPORTING WORKPAPERS OR EXHIBITS]

Under 400 words. Workpaper documentation standard per IIA IPPF — sufficient to allow an independent reviewer to reach the same conclusion.

Prompt 9 — Data Analytics Workpaper Summary

Write a data analytics workpaper summary for an internal audit data analysis.

Engagement: [TITLE]
Analytics objective: [WHAT THE ANALYSIS WAS DESIGNED TO IDENTIFY — e.g., "Identify vendor payments processed outside normal business hours, which may indicate unauthorized transactions"]
Data source: [SYSTEM, TABLE, AND DATE RANGE — e.g., "Accounts Payable transaction data from SAP FI module, January 1 through March 31, 2026"]
Population analyzed: [TOTAL NUMBER OF RECORDS AND $ AMOUNT]
Query/analysis performed: [DESCRIPTION OF THE ANALYTICAL TEST — e.g., "All vendor payments with a transaction timestamp between 6:00 PM and 6:00 AM, or on weekends, were extracted and compared against the approved vendor master list"]
Results:
  [NUMBER] transactions — [$ AMOUNT] — met the criteria
  Of those, [NUMBER] were reviewed and determined to be [LEGITIMATE / WARRANTING FURTHER INVESTIGATION — explain]
Exceptions escalated for follow-up: [NUMBER AND SUMMARY — or "none"]
Limitations: [DATA QUALITY ISSUES, SCOPE LIMITATIONS — e.g., "Analysis is limited to payments processed in SAP; manual check payments processed outside SAP were excluded"]
Conclusion: [SUMMARY CONCLUSION — whether the analytics results are incorporated into a finding or closed as expected]

Under 400 words.
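The analytical test described in Prompt 9 (payments posted between 6:00 PM and 6:00 AM or on weekends, compared against the approved vendor master), implemented over constructed AP data as an added example that is not code from the post; the document numbers, vendor IDs, amounts and the inclusive 6 PM / exclusive 6 AM boundary handling are assumptions.

```python
"""Off-hours vendor payment analytic from the Prompt 9 example, over constructed AP data.

Added example: document numbers, vendor IDs, amounts and the 6 PM / 6 AM
window boundaries are assumptions for illustration, not data from the post.
"""
from datetime import datetime, time
from decimal import Decimal

# Constructed sample: AP payment postings (timestamps are local system time).
TRANSACTIONS = [
    {"doc": "5100001", "vendor": "V100", "amount": Decimal("4200.00"),  "posted": "2026-01-12T10:15:00"},
    {"doc": "5100002", "vendor": "V100", "amount": Decimal("1800.00"),  "posted": "2026-01-12T18:00:00"},
    {"doc": "5100003", "vendor": "V205", "amount": Decimal("95000.00"), "posted": "2026-01-17T11:30:00"},
    {"doc": "5100004", "vendor": "V999", "amount": Decimal("12750.00"), "posted": "2026-01-14T23:45:00"},
    {"doc": "5100005", "vendor": "V310", "amount": Decimal("600.00"),   "posted": "2026-01-15T05:59:59"},
    {"doc": "5100006", "vendor": "V310", "amount": Decimal("3300.00"),  "posted": "2026-01-15T06:00:00"},
    {"doc": "5100007", "vendor": "V999", "amount": Decimal("500.00"),   "posted": "2026-01-16T14:00:00"},
]

# Constructed approved vendor master as of the test date.
APPROVED_VENDORS = {"V100", "V205", "V310"}

OFF_HOURS_START = time(18, 0)   # 6:00 PM, inclusive (assumed boundary)
OFF_HOURS_END = time(6, 0)      # 6:00 AM, exclusive (assumed boundary)


def is_off_hours(posted: datetime, start=OFF_HOURS_START, end=OFF_HOURS_END) -> bool:
    """True for a weekend posting, or a weekday time in the overnight window [start, end)."""
    if posted.weekday() >= 5:          # Monday=0 ... Saturday=5, Sunday=6
        return True
    t = posted.time()
    # The window wraps midnight, so it is the union of two half-day ranges.
    return t >= start or t < end


def off_hours_payment_test(transactions, approved_vendors):
    """Run the analytic and return the figures the workpaper summary needs:
    the population, the items meeting the criteria, and the items whose vendor
    is not in the approved master (the exceptions to escalate for follow-up).

    Scope limit worth stating in the Limitations section: a daytime payment to
    an unapproved vendor is outside this test's criteria and is not flagged."""
    zero = Decimal("0")
    flagged = [t for t in transactions
               if is_off_hours(datetime.fromisoformat(t["posted"]))]
    unapproved = [t for t in flagged if t["vendor"] not in approved_vendors]
    return {
        "population_count": len(transactions),
        "population_total": sum((t["amount"] for t in transactions), zero),
        "flagged": flagged,
        "flagged_total": sum((t["amount"] for t in flagged), zero),
        "unapproved_vendor": unapproved,
        "unapproved_total": sum((t["amount"] for t in unapproved), zero),
    }


if __name__ == "__main__":
    r = off_hours_payment_test(TRANSACTIONS, APPROVED_VENDORS)
    print(f"Population: {r['population_count']} payments, {r['population_total']}")
    print(f"Met criteria: {len(r['flagged'])} payments, {r['flagged_total']}")
    for t in r["unapproved_vendor"]:
        print(f"Escalate doc {t['doc']}: vendor {t['vendor']} not in approved master, {t['amount']}")
```

Payment 5100007 goes to an unapproved vendor during business hours and is correctly left unflagged by this test; that gap belongs in the workpaper's Limitations section rather than in its Results.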

Prompt 10 — Management Representation Letter Request

Write a management representation letter request for an internal audit engagement.

Chief Audit Executive or Engagement Lead: [NAME]
Recipient (management): [CFO / CONTROLLER / PROCESS OWNER NAME — appropriate level for this engagement]
Engagement: [TITLE]
Information requested for representation:
  1. [MANAGEMENT ASSERTION — e.g., "All material information affecting the [PROCESS] was made available to the audit team"]
  2. [SPECIFIC ASSERTION — e.g., "There are no unrecorded liabilities or commitments outside the normal course of business related to the audited period"]
  3. [FRAUD-RELATED — e.g., "Management has no knowledge of fraud or suspected fraud affecting the audited processes"]
  4. [COMPLIANCE — e.g., "All known violations of laws and regulations have been disclosed to the audit team"]
  5. [CORRECTIVE ACTIONS — e.g., "Corrective action plans submitted in response to audit findings represent management's complete and accurate remediation plans"]
Request for signature by: [DATE]
Transmission: [EMAIL / FORMAL LETTER — describe format]

Under 300 words. Note that management representation letters are IIA best practice and support the audit conclusion.

Category 3: Risk and Control Matrix (RCM) Documentation


Prompt 11 — RCM Narrative for Key Control

Write a risk and control matrix narrative description for a key financial control.

Process: [PROCESS NAME — e.g., "Financial Close and Reporting" / "Procurement to Pay" / "Revenue Recognition"]
Control ID: [INTERNAL REFERENCE — e.g., FIN-04]
Control name: [SPECIFIC — e.g., "Management Review of Monthly Account Reconciliations"]
Control type: [DETECTIVE / PREVENTIVE — and MANUAL / AUTOMATED / SEMI-AUTOMATED]
Control frequency: [DAILY / WEEKLY / MONTHLY / PER-TRANSACTION]
Control owner: [ROLE TITLE AND DEPARTMENT]
Control description: [HOW THE CONTROL OPERATES IN PRACTICE — 3-5 sentences of specific process language. Describe who performs the control, what they review, what evidence they review it against, what they do if an exception is identified, and how performance of the control is evidenced.]
Risk addressed: [SPECIFIC RISK — e.g., "Inaccurate account balances reported in financial statements due to undetected posting errors or unauthorized adjustments"]
Financial statement assertion(s): [COMPLETENESS / ACCURACY / EXISTENCE / VALUATION / CLASSIFICATION / OCCURRENCE / RIGHTS AND OBLIGATIONS — applicable assertions]
Key control: [YES — explain why this control is key to the overall control environment / NO]

RCM narrative format. Under 350 words.

Prompt 12 — Control Gap Analysis Narrative

Write a control gap analysis narrative for a process with insufficient control coverage.

Process: [PROCESS NAME]
Risk not adequately covered by existing controls: [SPECIFIC RISK — e.g., "Unauthorized changes to standing payment instructions for high-value vendors"]
Existing controls reviewed: [LIST CURRENT CONTROLS AND WHY THEY ARE INSUFFICIENT — e.g., "Payment approval control (FIN-07) requires manager authorization for payments over $50K, but does not include a control to detect changes to the bank account or routing number in the vendor master before payment release"]
Control gap: [SPECIFIC — what is not being addressed and why it matters]
Risk exposure: [QUANTIFIED IF POSSIBLE — e.g., "During the test period, $47 million in payments were made to the top 10 vendors. A successful business email compromise (BEC) attack targeting payment instruction changes would expose this payment volume to misdirection."]
Recommended control to add: [SPECIFIC NEW CONTROL — describe how it would work, who would own it, and what evidence of performance would look like]
Compensating control (if recommended control cannot be implemented immediately): [DESCRIBE — e.g., "Until the automated change detection control is implemented, require phone confirmation to a known vendor contact for all payment instruction changes"]

Under 400 words.

Category 4: Audit Committee Communication


Prompt 13 — Audit Committee Executive Summary

Write an audit committee executive summary for a completed internal audit engagement.

Engagement: [TITLE]
Report date: [DATE]
Audit period: [DATE RANGE]
Engagement conclusion: [OVERALL RATING — e.g., Satisfactory / Needs Improvement / Unsatisfactory — per your organization's rating scale]

Executive summary (for board-level readers — no jargon):
  Scope: [1-2 sentences — what was audited and why it was selected]
  Overall assessment: [2-3 sentences — what the audit found in plain language — e.g., "The procurement process has strong approval controls and vendor management practices. Two areas require management attention: access controls to the vendor master require strengthening, and contract review for sole-source awards needs a more consistent process."]

Finding summary table:
  Finding 1: [TITLE] — [HIGH / MEDIUM / LOW] — [1 sentence description]
  Finding 2: [TITLE] — [RATING] — [1 sentence]
  Finding 3: [TITLE] — [RATING] — [1 sentence]
  (if applicable — positive observation): [NOTEWORTHY PRACTICE — 1 sentence]

Management response: [AGREED TO ALL RECOMMENDATIONS WITH TARGET DATES / PARTIALLY AGREED — NOTE DISAGREEMENTS]
Corrective action timeline: [WHEN ALL ITEMS WILL BE RESOLVED — specific dates for high-risk findings]

Under 400 words. Board-level language — no technical acronyms without definition.

Prompt 14 — Internal Audit Activity Report (Quarterly/Annual)

Write a quarterly or annual internal audit activity report for the audit committee.

Reporting period: [QUARTER/YEAR]
CAE presenting: [NAME]
Engagements completed this period: [LIST — engagement name, type, report date, overall rating]
Engagements in progress: [LIST — engagement name, type, estimated completion]
Planned audits deferred: [LIST — and reason for deferral]
Open findings status:
  Total open findings: [NUMBER]
  High risk open: [NUMBER — and whether any are past due]
  Medium risk open: [NUMBER]
  Closed this period: [NUMBER]
  Overdue corrective actions: [NUMBER — and which management area owns them]
Quality assurance: [EXTERNAL QUALITY ASSESSMENT STATUS — if applicable / PEER REVIEW STATUS / INTERNAL SELF-ASSESSMENT COMPLETED DATE]
Resources: [CURRENT TEAM SIZE vs. PLAN / VACANCIES / USE OF CO-SOURCING]
Emerging risks for next period: [TOP 2-3 RISK AREAS BEING MONITORED — why they are on the radar]

Audit committee reporting format. Under 500 words.

Prompt 15 — Audit Committee Follow-Up on Prior Findings

Write an audit committee update on the status of prior year audit findings and corrective actions.

Period: [REPORTING DATE]
Prior year findings reviewed: [NUMBER]
Status by finding:
  Finding 1: [TITLE — ORIGINAL RISK RATING]
    Original recommendation: [BRIEF — what management was asked to do]
    Management's committed action: [WHAT THEY SAID THEY'D DO — per original management response]
    Target date: [ORIGINAL DATE]
    Current status: [COMPLETED — evidence reviewed and verified DATE / IN PROGRESS — X% complete, new target date / OVERDUE — [NUMBER] days past target, updated explanation from management / NOT STARTED — management explanation]
  Finding 2: [REPEAT FORMAT]
  Finding 3: [REPEAT FORMAT]
Summary: [X OF Y FINDINGS FULLY REMEDIATED / Z FINDINGS OPEN — [NUMBER] HIGH RISK OVERDUE]
Recommendation to audit committee: [FINDINGS REQUIRING ESCALATION OR BOARD ATTENTION — specific, with recommended action]

Under 400 words. Status should be verified by the audit team — do not accept management's word on completion without evidence review.

Category 5: Fraud Investigation Documentation


Prompt 16 — Preliminary Fraud Investigation Referral Memo

Write a preliminary fraud investigation referral memo from the internal audit function.

Prepared by: [CAE or LEAD AUDITOR NAME]
Recipients: [GENERAL COUNSEL, CEO, AUDIT COMMITTEE CHAIR — as appropriate per fraud response plan]
Date: [DATE]
Subject: [CONFIDENTIAL — Preliminary Notification of Suspected Fraud or Misconduct]

Summary of allegation or indication: [SPECIFIC — how the matter came to audit's attention — e.g., hotline tip, audit exception, management referral]

Preliminary facts known at this time: [WHAT IS DOCUMENTED — without speculation or conclusion. E.g., "Audit testing identified [NUMBER] vendor payments totaling $[AMOUNT] to a vendor address matching the home address of Employee A. The vendor has no documented contract in the contract management system and was not in the approved vendor master as of [DATE]."]

Individuals potentially involved: [NAMES AND ROLES — if known. This is preliminary — do not conclude guilt.]

Documents and evidence preserved: [WHAT HAS BEEN SECURED — e.g., "System access logs, vendor master records, payment records, and Employee A's email files have been preserved as of [DATE and TIME]"]

Recommended next steps: [SPECIFIC — who should conduct the investigation, whether external resources are needed, whether HR and Legal should be engaged, whether law enforcement notification is appropriate at this stage]

Confidentiality notice: This memo is an attorney-client privileged communication if sent to General Counsel. [ADD IF APPLICABLE]

Under 400 words. Factual, non-conclusory. Fraud memos frequently become legal documents.

Prompt 17 — Fraud Interview Summary (Witness)

Write a fraud investigation interview summary note for a witness interview.

Interviewer(s): [NAME(S) AND ROLE(S) — if more than one person, specify who asked questions and who took notes]
Interviewee: [NAME AND ROLE — confirm spelling and title]
Date, time, location: [SPECIFIC]
Purpose of interview: [WHAT INFORMATION WAS SOUGHT]
Key statements (paraphrased, not verbatim unless verbatim quote is critical):
  On [TOPIC 1]: [WHAT THE WITNESS SAID — factual paraphrase. Note if the witness said they didn't know something, not just what they affirmed.]
  On [TOPIC 2]: [PARAPHRASE]
  On [TOPIC 3]: [PARAPHRASE]
Documents reviewed during or provided after the interview: [LIST]
Inconsistencies or concerns noted: [ANY STATEMENTS THAT CONTRADICT OTHER EVIDENCE — document without editorializing]
Follow-up items: [WHAT NEEDS TO BE VERIFIED OR FOLLOWED UP — specific]
Interview recording/notes: [RECORDED WITH CONSENT / NOTES TAKEN — disposition of notes]

Under 400 words. Interview notes should be factual. Never characterize a witness as credible or not credible in the written record.

Prompt 18 — Fraud Root Cause Analysis

Write a fraud root cause analysis for a completed fraud investigation.

Investigation summary: [BRIEF — what happened, who was involved, $ amount, how it was perpetrated]
Root causes identified:
  Control failure 1: [SPECIFIC — e.g., "Vendor master change approval was not required for changes to existing vendor bank account information — a single accounts payable clerk could change routing numbers without review"]
  Control failure 2: [SPECIFIC — e.g., "Quarterly vendor master reconciliation was not performed — new vendors matching employee address or SSN were not detected"]
  Detection gap: [HOW LONG THE FRAUD WENT UNDETECTED AND WHY — e.g., "The fraud continued for 22 months because the reconciliation that would have detected the address match was suspended during the ERP migration and not reinstated"]
Tone-at-the-top factors: [IF APPLICABLE — management culture, pressure, inadequate oversight]
Recommended systemic controls: [SPECIFIC CHANGES — process, system, and monitoring controls to prevent recurrence]
Employee acknowledgment: [TRAINING OR ACKNOWLEDGMENT PROGRAM TO REINFORCE VENDOR MANAGEMENT CONTROLS]

Root cause analysis format. Under 450 words. RCA is forward-looking — the goal is prevention, not blame.

Category 6: Corrective Action Plans


Prompt 19 — Management Response to Audit Finding

Write a management response to an internal audit finding for inclusion in the audit report.

Finding addressed: [FINDING TITLE AND RISK RATING]
Finding condition summary: [1-2 SENTENCE RECAP OF WHAT AUDIT FOUND]
Management response position: [AGREE / PARTIALLY AGREE / DISAGREE — AND BASIS]

If agree:
  Management action: [SPECIFIC — what management will do to address the root cause and condition. More specific than "will improve the control." E.g., "The IT Security team will implement role-based access controls in the ERP to prevent non-IT personnel from being assigned BASIS privileges. A configuration change will be deployed in the next change control window (scheduled for [DATE])."]
  Owner: [SPECIFIC PERSON — name and title, not "management"]
  Target completion date: [SPECIFIC DATE — not "Q3 2026"]
  Compensating control (if applicable): [WHAT IS IN PLACE UNTIL THE TARGET DATE IS MET]

If partially agree or disagree: [MANAGEMENT'S SPECIFIC OBJECTION — factual basis for disagreement with the finding's condition, criteria, cause, or effect. Note: disagreements with findings should be reviewed by the CAE and documented accurately.]

Under 300 words. Management responses should be specific and commitment-based — "will improve" is not a management response.

Prompt 20 — Corrective Action Plan Tracking Note

Write a corrective action plan tracking status update for audit follow-up.

Finding: [TITLE — ORIGINAL RISK RATING — ENGAGEMENT NAME]
Original target date: [DATE]
Current date of follow-up: [DATE]
Status: [COMPLETED / IN PROGRESS / OVERDUE / REDESIGNED]

If completed:
  Evidence reviewed: [SPECIFIC DOCUMENTS REVIEWED TO VERIFY COMPLETION — e.g., "Updated access control matrix showing removed BASIS privileges reviewed on [DATE]; reviewed list of 312 active user accounts — 0 non-IT users with BASIS access as of verification date"]
  Verification conclusion: [FINDING REMEDIATED / PARTIALLY REMEDIATED — describe what remains open]

If in progress:
  Milestone completed to date: [WHAT HAS BEEN DONE — specific]
  Remaining actions: [WHAT IS STILL OUTSTANDING — specific]
  Revised target date (if changed): [DATE — and management explanation for delay]

If overdue:
  Original target: [DATE]
  Days overdue: [NUMBER]
  Management explanation for delay: [WHAT MANAGEMENT SAID — verbatim or close paraphrase]
  Escalation recommended: [YES — to CAE and audit committee / NO — and basis]

Under 300 words.
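The verification step in Prompt 20 depends on evidence drawn from the system rather than from management's say-so. The following Python script is an added example, not part of the original post or of any toolkit it describes; it assumes a constructed ERP user export (login, department, assigned roles, active flag), a privileged role named BASIS, and IT as the only department approved to hold it, matching the access control scenario used in Prompts 19 and 20. It produces the population count, the exception list, the status and the days-overdue figure that the tracking note asks for, so the "evidence reviewed" line can be re-run at the next follow-up instead of restated from memory.

```python
"""
Added example: reproduce the "evidence reviewed" line of a corrective
action plan follow-up from a system export instead of an assertion.

Assumptions (constructed for this example, not from the post): the ERP
exports a user listing with login, department, roles and an active flag;
"BASIS" is the privileged role named in the finding; only the "IT"
department is approved to hold it.
"""
from dataclasses import dataclass
from datetime import date

PRIVILEGED_ROLE = "BASIS"       # role named in the finding (assumption)
APPROVED_DEPARTMENTS = {"IT"}   # departments allowed to hold it (assumption)


@dataclass(frozen=True)
class UserAccount:
    login: str
    department: str
    roles: frozenset
    active: bool


# Constructed sample export; a real follow-up loads the ERP's user listing.
SAMPLE_EXPORT = [
    UserAccount("jdoe",   "IT",      frozenset({"BASIS", "DISPLAY_ALL"}), True),
    UserAccount("asmith", "Finance", frozenset({"AP_CLERK"}),             True),
    UserAccount("bwong",  "Finance", frozenset({"AP_CLERK", "BASIS"}),    True),   # exception
    UserAccount("clee",   "HR",      frozenset({"BASIS"}),                False),  # inactive: outside population
]


def privileged_exceptions(accounts):
    """Active accounts holding the privileged role outside approved departments."""
    return sorted(
        a.login for a in accounts
        if a.active
        and PRIVILEGED_ROLE in a.roles
        and a.department not in APPROVED_DEPARTMENTS
    )


def days_overdue(verification_date, target_date):
    """Days past the target date; zero if the follow-up is on or before it."""
    return max((verification_date - target_date).days, 0)


def cap_status(verification_date, target_date, exceptions):
    """Map the verification result onto the tracking note's status values."""
    if not exceptions:
        return "COMPLETED"
    return "OVERDUE" if verification_date > target_date else "IN PROGRESS"


def tracking_note(accounts, verification_date, target_date):
    """Build the fields of the corrective action plan tracking note."""
    active = [a for a in accounts if a.active]
    exceptions = privileged_exceptions(accounts)
    status = cap_status(verification_date, target_date, exceptions)
    overdue = days_overdue(verification_date, target_date) if status == "OVERDUE" else 0
    approved = "/".join(sorted(APPROVED_DEPARTMENTS))
    evidence = (
        f"Reviewed list of {len(active)} active user accounts on "
        f"{verification_date.isoformat()}; {len(exceptions)} non-{approved} "
        f"users with {PRIVILEGED_ROLE} access as of verification date"
    )
    return {
        "status": status,
        "population": len(active),
        "exceptions": exceptions,
        "days_overdue": overdue,
        "escalation_recommended": status == "OVERDUE",  # to CAE and audit committee
        "evidence": evidence,
    }


if __name__ == "__main__":
    note = tracking_note(SAMPLE_EXPORT, date(2026, 4, 15), date(2026, 3, 31))
    for key, value in note.items():
        print(f"{key}: {value}")
```

Keeping the exception list (not just the count) in the working paper lets the next reviewer trace each remaining account to the management explanation for the delay; the inactive account is excluded from the population because the finding concerns usable privileges, but a disabled account that still carries the role is worth a separate observation about role cleanup.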

Category 7: Professional Development


Prompt 21 — CIA Exam Study Plan

Write a CIA (Certified Internal Auditor) exam study plan.

Candidate: [NAME]
Current credentials: [BACHELOR'S OR MASTER'S DEGREE — and any experience completed]
CIA exam experience level: [STARTING PART 1 / PREPARING FOR PART 2 / PREPARING FOR PART 3]
Target exam date: [MONTH AND YEAR]
Available study time per week: [HOURS]
Study resources selected:
  Primary: [COURSE/TEXTBOOK — e.g., Gleim CIA Review, IIA CIA Learning System, Surgent CIA Review]
  Supplemental: [MOCK EXAMS, FLASHCARDS, STUDY GROUPS — describe]
CIA Part [X] Content Domains to cover:
  Domain 1: [TITLE — allocated study time]
  Domain 2: [TITLE — allocated study time]
  Domain 3: [TITLE — allocated study time]
  Domain 4: [TITLE — if Part 1 or 2 — allocated study time]
Weekly schedule outline:
  Weeks 1-[X]: [CONTENT DOMAIN FOCUS AND WEEKLY HOURS]
  Final 3 weeks: [REVIEW AND PRACTICE EXAM FOCUS]
Exam logistics: [REGISTRATION WITH IIA / PEARSONVUE SCHEDULING / SCORE REPORT TIMELINE]

Under 350 words. CIA has no exam expiration once enrolled — but most candidates perform best with consistent study over 8-16 weeks per part.

Prompt 22 — CPE Reflection for IIA Membership

Write a continuing professional education reflection for IIA annual CPE requirements.

Auditor: [NAME AND CIA/QIAL/CCSA/CFSA — or other IIA credentials]
CPE requirement: [40 hours per year per IIA Standards 1230]
CPE activity: [CONFERENCE / WEBINAR / COURSE / SELF-STUDY — TITLE, PROVIDER, DATE, HOURS]
Key insights applicable to internal audit practice:
  1. [SPECIFIC — e.g., "AI governance audit frameworks are being adopted at 31% of Fortune 500 companies — IIA's 2026 survey data; our organization should prioritize AI controls audit in the next annual plan"]
  2. [SPECIFIC — e.g., "Continuous monitoring programs reduce audit finding recurrence rates by 40% compared to point-in-time testing — evidence for proposing a continuous monitoring pilot in the cash disbursements process"]
  3. [ADDITIONAL SPECIFIC INSIGHT]
How I will apply this in the next engagement: [CONCRETE — e.g., "Will incorporate AI governance testing into the planned Q3 ERP controls audit using the IIA's 3-Lines model framework"]

Under 250 words. CPE is not compliance — it's professional development. Document what you actually learned.

Prompt 23 — Annual Internal Audit Department Self-Assessment

Write an annual internal audit department self-assessment narrative for IIA Standards conformance.

CAE: [NAME]
Period assessed: [YEAR]
Self-assessment methodology: [INTERNAL QA CHECKLIST / PEER REVIEW / EXTERNAL QUALITY ASSESSMENT — which was conducted]
IIA Standards assessed: [ALL MANDATORY GUIDANCE / SPECIFIC STANDARDS — list]
Conformance summary:
  Generally conforms: [LIST STANDARDS AREAS WHERE THE DEPARTMENT FULLY MEETS REQUIREMENTS]
  Partially conforms: [LIST AREAS WHERE GAPS EXIST — and improvement plan for each]
  Does not conform: [LIST — and action plan with owner and timeline]
Key improvements made this year: [SPECIFIC — e.g., "Implemented engagement quality review for all high-risk audit reports; updated risk assessment methodology to align with COSO ERM 2017; completed training on data analytics for all audit staff"]
Goals for next year: [SPECIFIC — 3-5 IMPROVEMENT INITIATIVES]
External quality assessment plan: [SCHEDULED DATE — IIA requires EQA at least every 5 years]

QA narrative format. Under 400 words.

Prompt 24 — Peer Feedback Note for Audit Staff

Write a peer feedback note for an internal audit staff member.

Reviewer: [NAME AND ROLE]
Reviewed staff member: [NAME AND LEVEL — e.g., Senior Auditor, Audit Manager]
Engagement reviewed: [TITLE]
Assessment areas:
  Technical audit skills: [SPECIFIC OBSERVATIONS — e.g., "Sample selection methodology was appropriate and well-documented; the IT control testing workpaper required two revision cycles due to incomplete evidence cross-referencing"]
  Finding documentation quality: [SPECIFIC — e.g., "Finding narratives demonstrate strong understanding of the four-element structure; effect statements could be strengthened with quantification in future engagements"]
  Communication with auditees: [SPECIFIC — e.g., "Professionally managed a challenging meeting with the Controller; maintained objectivity under pressure"]
  Time management: [SPECIFIC — e.g., "Completed fieldwork within 10% of planned hours; escalated a scope expansion issue early, allowing replanning without missing the report deadline"]
Strengths: [2-3 SPECIFIC STRENGTHS — with evidence from the engagement]
Development areas: [1-2 SPECIFIC, CONSTRUCTIVE — with suggested next step]
Recommended professional development: [SPECIFIC — course, CIA study, mentoring topic]

Under 300 words. Specific and evidence-based.

Prompt 25 — Internal Audit Charter Review Checklist Narrative

Write a narrative supporting an annual internal audit charter review.

CAE: [NAME]
Charter review date: [DATE]
Charter last updated: [DATE]
IIA Standards requirement: [Standards 1000, 1010 — charter establishes purpose, authority, and responsibility]
Review elements:
  Purpose, authority, and responsibility: [CURRENT LANGUAGE APPROPRIATE / REVISION NEEDED — describe]
  Organizational independence: [REPORTING LINE CONFIRMED: CAE REPORTS TO [AUDIT COMMITTEE / CEO / OTHER]]
  Direct access to audit committee: [CONFIRMED / NEEDS CLARIFICATION]
  Scope of work: [REFLECTS CURRENT ORGANIZATIONAL RISK PROFILE / NEEDS UPDATE — describe]
  Nature of assurance and consulting services: [APPROPRIATE / NEEDS UPDATE]
  Endorsement by senior management and audit committee: [LAST REVIEWED AND ENDORSED DATE / PENDING]
Recommended revisions: [SPECIFIC LANGUAGE CHANGES — or "no revisions required at this time"]
Next scheduled review: [DATE — IIA recommends annual review]

Charter review narrative. Under 350 words.

Supplemental Prompts


Prompt 26 — Process Walkthrough Summary

Write a process walkthrough summary note for an internal audit engagement.

Process: [NAME — e.g., "Vendor Onboarding and Approval"]
Walkthrough conducted with: [NAME(S) AND TITLE(S)]
Date: [DATE]
Walkthrough method: [OBSERVE / INTERVIEW / DOCUMENT REVIEW / TRACE TRANSACTION END-TO-END]
Process steps documented:
  Step 1: [SPECIFIC — who does what, what system is used, what documentation is created, what approval is required]
  Step 2: [REPEAT]
  Step 3: [REPEAT]
  [Add as needed]
Key controls identified during walkthrough:
  Control 1: [SPECIFIC — where in the process, who performs it, how frequently, how evidenced]
  Control 2: [REPEAT]
Potential control gaps noted for follow-up testing: [PRELIMINARY OBSERVATIONS — specific]
Supporting documentation obtained: [LIST — e.g., process flowchart, policy document, sample transaction]

Under 400 words. Walkthrough notes are working paper documents — specificity matters.

Prompt 27 — Audit Finding Rebuttal Response (When Management Disagrees)

Write an auditor response to management's objection to an audit finding.

Original finding: [TITLE AND KEY CONDITION/CRITERIA/EFFECT]
Management's objection: [SPECIFIC — what management is disputing and their basis — e.g., "Management asserts that the finding condition is not accurate because the control was in place but not documented in the period tested"]
Audit team's response:
  Acknowledge the objection: [RESPECTFUL — state that management's perspective has been considered]
  Reaffirm or modify the finding:
    If reaffirming: [SPECIFIC BASIS — additional evidence, IIA Standards requirement, relevance of documentation gap even if control operated]
    If modifying: [WHAT IS BEING CHANGED AND WHY — e.g., "Audit agrees that the lack of documented evidence, rather than lack of the control itself, is the more precise finding. The condition has been revised to reflect this."]
  Resolution path: [HOW THE DISAGREEMENT WILL BE DOCUMENTED — both management's position and the audit team's position will be reflected in the report, per IIA Standard 2410]

Under 300 words. Maintain professional tone. Some management disagreements are legitimate — the audit team should be open to revisions when the evidence supports it.

Prompt 28 — Benchmarking Summary for Audit Committee

Write a benchmarking summary comparing the internal audit function to industry peers.

CAE: [NAME]
Benchmark source: [IIA GLOBAL PULSE / PROTIVITI SURVEY / KPMG AUDIT COMMITTEE SURVEY — cite the specific survey and year]
Organization size and industry: [DESCRIBE — for context]
Key benchmarks:
  Audit staff per $1B revenue: [OUR RATIO vs. MEDIAN PEER]
  % of time on assurance vs. consulting vs. admin: [OUR % vs. PEER %]
  Audit committee engagement (meetings per year): [OUR FREQUENCY vs. PEER]
  Technology usage (data analytics, GRC tools, AI): [OUR MATURITY vs. PEER]
  EQA compliance (external quality assessment frequency): [OUR STATUS vs. PEER]
Gaps and recommendations: [WHERE THE DEPARTMENT IS BELOW PEER AND WHAT IT WOULD TAKE TO CLOSE THE GAP]
Strengths relative to peers: [WHERE THE DEPARTMENT EXCEEDS PEER BENCHMARKS]

Benchmarking summary for audit committee. Under 350 words.

Prompt 29 — Audit Opinion on Adequacy of Internal Controls

Write an overall audit opinion on the adequacy of internal controls for a business process.

Process audited: [SPECIFIC PROCESS]
Audit period: [DATE RANGE]
Overall opinion: [SATISFACTORY / NEEDS IMPROVEMENT / UNSATISFACTORY — per your organization's definitions]
Basis for opinion:
  Number of findings: [TOTAL — and breakdown by HIGH/MEDIUM/LOW]
  Most significant finding: [TITLE AND 1-SENTENCE DESCRIPTION OF WHY IT MATTERS]
  Control areas with adequate coverage: [LIST — processes or control types that are operating effectively]
  Control areas requiring attention: [LIST — and why]
Positive factors: [WHAT IS WORKING WELL — management responsiveness, control improvements since prior audit, effective compensating controls]
Limiting factors: [ANY SCOPE LIMITATIONS, OUTSTANDING INFORMATION REQUESTS, OR SUBSEQUENT EVENTS]
Next audit: [WHEN THIS PROCESS WILL BE AUDITED AGAIN — or "recommendation for follow-up in [X] months based on risk rating"]

Opinion statement format. Under 400 words.

Prompt 30 — Internal Audit Annual Plan Narrative

Write an internal audit annual plan narrative for audit committee approval.

CAE: [NAME]
Plan period: [YEAR]
Methodology: [RISK-BASED PLANNING — describe how the plan was developed: risk assessment, stakeholder input, prior findings, regulatory requirements, emerging risks]
Total planned engagements: [NUMBER]
Audit universe coverage: [% OF AUDIT UNIVERSE COVERED — and basis for deferring uncovered areas]
Plan by category:
  Financial/operational audits: [NUMBER — specific engagement titles]
  IT/cybersecurity audits: [NUMBER — specific engagement titles]
  Compliance audits: [NUMBER — specific engagement titles]
  Investigative/consulting projects: [ALLOCATED HOURS]
  Unplanned/management requests (reserve): [HOURS/% OF TOTAL]
Resource plan: [TOTAL STAFF HOURS AVAILABLE / TOTAL HOURS PLANNED / SURPLUS OR DEFICIT — co-sourcing planned if deficit]
Emerging risks incorporated: [SPECIFIC — e.g., "AI governance controls assessment added in Q3 following SEC guidance on AI disclosure; third-party risk program audit added following a significant vendor failure at a peer organization"]
Assumptions: [KEY ASSUMPTIONS THE PLAN DEPENDS ON — e.g., "No significant unplanned investigations; access to planned systems granted within engagement start timing"]

Annual plan narrative. Under 500 words.

Start With These Three

  • Prompt 1 — Four-element finding narrative. The most important document an internal auditor writes. Use this template on your next finding draft and specifically verify that your effect statement quantifies the risk — that's the element most often written vaguely, and it's the element audit committees actually read.
  • Prompt 13 — Audit committee executive summary. Board members don't read technical working papers. They read the executive summary. This template strips jargon from findings and presents conclusions at the appropriate level — use it for your next audit committee presentation.
  • Prompt 20 — Corrective action plan tracking note. Open findings age poorly. This template keeps follow-up documentation consistent and ensures that "completed" findings have verified evidence, not just management assertions.

Get the Complete Internal Auditor AI Toolkit

These 35 prompts cover the core internal audit documentation workflows. The complete Internal Auditor AI Toolkit includes 80+ prompts covering advanced SOX 404 working papers, IT general controls documentation, fraud investigation libraries, audit committee presentation templates, and CIA exam preparation resources.

👉 Get the Internal Auditor AI Toolkit — Use LAUNCH30 for 30% off — limited uses remaining.


Works with Claude, ChatGPT, and DeepSeek. Copy-paste ready. No AI expertise required.
