Findings and Reporting
After the audit has been performed and testing of evidence has been completed, the next
stage is to produce a report to the client. The 1401.1 information systems audit standard
requires the IS auditor to communicate the results of the audit upon completion of
the engagement. The standard also specifies the recommended content of the audit report
(ISACA 2013), which includes the following:
a) identification of the enterprise or organisation being audited
b) the intended recipients and any restrictions on content and circulation should be
clearly communicated
c) the scope, engagement objectives, period of coverage, and the nature, timing, and
extent of the work performed
d) the findings, conclusions, and recommendations should be clearly written
e) any qualifications or limitations in the scope that the IS audit and assurance
professional has with respect to the engagement
f) signature, date, and distribution according to the terms of the audit charter or
engagement letter.
The 1204 information systems audit standard goes further by stating that the findings in
the report are supposed to be supported by sufficient and relevant evidence. This has been
discussed in detail in the earlier sections of this chapter.
The structure of the report may vary from one enterprise to another, but the basic
information contained in the reports should be the same. The language in the report
should not be very technical if some or all of the recipients are not technical people.
Where all recipients are technical, it is fine to use high-level technical language as
long as it does not obscure the main objectives of the report. The purpose of a report is
to communicate findings, recommendations, and conclusions, not to showcase technical language.
For the report to be an effective tool of communication, it should carry clearly written
observations or findings in line with the audit objectives, ending with recommendations and
conclusions.
Distribution of the report is also important. Only authorised recipients should have access
to the report. Many times unauthorised people have received IS audit reports, causing
problems for the IS auditors and sometimes the client.
It is always important to include an executive summary in the report for use by the board
or senior management, who might not have the time to read the entire report. Sometimes