IS Audit and Assurance Guideline 2401 Reporting 

The guideline is presented in the following sections:

  1. Guideline purpose and linkage to standards
  2. Guideline content
  3. Linkage to standards and COBIT 5 processes
  4. Terminology
  5. Effective date

1. Guideline Purpose and Linkage to Standards


1.0 Introduction

This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’

1.1 Purpose

1.1.1 This guideline provides guidance for IS audit and assurance professionals on the different types of IS audit engagements and related reports.
1.1.2 The guideline details all aspects that should be included in an audit engagement report and provides IS audit and assurance professionals with considerations to make when drafting and finalising an audit engagement report.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards

1.2.1 Standard 1007 Assertions
1.2.2 Standard 1205 Evidence
1.2.3 Standard 1401 Reporting
1.2.4 Standard 1402 Follow-up Activities

1.3 Term Usage

1.3.1 Hereafter:
  • ‘IS audit and assurance function’ is referred to as ‘audit function’
  • ‘IS audit and assurance professionals’ are referred to as ‘professionals’

2. Guideline Content


2.0 Introduction

The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Types of engagements
2.2 Required contents of the audit engagement report
2.3 Subsequent events
2.4 Additional communication

2.1 Types of Engagements

2.1.1 Professionals may perform any of the following types of audit engagements:
  • Examination
  • Review
  • Agreed-upon procedures

    Note: These terms are defined in ITAF, 2nd Edition.
2.1.2 Both examination and review engagements involve:
  • Planning the engagement
  • Evaluating the design effectiveness of control procedures
  • Testing the operating effectiveness of the control procedures (the nature, timing and extent of testing differ between the two types of engagement)
  • Forming a conclusion about, and reporting on, the design and/or operating effectiveness of the control procedures based on the identified criteria:
    • An examination is a reasonable assurance engagement: the conclusion is expressed as a positive opinion and provides a high level of assurance.
    • A review is a limited assurance engagement: the conclusion is expressed in the negative form (nothing came to the professionals’ attention indicating that the control procedures were not effective) and provides only a moderate level of assurance.
2.1.3 An ‘agreed-upon procedures’ engagement does not result in the expression of any assurance by professionals. Professionals are engaged to carry out specific procedures to meet the information needs of those parties who have agreed to the procedures to be performed (e.g., executive management, the board or those charged with governance). Professionals issue a report of factual findings to those parties that have agreed to the procedures. The recipients form their own conclusions from this report because the nature, timing and extent of procedures do not enable the professional to express any assurance. The report is restricted to those parties that have agreed to the procedures to be performed because others are not aware of the reasons for the procedures and may misinterpret the result.
2.1.4 An agreed-upon procedures report could also be distributed to a third party (e.g., regulatory body) when predetermined and approved by the parties that have agreed on the procedures before the start of the actual work. Professionals should consider this, using their professional judgement, based on the risk of misinterpretation of the work to be performed.
2.1.5 Professionals who, before completion of an audit engagement, are requested to change the engagement from an examination or review engagement to an agreed-upon procedures engagement should consider the appropriateness of doing so and should not agree to a change for which there is no reasonable justification. For example, a change is not appropriate if its purpose is to avoid a qualified report.

2.2 Required Contents of the Audit Engagement Report

2.2.1 In developing an audit engagement report, all relevant evidence obtained should be considered, regardless of whether it appears to corroborate or contradict the subject matter information. Where there is an opinion, it should be supported by the results of the control procedures based on the identified criteria. Professionals should conclude whether sufficient and appropriate evidence has been obtained to support the conclusions in the audit engagement report. More detailed guidance can be found in Standard 1205 Evidence.
2.2.2 When concluding on an examination or review engagement, professionals should express an opinion about whether, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective. This opinion can be:
  • Unqualified—Professionals should express an unqualified opinion when they conclude that, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective, in accordance with the applicable criteria.
  • Qualified—Professionals should express a qualified opinion when they:
    • Having obtained sufficient and appropriate evidence, conclude that control weaknesses, individually or in the aggregate, are material but not pervasive to the IS audit objectives
    • Are unable to obtain sufficient and appropriate evidence on which to base the opinion, but conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be material but not pervasive
  • Adverse—Professionals should express an adverse opinion when, having obtained sufficient and appropriate evidence, they conclude that one or more significant deficiencies aggregate to a weakness that is both material and pervasive to the IS audit objectives.
  • Disclaimer—Professionals should disclaim an opinion when they are unable to obtain sufficient and appropriate evidence on which to base the opinion, and conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be both material and pervasive.
2.2.3 Professionals’ examination or review report about the effectiveness of control procedures should include the following elements:
  • An appropriate and distinctive title, clearly distinguishing the report from any other type of report not subject to auditing standards
  • Identification of the recipients to whom the report is directed, according to the terms in the audit charter or engagement letter
  • Identification of the responsible party, including a statement of the party responsible for the subject matter
  • Description of the scope of the audit engagement and the name of the entity or component of the entity to which the subject matter relates, including:
    • Identification or description of the area of activity
    • Criteria used as a basis for professionals’ conclusion
    • The point in time or period of time to which the work, evaluation or measure of the subject matter relates
  • A statement that the maintenance of an effective internal control structure, including control procedures for the area of activity, is the responsibility of management
  • A statement identifying the source of management’s representation about the effectiveness of control procedures
  • A statement that professionals have conducted the audit engagement to express an opinion on the effectiveness of control procedures
  • Identification of the purpose (i.e., IS audit objectives) for which professionals’ report has been prepared and of those entitled to rely on it, and a disclaimer of liability for its use for any other purpose or by any other person
  • Description of the criteria or disclosure of the source of the criteria. Furthermore, the professionals should consider disclosing:
    • Any significant interpretations made in applying the criteria
    • Measurement methods used when criteria allow for a choice between a number of measurement methods
    • Changes in the standard measurement methods used
  • Statement that the audit engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards. Any non-compliance with these standards should be explicitly mentioned in the report.
  • Further explanatory details about the variables that affect the assurance provided and other information as appropriate
  • Findings, conclusions and recommendations for corrective action, including management’s response. For each management response, professionals should obtain information on the proposed actions to implement or address the reported recommendations and the planned implementation or action date.
    • Responsible management may decide to accept the risk of not correcting a reported condition because of cost, complexity of the corrective action or other considerations. The board of directors (or those charged with governance) should be informed of recommendations for which management accepts the risk of not correcting the reported situation.
    • If professionals and the auditee disagree about a particular recommendation or audit comment, the engagement communications may state both positions and the reasons for the disagreement. The auditee’s written comments may be included as an appendix to the engagement report. Alternatively, the auditee’s views may be presented in the body of the report or in a cover letter. Executive management, or those charged with governance, should then make a decision as to which point of view they support.
  • A paragraph stating that because of the inherent limitations of any internal control, misstatements due to errors or fraud may occur and go undetected. In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the level of compliance with the policies or procedures may deteriorate. An audit engagement is not designed to detect all weaknesses in control procedures because it is not performed continuously throughout the period and the tests performed on the control procedures are on a sample basis.
  • A summary of the work performed, which will help the intended users of the report to better understand the nature of the assurance conveyed
  • An expression of opinion about whether, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective. When professionals’ opinion is qualified, a paragraph describing the reasons for qualification should be included.
  • Where appropriate, references to any other separate reports that should be considered, such as a separate report that communicates security vulnerabilities that are protected from disclosure and should be distributed to a restricted list of recipients
  • Date of issuance of the audit engagement report. In most instances, the date of the report is based upon the issue date. It is recommended to also mention the dates when the audit work was actually performed, if not yet mentioned with the summary of the work performed.
  • Names of individuals or entity responsible for the report, appropriate signatures and locations
2.2.4 The agreed-upon procedures report should be in the form of procedures and findings. The report should contain the following elements:
  • An appropriate and distinctive title, clearly distinguishing the report from any other type of report not subject to auditing standards
  • Identification of the recipients to whom the report is directed, according to the terms in the audit charter
  • Identification of the responsible party, including a statement of the party responsible for the subject matter
  • A statement that the audit engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards. Any non-compliance with these standards should be explicitly mentioned in the report.
  • Identification of the subject matter (or the written assertion related thereto) and the purpose (i.e., IS audit objectives) of the audit engagement
  • A statement that the procedures performed were those agreed to by the responsible parties identified in the report
  • A statement that the sufficiency of the procedures is solely the responsibility of the responsible parties and a disclaimer of responsibility for the sufficiency of those procedures
  • A list of the procedures performed (or reference thereto)
  • A description of the findings, including sufficient details of errors and exceptions found
  • A statement that professionals only performed the agreed-upon procedures and, as such, no assurance is expressed
  • A statement that if the professionals had performed additional procedures, other matters might have come to professionals’ attention and would have been reported
  • A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties
  • A statement that the report only relates to the elements specified and that it does not extend beyond them
  • References to any other separate reports that should be considered
  • Date of issuance of the audit engagement report. In most instances, the date of the report is based upon the issue date. It is recommended also to state the dates when the audit work was actually performed, if not already stated with the list of procedures performed.
  • Names of individuals or entity responsible for the report, appropriate signatures and locations
2.2.5 There are two types of examination reports:
  • Direct reports—On the subject matter rather than on an assertion. The report should make reference only to the subject of the engagement and should not contain any reference to management’s assertion on the subject matter.
  • Indirect reports—Based on management assertions about the subject matter.
More detailed guidance on the difference between indirect and direct reporting can be found in Standard 1007 Assertions.

2.3 Subsequent Events

2.3.1 Events sometimes occur, subsequent to the point in time or period of time of the subject matter being tested but prior to the date of professionals’ report, which have a material effect on the subject matter and therefore require adjustment or disclosure in the presentation of the subject matter or assertions. These occurrences are referred to as subsequent events. In performing an audit engagement, professionals should consider information about subsequent events that comes to their attention. However, professionals have no responsibility to detect subsequent events.
2.3.2 Professionals should inquire with management as to whether they are aware of any subsequent events, through to the date of professionals’ report, that would have a material effect on the subject matter or assertions.

2.4 Additional Communication

2.4.1 Professionals should discuss the draft report contents with management in the subject area prior to finalisation and release, and include management’s response to findings, conclusions and recommendations in the final report, where applicable.
2.4.2 Professionals should communicate significant deficiencies and material weaknesses in the control environment to those charged with governance and, where applicable, to the responsible authority. They should also explicitly disclose in the report that these have been communicated.
2.4.3 Professionals should communicate to management internal control deficiencies that are less than significant but more than inconsequential. In such cases, those charged with governance or the responsible authority should be notified by the professionals that such internal control deficiencies have been communicated to management.
2.4.4 Professionals should obtain written representations from management acknowledging, at a minimum, the following assertions:
  • Management responsibility for establishing and maintaining proper and effective internal controls, including systems of internal accounting and administrative controls over operating activities and information systems under review, and activities to identify all laws, rules and regulations, which govern the subject area under review, and to ensure compliance with them.
  • All requested information relevant to the engagement objectives was provided to the engagement team including, but not limited to:
    • Records, related data, electronic files and reports
    • Policies and procedures
    • Pertinent personnel
    • Results of relevant internal and external IS audits, reviews and assessments
  • No events have occurred, and no matters have been discovered, since the end of fieldwork that would have a material effect on the engagement.
  • Management has no knowledge of any fraud or suspected fraud, irregularities or illegal acts related to the subject area under review, including any involving management or employees with responsibility for internal control, that have not already been disclosed.
  • Management has no knowledge of any allegations of fraud or suspected fraud, irregularities or illegal acts affecting the area under review received in communications from employees, clients, contractors or others, that have not already been disclosed.
  • Acknowledgement of responsibility for the design and implementation of programs and controls to prevent and detect fraud, irregularities and illegal acts.

3. Linkage to Standards and COBIT 5 Processes


3.0 Introduction

This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance

3.1 Linkage to Standards

The table provides an overview of:
  • The most relevant ISACA IS audit and assurance standards that are directly supported by this guideline
  • Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.

Standard                    Relevant Standard Statements

1007 Assertions
  IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

1205 Evidence
  IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.

1401 Reporting
  IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
    • Identification of the enterprise, the intended recipients, and any restrictions on content and circulation
    • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
    • The findings, conclusions and recommendations
    • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
    • Signature, date and distribution according to the terms of the audit charter or engagement letter
  IS audit and assurance professionals shall ensure findings in the audit report are supported by sufficient, reliable and relevant evidence.

1402 Follow-up Activities
  IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.


3.2 Linkage to COBIT 5 Processes

The table provides an overview of the most relevant:
  • COBIT 5 processes
  • COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
COBIT 5 Process             Process Purpose

EDM05 Ensure stakeholder transparency
  Make sure that the communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance, identify areas for improvement and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.

MEA01 Monitor, evaluate and assess performance and conformance
  Provide transparency of performance and conformance and drive achievement of goals.

MEA02 Monitor, evaluate and assess the system of internal control
  Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03 Monitor, evaluate and assess compliance with external requirements
  Ensure that the enterprise is compliant with all applicable external requirements.


3.3 Other Guidance

When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
  • Colleagues from within the enterprise
  • Management
  • Governance bodies within the enterprise, e.g., audit committee
  • Professional organisations
  • Other professional guidance (e.g., books, papers, other guidelines)

4. Terminology


Term                        Definition

Appropriate evidence
  The measure of the quality of the evidence.

Inconsequential deficiency
  A deficiency is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiencies, either individually or when aggregated with other deficiencies, would clearly be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.

Sufficient evidence
  The measure of the quantity of evidence; supports all material questions to the audit objective and scope. See evidence.


5. Effective Date


5.1 Effective Date

This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.