Figure 2.3 Report Structure
Observations - The IS auditor should use this column to indicate what he has observed
relating to a particular activity. The statement should be made as an observation because the
auditor is basing the statement on available information at the time of the audit. The
observation should be detailed enough and, where necessary, supported by evidence collected
during the audit. If the supporting evidence documentation is large, the IS auditor might
consider including the evidence in the appendix.
Risk - Allows the IS auditor to indicate the risk that the observation poses to the enterprise.
The IS auditor may include one or more identified risks.
Impact Rating - The impact rating can be high, moderate, or low. A higher impact rating may
indicate that immediate action should be taken, with an appropriate level of mitigation.
It is advisable to include the impact rating so that the client is aware of the level of impact
of a particular observation.
Recommendations - The IS auditor should make clear recommendations so that the client is
able to implement them. Clients will often ask how the implementation should be carried out
if the IS auditor's recommendations are not clear to them.
Benefits - Benefits indicate what rewards would be derived from implementing the
recommendations. It is important to include benefits in the report, as this motivates the
client to appreciate the importance of your recommendations.
Management Response - This is the response management gives to the IS auditor's
observations. Management might agree or disagree with the observations and recommendations
made by the IS auditor.
Responsibility - This indicates who is responsible for implementing the recommendations
made by the auditors. This could be the system owner, the IT director, finance director, or
functional head.
Target Dates - It is always important to agree with the client on the dates for resolution of
the issues raised in the report. This will allow the auditor to follow up on or after the
indicated dates.
At the end of the audit, the IS auditor would have collected a number of documents and
also generated new documents. Listed below in figure 2.4 are the various documents and
pieces of information the IS auditor would have collected during the audit.