Presenting Findings to Management and Audit Committees
Forensic auditors must communicate sensitive findings to boards, audit committees, and senior management before a formal report is finalised. This topic covers oral briefing techniques, privileged communications, legal counsel involvement, and the auditor's obligations when findings implicate those at the top of the organisation.
Presenting findings to management and audit committees is the process by which a forensic auditor communicates sensitive investigation results to the organisation's governing bodies before the formal written report is finalised. This communication bridges the gap between the investigative phase, where evidence is still being gathered and analysed, and the remediation phase, where the organisation acts on what has been found. The process requires the auditor to balance transparency about what the evidence shows against confidentiality obligations, legal privilege considerations, and the risk that premature disclosure could prejudice the investigation, alert suspects, or expose the organisation to regulatory sanction.
The audit committee is the auditor's primary reporting line in most corporate governance frameworks. In the US, the Sarbanes-Oxley Act of 2002 (SOX) requires that internal auditors report directly to the audit committee on significant findings. The UK Corporate Governance Code places similar obligations on boards. In India, the Companies Act 2013 mandates an audit committee for listed companies and certain other classes of company, and the committee must review findings from internal and external auditors. These statutory structures exist precisely because management cannot reliably investigate itself: a finding that implicates the CEO or CFO must reach the board through a channel that management cannot block or filter.
The forensic auditor's reporting obligation does not wait for the final written report. Interim oral briefings, sometimes called flash reports, allow the committee or board to take urgent action when the facts warrant it: suspending an employee, freezing accounts, notifying regulators, or securing evidence that might otherwise be destroyed. Managing these interim communications, deciding what to say, in what form, to whom, and in what order, is one of the most professionally demanding aspects of forensic audit practice.
By the end of this topic you will be able to:
- Explain the governance structure that determines who the forensic auditor reports to and why the audit committee sits above management in the reporting chain.
- Describe the key techniques for conducting an oral briefing that is clear, accurate, and appropriately confidential.
- Identify the circumstances in which legal privilege applies to forensic audit communications and the risks that can cause privilege to be lost.
- Explain the division of roles between forensic auditor and legal counsel in managing information flow to the board and regulators.
- Describe the auditor's obligations and practical steps when findings implicate a member of senior management.
- Audit committee
- A sub-committee of the board of directors composed principally of independent non-executive directors, responsible for overseeing financial reporting, internal controls, and the internal and external audit functions. The forensic auditor's primary reporting line in most corporate governance frameworks.
- Attorney-client privilege (legal professional privilege)
- A legal protection that prevents compelled disclosure of confidential communications between a lawyer and their client. In forensic audit engagements structured as legal matters, the audit work product may attract privilege. The scope and conditions vary by jurisdiction.
- Work-product doctrine
- A US doctrine (and its equivalents in other common-law systems) protecting materials prepared by or for counsel in anticipation of litigation from compelled disclosure to an opposing party. Forensic audit reports commissioned in anticipation of litigation may qualify.
- Flash report (preliminary oral briefing)
- An interim communication to the audit committee or board during an active investigation, before the formal written report is ready. Used when the findings require immediate action. Should be followed by a written summary to create a contemporaneous record.
- Management override
- The circumvention of established internal controls by members of senior management. A key fraud risk in any organisation because those who set the controls can also bypass them. Findings of management override must be escalated to the audit committee, bypassing the implicated individuals.
- Whistleblower channel
- A mechanism for individuals to report suspected misconduct to the audit committee or board directly, bypassing management. Required under SOX in the US for listed companies. Equivalent obligations exist under the UK's Public Interest Disclosure Act 1998 and India's Whistle Blowers Protection Act 2014.
Governance structure and reporting lines
The reporting structure for a forensic audit engagement is not the same as for an ordinary operational audit. In a routine internal audit, findings flow to management, which decides what remedial action to take. In a forensic engagement, particularly one triggered by suspicion of fraud or misconduct, that structure can be compromised if the people the auditor would normally report to are themselves under investigation.
Most corporate governance codes resolve this by giving the audit committee direct oversight of forensic investigations. The committee, composed of independent non-executive directors, sits outside the management hierarchy and can receive findings that management cannot see. The forensic auditor should confirm the reporting line at the outset of the engagement and document it in the engagement letter. If the engagement is triggered by a referral from the audit committee itself, as is common in larger organisations, the reporting line is already established.
| Scenario | Who receives preliminary findings | Legal basis |
|---|---|---|
| Routine internal fraud | CFO and audit committee | Audit committee charter; SOX s.301 (US) |
| Findings implicate CFO | Audit committee only (bypass CFO) | SOX s.301; UK CGC Principle M; Companies Act 2013 s.177 (India) |
| Findings implicate CEO | Full board minus CEO; audit committee | Board duty of care; SRA Code (UK); SEBI LODR (India) |
| Findings involve external parties only | Management and audit committee jointly | Standard engagement terms |
In practice, the audit committee chair is usually the first point of contact for urgent oral briefings. The chair decides whether to convene the full committee, bring in additional independent directors, or involve the full board. This decision is theirs, not the auditor's. The auditor's role is to provide accurate, timely information and to flag clearly when the matter is urgent enough to require an immediate meeting rather than the next scheduled session.
Oral briefing techniques
An oral briefing to an audit committee is not an informal conversation. It is a professional communication with legal and practical consequences. The auditor should prepare as carefully as for a written report: organise the findings in a logical sequence, distinguish clearly between what the evidence shows and what it does not yet show, and avoid drawing conclusions that go beyond the evidence at hand.
The standard structure for a forensic briefing is: scope and mandate (what the auditor was asked to do), methodology (how the work was carried out and what its limitations are), findings (what the evidence shows, presented factually and without editorial characterisation), and next steps (what further investigation is needed or what immediate actions are recommended). This structure prevents the common problem of briefings that lead with conclusions without providing the evidentiary basis, which leaves committee members unable to evaluate the quality of the finding.
Confidentiality of the briefing itself must be addressed explicitly. The auditor should ask the committee to confirm who else will receive the information discussed and in what form. In some jurisdictions, committee members have disclosure obligations to regulators that may arise as soon as they receive certain findings. Counsel should advise on these obligations before the briefing begins. The auditor should also document that the briefing occurred, who attended, what was covered, and any decisions made, even if that documentation is itself privileged.
Legal privilege and protected communications
Whether a forensic audit report or the communications surrounding it attract legal professional privilege depends on the engagement structure and the jurisdiction. Privilege does not attach automatically to audit work. In the US, the Upjohn Co. v. United States (1981) Supreme Court decision established that privilege can protect internal investigations conducted by corporate counsel, including investigation work commissioned by counsel. A forensic audit report prepared at the direction of legal counsel, in anticipation of litigation, may attract both attorney-client privilege and work-product protection under Federal Rule of Civil Procedure 26(b)(3).
In England and Wales, the dominant-purpose test determines whether a document is privileged: the document must have been prepared for the dominant purpose of obtaining legal advice or conducting or anticipating litigation. A forensic audit report prepared primarily for management information purposes, which later becomes useful in litigation, will generally not be privileged. The structure of the engagement, specifically who commissioned the work and for what stated purpose, matters enormously. In India, Section 126 of the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872) protects professional communications between advocates and their clients, but the scope of privilege in corporate investigations is narrower and less developed than in common-law jurisdictions.
The practical consequence is that the auditor and counsel should agree on the privilege architecture before the engagement begins, not after the first findings are ready. This means deciding: will the engagement be structured as a legal matter (counsel commissions the work, privilege may apply) or a management matter (management commissions the work, privilege generally will not apply)? The answer depends on whether litigation or regulatory proceedings are anticipated. Many large-scale fraud investigations begin as management matters and convert to legal matters mid-engagement when litigation becomes foreseeable, which creates complications that are easier to avoid than to fix.
The role of legal counsel in managing information flow
Legal counsel serves a distinct function in a forensic engagement from the forensic auditor. The auditor finds facts. Counsel advises on the legal implications of those facts, manages disclosure obligations, and controls information flow to protect the organisation's legal position. In well-run investigations these two roles reinforce each other. Confusion between them is a common source of engagement problems.
Counsel typically decides: who may see preliminary findings and in what form; whether and when to make voluntary disclosure to regulators; how to respond to regulatory requests for investigation documents; and what the organisation's public statement, if any, will say about the investigation. The forensic auditor informs these decisions by providing accurate, well-documented findings, but does not make them. When counsel asks the auditor to delay delivery of findings pending a legal review of disclosure implications, that is a legitimate instruction. When counsel asks the auditor to omit or soften findings to reduce the organisation's legal exposure, that crosses into suppression of evidence and the auditor must refuse.
In regulated industries such as banking and insurance, the regulator may have a direct relationship with the forensic auditor separate from the organisation's own counsel. The UK Financial Conduct Authority and the US Securities and Exchange Commission both have powers to appoint skilled-person reviewers or require independent forensic examinations, where the auditor's primary obligation runs to the regulator rather than to the organisation. The auditor should identify at the outset whether any such regulatory overlay applies to the engagement. See Legal Framework for Forensic Audits for a fuller treatment of regulatory structures.
When findings implicate senior management
The most professionally sensitive reporting situation arises when the forensic investigation produces findings that implicate a member of senior management, including the CEO, CFO, or board members themselves. This is not rare: the Association of Certified Fraud Examiners (ACFE) Report to the Nations consistently shows that management and owner-operators commit frauds that are larger in value than employee-level frauds and take longer to detect, precisely because they have the authority to override controls and suppress internal reporting.
The auditor's response to this situation is procedural, not discretionary. Findings that implicate a member of management must be reported to the audit committee directly, bypassing the implicated individual entirely. The auditor should not brief management before the committee in such cases, should not send interim reports to the CFO if the CFO is implicated, and should not seek management's response to preliminary findings before the committee has been informed. The committee, not the auditor, decides the next steps: whether to commission independent legal counsel, whether to suspend the individual, whether to notify regulators, and whether to engage law enforcement.
In some cases, findings implicate members of the audit committee itself or the full board. This is the most difficult escalation scenario. Options include retaining an independent counsel who reports to a special committee of unconflicted directors, appointing a special litigation committee under the company's constitutional documents, or, in extreme cases, engaging the relevant market regulator directly. The auditor should take legal advice before proceeding in any of these scenarios, as the obligations and risks differ significantly by jurisdiction and by the company's constitutional structure.
Structuring the formal findings report
The formal written report to the audit committee or board consolidates the findings from the investigation into a document that will serve multiple downstream purposes: informing the board's governance decisions, providing a basis for regulatory disclosure, supporting disciplinary or legal proceedings, and creating a record that can be reviewed years later. Its structure should reflect all of these uses.
A well-structured forensic report contains: an executive summary that states the mandate, the scope, the key findings, and the recommended actions in a page or two; a methodology section that explains how evidence was gathered and what its limitations are; a findings section organised by issue rather than by chronology; a section on internal control weaknesses identified during the investigation; and appendices containing the underlying evidence documents, transaction analyses, and interview summaries. The findings section should distinguish between findings that are supported by direct evidence, findings that are supported by circumstantial evidence, and matters that require further investigation.
The report should state what it does not cover as clearly as what it does. A forensic audit is necessarily scope-limited, and a committee that relies on the report as a complete picture of the organisation's exposure, when it is actually a targeted investigation of a specific allegation, may fail to commission additional work that is needed. The auditor bears responsibility for communicating the scope boundaries clearly, not for filling every gap that the scope does not address. See Predication and Engagement Planning for how scope decisions are made at the outset of an engagement.
A forensic auditor discovers evidence that the CFO has been approving payments to a company she owns. Who should receive the initial oral briefing?
Key Takeaways
- The audit committee is the forensic auditor's primary reporting line because it sits outside the management hierarchy and can receive findings that implicate management without those individuals being able to filter or block the communication.
- Oral flash reports allow the committee to take immediate protective action during an active investigation; every oral briefing should be followed promptly by a written summary to create a contemporaneous record.
- Legal professional privilege may protect forensic audit communications if the engagement is structured as a legal matter commissioned by counsel in anticipation of litigation; privilege is easily lost through careless distribution and cannot be reasserted once waived.
- The forensic auditor's role is to find and report facts; making legal conclusions such as labelling conduct as fraud or embezzlement is counsel's function and auditors must maintain that boundary in briefings and reports.
- When findings implicate senior management, the auditor must bypass normal management reporting channels and go directly to the audit committee, documenting the reason for the bypass and every step of the escalation.