Do We Agree on What an “Audit” Is? Toward Standardized Smart Contract Audit Reporting
Smart contract security audits are essential for trust in decentralized finance (DeFi), yet audit reports from different firms vary widely in scope definition, severity labels, fix verification, and report structure. These differences make it hard for developers, users, and other stakeholders to assess risk. In this paper, we address these issues by empirically analyzing 160 audit reports from 26 leading auditing firms to uncover patterns and gaps in current practices. Using qualitative content analysis, we extract a taxonomy of 19 common properties that audit reports include (or omit). We then apply Formal Concept Analysis (FCA) to identify five distinct "report style families" used by auditors, and perform a temporal trend analysis to see if the industry is converging on certain best practices. Finally, we synthesize a feature model that specifies a minimal defensible baseline for audit reports, distinguishing mandatory sections from optional extensions to support traceability and consistent interpretation across reports. This model enables reproducible comparisons across auditors, strengthens accountability for scope definition and fix verification, and provides an evidence base to improve the quality and uniformity of smart contract audit reporting.
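To make the FCA step concrete, the following is an added illustration (not code from the paper or its authors) of how a formal context of reports versus report properties yields formal concepts, each of which groups the reports that share a closed set of properties, which is the kind of structure the abstract calls a "report style family". The five report names and five property names are constructed for this toy example and are not the paper's 19-property taxonomy; the enumeration closes every attribute subset, which is adequate for a taxonomy of a few dozen properties but is not the NextClosure algorithm typically used in practice.

```python
"""Added example: Formal Concept Analysis over a constructed context of
audit reports x report properties (hypothetical data, not the paper's)."""
from itertools import combinations

# Constructed formal context: report -> set of properties the report includes.
# Report names and property names are assumptions chosen for illustration,
# loosely following the property kinds named in the abstract.
CONTEXT = {
    "report_A": {"scope_defined", "severity_labels", "fix_verification", "toc"},
    "report_B": {"scope_defined", "severity_labels", "fix_verification"},
    "report_C": {"scope_defined", "severity_labels"},
    "report_D": {"severity_labels", "toc"},
    "report_E": {"scope_defined", "severity_labels", "fix_verification",
                 "toc", "methodology"},
}


def intent(reports, context=CONTEXT):
    """Derivation on objects: properties shared by every given report.
    The empty report set derives to the full attribute set, by convention."""
    reports = list(reports)
    if not reports:
        return frozenset().union(*context.values())
    return frozenset(set.intersection(*(set(context[r]) for r in reports)))


def extent(props, context=CONTEXT):
    """Derivation on attributes: reports that include all given properties."""
    props = set(props)
    return frozenset(r for r, have in context.items() if props <= have)


def concepts(context=CONTEXT):
    """Enumerate all formal concepts (extent, intent) of the context.

    Every attribute subset is derived to its extent and closed back to an
    intent; distinct closed pairs are the concepts. Exponential in the number
    of attributes, so fine for a small taxonomy but naive compared to
    NextClosure. Concepts are returned largest extent first."""
    attrs = sorted(set().union(*context.values()))
    found = {}
    for k in range(len(attrs) + 1):
        for subset in combinations(attrs, k):
            ext = extent(subset, context)
            found[ext] = intent(ext, context)  # closure of the subset
    return sorted(found.items(), key=lambda c: (-len(c[0]), sorted(c[0])))


def style_families(context=CONTEXT, min_reports=2):
    """Concepts whose extent covers at least `min_reports` reports: each one
    is a candidate 'style family', i.e. a group of reports that all share
    the same closed set of properties. Singletons are dropped because a
    single report is not a family."""
    return [(ext, props) for ext, props in concepts(context)
            if len(ext) >= min_reports]


if __name__ == "__main__":
    for ext, props in style_families():
        print(sorted(ext), "share", sorted(props))
```

Reading the output, the concept lattice shows nested families: every constructed report carries severity labels, a subset also defines scope, a further subset also verifies fixes, and so on. On the paper's real context the same computation separates reports by which of the 19 properties they include or omit.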