IT Audit Course: How to make a report of IS Auditing

March 3, 2008

BASIC AUDIT REPORT

The contents of most audit reports follow a similar pattern and include:

  • Background, scope, and objectives
  • Summary of major findings
  • Audit opinion
  • Detailed findings and recommendations
  • Acknowledgments of satisfactory performance
  • Detailed technical appendices

A cover is almost always desirable because it sets a professional tone from the start. It should include the report title, name and location of auditee, and the date of audit coverage.

A formalities section normally constitutes an introduction and is typically one to three pages in length. It includes the date of the report, the addressee (get this right; a misaddressed report goes to the wrong level of authority), and the background, scope, and objectives of the audit. A brief audit opinion and the general nature of the findings, together with the expectations for a reply and a signature, are required. The names of participating auditors, the distribution list, and a table of contents for the body of the report are also a normal part of the formalities section.

EXECUTIVE SUMMARY

Most audit reports include an executive summary covering the most important issues and findings from an overall business point of view. The executive summary provides a preliminary perspective to the whole report and focuses on risks to the organization and the specific effect of control weaknesses. It may be all that is read and, in many cases where such summaries go to senior executives, it is all that should be read.

Two approaches are possible in the executive summary, depending on the nature of the executive audience. With a knowledgeable executive, a "condense and eliminate" approach may be used. This involves an abbreviated explanation of the major audit findings, in order of importance to the executive and cross-referenced to the body of the report. A "briefing" approach that informs, advises, and interprets may be more appropriate in a specialized audit where the executives may not be fully conversant with the implications of the findings.

DETAILED FINDINGS

Detailed findings usually constitute the body of the report. Strange as it sounds, a finding is not simply something that was found. An audit finding consists of four distinct parts:

  1. Condition. Records what was found by the auditor (i.e., what the evidence showed)
  2. Criteria. Indicates what should have happened in terms of control considerations
  3. Cause. Indicates whether the condition was caused by the absence of an internal control or the failure of one and, if so, which
  4. Effect. Indicates the impact on the business of the cause of the condition

Many auditors struggle to decide how much detail should be included in the body of the report. The detailed findings should include sufficient information for the reader to understand the nature of the finding, its relative importance, and what needs to be done about it. There can be no clear-cut rule on this because it depends on the knowledge level and experience of the audience being addressed. During the course of the audit, the auditor should assess how much detail will be required in the final report. To keep the final report readable, exhibits and attachments are usually placed in an appendix if including them in the body would make it overly lengthy or unreadable. All graphics, charts, photographs, and financial tabulations should be clearly labeled within the report, since they may be referenced from two or three places. Where appendices are used they should be cross-referenced to and from the report.

One of management's common requirements is the expression of an audit opinion. This normally takes the form of an opinion on the adequacy and effectiveness of the internal control structures. The auditor must bear in mind that an opinion on adequacy is a statement of whether the control structures achieve management's desired level of control; many auditors instead express an opinion on whether the control structures meet their own definition of adequacy, which is not the same thing. The audit opinion provides an overall perspective on the rest of the report and forces auditors to commit themselves, but it can cause a management overreaction in which important parts of the report are ignored because, by their nature, audit results are normally mixed.

Auditee responses to findings and recommendations are normally included in the final report. This helps to produce a balanced report and can lend it credibility. Where such comments are included, they must be reviewed with and agreed by the auditee. This does not mean, however, that the auditee must agree with all of the auditor's findings and recommendations. In some cases the two parties must agree to disagree, with both opinions expressed within the report so that a managerial decision can be made. If the manager decides to accept the risk expressed within the report and take no action, and if such a decision is within their area of authority, the auditor has done their job in drawing the risk to management's attention and no further audit effort is required in this area.

POLISHING THE REPORT

Because the audit report is a reflection on the professionalism and competence of the whole IS Audit function, the report must appear as professional as possible. Polishing the report involves a rigorous review prior to issue. This can be done by using a checklist to ensure the readability and understandability of the report or by using a peer group, which normally involves one auditor with no knowledge of the specific audit area so that assumptions may be challenged. Ultimately the report will be signed off by the in-charge auditor or a designated deputy. One of the major auditee complaints is that reports containing critical issues are issued late and that they are expected then to implement the recommendations with immediate effect. It is therefore critical that the auditor does not build in delays to report issuance.

Commonly the audit report will involve the coordination of several writers' efforts. In such cases it may be wise to read the report aloud and smooth out the changes in tone and style where one contributor's text gives way to another's.

DISTRIBUTING THE REPORT

Audit reports are normally distributed to a variety of managerial levels. The report should be directed at the first authority level able to take appropriate action. The full distribution list is normally known early in the audit process; however, auditee chains of command can cause internal political ramifications. Many IS Audit reports are sent to the recipients by e-mail. In general, the delivery method should take into account both the confidentiality of the reported information and the remoteness of the recipient. Couriering or hand delivery may be preferred but impractical for distant recipients. If e-mail is used, the report should be encrypted for its intended recipients and also signed or otherwise authenticated, so that both the confidentiality and the integrity of the delivered message are protected; encryption on its own does not guarantee that the contents have not been altered.

If the audit report contents are highly confidential, detective controls can be implemented to trace individual copies should a leak occur. The most obvious of these techniques is copy numbering, but because a number is easily removed from an excerpt, intentional misspellings or slight rewordings of critical passages, differing from copy to copy, may also be used so that a leaked passage can be matched back to the copy it came from.
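As an added illustration of the copy-tracing technique just described (example code written for this page, not something the original post or any audit tool provides), the following script gives each recipient a numbered copy of a finding in which a few equivalent wordings are chosen uniquely per copy, and then narrows a leaked excerpt back to the recipients whose copy it is consistent with. The finding text, the alternative wordings and the distribution list are all constructed for the example.

```python
"""Leak tracing by copy numbering plus per-copy wording variants.

Each distribution copy carries a visible copy number and a unique
combination of equivalent wordings at fixed points in the text. A leaked
excerpt, even with the number stripped and retyped, is matched against
those choices to identify (or at least narrow down) the source copy.
"""
import itertools
import re

# Constructed sample finding: {copy_no} is the visible copy number and
# {0}, {1}, {2} are the points where the wording varies between copies.
BASE_TEXT = (
    "Copy {copy_no}. Condition: {0} in the Finance data centre was {1} "
    "{2} at the time of the audit."
)

# Equivalent wordings for each slot; every copy takes exactly one per slot.
# The alternatives in a slot must not be substrings of one another, or the
# matching below becomes ambiguous.
SLOTS = [
    ("the backup server", "the back-up server"),
    ("found to be", "determined to be"),
    ("unpatched", "without vendor patches"),
]

# Hypothetical distribution list (constructed for this example).
RECIPIENTS = ["CFO", "CIO", "Audit Committee chair", "Head of IT Operations"]


def make_copies(base_text, slots, recipients):
    """Build one numbered copy per recipient with a unique wording combination.

    Returns {recipient: {"copy_no": int, "combo": tuple, "text": str}}.
    """
    combos = list(itertools.product(*(range(len(s)) for s in slots)))
    if len(recipients) > len(combos):
        raise ValueError("too few wording combinations for the distribution list")
    copies = {}
    for copy_no, (recipient, combo) in enumerate(zip(recipients, combos), start=1):
        words = [slots[i][choice] for i, choice in enumerate(combo)]
        copies[recipient] = {
            "copy_no": copy_no,
            "combo": combo,
            "text": base_text.format(*words, copy_no=copy_no),
        }
    return copies


def identify_leak(fragment, copies, slots):
    """Return the recipients whose copy is consistent with a leaked fragment.

    The fragment may be a short excerpt, so only the slots it actually
    contains are used: one candidate when the excerpt is fully identifying,
    several when it is too short to pin down a single copy.
    """
    observed = {}
    for i, options in enumerate(slots):
        hits = [k for k, wording in enumerate(options) if wording in fragment]
        if len(hits) == 1:  # exactly one of this slot's wordings is visible
            observed[i] = hits[0]
    number = re.search(r"Copy (\d+)\.", fragment)  # copy number, if it survived
    candidates = []
    for recipient, copy in copies.items():
        if number and copy["copy_no"] != int(number.group(1)):
            continue
        if all(copy["combo"][i] == choice for i, choice in observed.items()):
            candidates.append(recipient)
    return candidates


if __name__ == "__main__":
    copies = make_copies(BASE_TEXT, SLOTS, RECIPIENTS)
    for who, copy in copies.items():
        print(f"{who}: {copy['text']}")
    # A retyped excerpt with the copy number removed still traces the source.
    leaked = "the server was determined to be without vendor patches"
    print("leak traced to:", identify_leak(leaked, copies, SLOTS))
```

With three two-way slots there are eight distinct combinations, so a list longer than eight recipients needs more slots; the function refuses to issue duplicate copies rather than silently reusing a combination. Keep the slot table itself out of the distributed report and under the same access control as the distribution list, since anyone who knows the variants can strip them before leaking.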
