Tips for Writing Better Audit Reports
By Lisa R. Young, CISA, CISM
Effectively communicating audit results requires clear and unambiguous language, evidentiary-based support, and knowledge of the audience that will receive the report. An audit report is designed to provide information, persuade the readers to take action, and convince management to change or improve something. How we say things makes a difference. A well-written audit report is a call to action, whereas a poorly written report can result in erroneous action or no action at all.
The ISACA Information Technology Assurance Framework™ (ITAF™) standards have recently undergone revision. The associated guidelines are also pending revision and will be released in 2014. ITAF, 2nd Edition provides explicit guidance on reporting audit results in standard 1401, Reporting. Standard statement 1401.1 states that IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
- Identification of the enterprise, the intended recipients, and any restrictions on content and circulation
- The scope, engagement objectives, period of coverage, and the nature, timing and extent of the work performed
- The findings, conclusions and recommendations
- Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
- Signature, date and distribution according to the terms of the audit charter or engagement letter
In addition to the 1401 standard, there is an associated guideline, 2401 (G20), which expands a bit further on the standard and provides additional considerations for audit result reports. A good audit report tells the reader the severity of the issue(s) and provides an appropriate recommendation for correction of the issue(s).
The following are additional considerations for writing a concise, clear and complete report that achieves its purpose:
- Do not focus only on the bad. An audit is not an attempt to document only the nonconformities or control weaknesses. A thorough audit report should also mention the things that are working and any good points observed, e.g., “The records show evidence that operators have had training on the ABC software that is facilitating control of new projects.”
- Be specific on nonconformities. If there is a standard that defines the specification, be sure to cite it. It is better to say that you “have tested 10 transactions and none were successful” than to report that “all transactions tested were unsuccessful.”
- Offer solid, specific recommendations. The audit report should offer solid recommendations for specific actions that need to be taken. Do not say, “Management should consider reviewing administrator-level accounts on a periodic basis.” Instead, say, “All administrator-level user accounts should be reviewed on a periodic basis.”
- Avoid unnecessary technical language. The following simply stated example provides sufficient information. “Based on our review, we conclude that operations were generally satisfactory. However, we noted areas where efficiency could be improved. Issues that led to this conclusion include: insufficient controls to ensure that all costs were accounted for and properly billed and timely deposit of funds received.” Compare that to the unnecessarily technical language in the following statement. “During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of several nonmaterial items such as insufficient controls to ensure that all costs were accounted for and properly billed; and timely deposit of funds received and concluded that the result of the combined cumulative effect does not constitute a material weakness.”
- Document interviewees and their scope of responsibility within the audit. Even if the report is written with nonattribution, it is important that you have evidence that the person or persons who supplied information are the correct, responsible and accountable parties.
It takes a lot of practice to write clear, concise and actionable audit reports. The audit report is the most important product of any audit assignment and must convey the results in order to provide the organization with a basis for action to change or improve its processes. Keeping these standards, guidelines and considerations in mind will go a long way toward improving the effectiveness of the reports.
Editor’s Note: ISACA’s Professional Standards and Career Management Committee is working on a project to provide more guidance for reporting on audit issues. This guidance is scheduled to be issued in April 2014.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.
Learn More With Your ISACA Membership
As a member of ISACA, you have access to the latest research in your field. In 2013 alone, ISACA produced almost 20 white papers and deliverables on topics that include cybersecurity, advanced persistent threats, COBIT 5, vendor management and cloud governance. Almost all of these publications are free to members and are available for download on the Information Technology and Information Systems Research page of the ISACA web site.
After reviewing the white papers, venture into the Knowledge Center. In the Knowledge Center, you can review a variety of documents by topic, post a question, respond to a query and connect with other like-minded professionals. If you are struggling with the presentation you have to give next week or what to do about cloud computing, connecting with other members in the Knowledge Center can provide helpful insights.
Whether you are new to the field or have years of experience, your ISACA membership meets your professional development needs. ISACA strives to diversify its benefits, which include the ISACA Journal, informational webinars, lively virtual conferences and COBIT.
We are always working to serve you better. If there is something you would like to see in your benefits package, email your idea to firstname.lastname@example.org.
ISACA Certifications Required for Australia’s IRAP
The Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications are listed among the certifications and prerequisites that make one eligible for the Information Security Registered Assessors Program (IRAP) training and exams. Applicants must also have relevant secondary and tertiary education, baseline security clearance and at least 5 years of experience in information and communications technology (ICT). Additionally, applicants must provide 2 references to attest to their relevant experience.
IRAP is an initiative by the Australian government to endorse information security specialists who can then provide cybersecurity services to the government. Endorsed IRAP Assessors will evaluate current ICT, provide security suggestions and indicate any security risk.
To learn more about ISACA’s certifications, visit the Certification page of the ISACA web site.
Book Review: Hiles on Business Continuity, 3rd Edition
Reviewed by Ibe Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS
Hiles on Business Continuity, 3rd Edition, by Andrew Hiles, is an exposition of the best practices in the broad scope of business continuity (BC) management, crossing the boundaries of IT focus. This guide equips the reader with the ability to develop business continuity plans and related management systems.
In this 3rd edition, the author disaggregates the various themes by which the BC landscape has been defined. The book stretches the concept of BC to include security management; enterprise risk management; and operational, incident and emergency management. This book is not focused strictly on the IT viewpoint, but on the entirety of the BC universe from a business perspective, while being inclusive of IT. It delves deep into the compliance aspect of BC with a thorough review of the latest BC standards, including the pros and cons of each. In this book, IT practitioners—both new and experienced—will find a wealth of advanced concepts and tools on BC that may create a paradigm shift in their views of BC from a core IT standpoint.
The plethora of diagrams, tables, exercises, exam questions, road maps and illustrations throughout the book, in addition to the large font size, make this highly informative book aesthetically appealing too. This edition also includes online access to extensive licensed materials, including sample project plans, editable business continuity planning (BCP) templates, formats, forms and appendices, and emergency management policies and procedures.
Hiles on Business Continuity is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Ibe Kalu Etea, CISA, CRISC, ACA, CFE, CRMA, ISO 9001:2008 QMS, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. He also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).
ISACA Certifications and Membership Offer Personal and Professional Benefits
Urmilla Persad, CISA, CISM, CRISC, MCSE, CEH, IT Audit Manager at First Citizens Trinidad & Tobago and Certification Coordinator of the Trinidad & Tobago Chapter, Shares the Benefits of Involvement With ISACA
Urmilla Persad began pursuing her Certified Information Security Manager (CISM) certification to advance her career, and as a result of the certification and her involvement with ISACA, she has experienced both personal and professional growth. “I needed something to boost my knowledge and help me better understand the needs and requirements of my clients while at the same time improving my career options,” explained Persad.
“The knowledge gained from studying for and maintaining the CISM has enabled me to provide better value…on information security engagements and projects,” Persad continued. In addition to helping her with her day-to-day tasks, the CISM certification has also improved the way Persad communicates with management. “Because CISM focuses on the value of information to organizations and the required level of governance that must be in place to optimize the value of the IT investments, CISM has helped me have the right conversations with executives and senior management.”
Her CISM certification and involvement with ISACA have also provided Persad an opportunity to give back. “My involvement with my local ISACA chapter has really provided me an opportunity to give back in a meaningful way.” As a certification coordinator in the Trinidad & Tobago Chapter, Persad finds advising those considering certification incredibly rewarding. “The fact that I hold an ISACA certification means that I can really give meaningful feedback/advice to those who are interested in the field but are not sure which certification to choose or how to go about pursuing their career choice.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.