
A New Practical Guide On Information Systems Auditing

By John Beveridge, CISA, CISM, CGEIT, CRISC, CFE

COBIT Focus | 16 February 2015

Information Systems Auditing: Tools and Techniques is a practical guide on how to write an information systems (IS) audit report. It assists IS auditors in preparing comprehensible, well-supported audit reports that comply with the requirements of the IS Audit and Assurance Standards and IS Audit and Assurance Guidelines published by ISACA. This guide provides the reader with recommended content for each section of the audit report and an audit report template (downloadable Microsoft® Word Document) with standard text and writing guidance.

The value of the IS audit report really lies in its ability to communicate the scope, objectives, results and recommendations of the audit. The value also lies in the report’s ability to provide information to persuade and assist management in reducing risk, achieving organisational objectives and taking corrective action.

What if an IS audit report:

  • Included content that was presented in an illogical order and was completely confusing?
  • Contained errors, inadequate labelling of exhibits or poor explanations?
  • Was not comprehensive enough and required supporting information?
  • Did not clearly explain how the audit was performed?
  • Did not explicitly state the findings, or the benefits of taking corrective action, and the risk of not doing so?
  • Did not align with any industry standards?

An audit report like the one described above would not serve as a statement of assurance that the performance of IS operations, adequacy of internal controls, or the appropriateness of system development policies and procedures supports the achievement of enterprise goals. Moreover, a report like this would appear to lack integrity and could not be relied upon to assist business process management and IS management in taking corrective actions or acquiring additional resources to support IT initiatives.


It is, therefore, very important to have a well-written, properly supported audit report that clearly communicates the objectives of the audit, what was performed, and focuses on the conclusions and any actions needed by the auditee. An effective audit report can have a significant impact on management decisions regarding the auditee organisation and those whom it serves (its stakeholders). Depending on the audit scope and objectives, conclusions drawn, and the opinion provided, governance and management practices may be enhanced, resources reallocated and performance measures recalibrated. Just as the audit engagement must be performed by competent audit staff in accordance with relevant auditing standards, so too must the development of the audit report.

The credibility of the audit engagement itself also depends on having a well-written and properly organised audit report. Here the auditor should take into account the way the enterprise structures the governance and management of its information systems, including their use of standards (e.g., International Organization for Standardization [ISO]), frameworks (e.g., COBIT, ITIL®) and practice guides, to optimise the credibility and applicability of the report contents. Even if the enterprise does not use such guidance, these sources may still provide valuable material to base the report contents on—focusing on the purpose and outcomes intended in the guidance rather than the specifics of the guide structure itself, because the structure would not resonate with the auditee. The purpose of this audit reporting guide is to reduce the risk that the value of the audit and the auditor’s conclusions and recommendations could be lost or disregarded.

This guide outlines the process of writing an IS audit report via three high-level phases:

  • Phase 1: In the preparing-to-write phase, the focus is on the content requirements, which are based on the type and logistics of the audit engagement, the complexity of the audit subject matter, audit standards and guidelines, the readership, and the important messages from the engagement. The audit engagement will be based on an audit program developed to guide the assessment activity and capture the results of the audit testing performed. The auditor adapts the program to reflect the enterprise area being audited. However, for many areas of IT audit activity there are common practices used by most enterprises, and base audit programs are available from ISACA (including those based on COBIT process areas) and other sources to give the auditor a head start in developing a quality, comprehensive program for the work. A quality audit program is key to preparing to write the audit report. During this phase, the report structure is also determined, depending on the expected length of the report and the requirement for an executive summary, table of contents or appendices.
  • Phase 2: During the report writing phase, specific details on audit scope, audit objectives, methodology, conclusions, findings and recommendations are extracted from the audit work papers and inserted into the formal draft report. The report writing activity itself can also be supported by reference to applicable standards, frameworks and practice guides, helping the auditor to clearly state their findings and the implications that follow from them. This report can be presented to the auditees for their review, feedback, and provision of a management response or responses to the report’s conclusions and recommendations. This step continues the interactive communication between the auditor and the auditee with discussion, confirmation and feedback on audit topics, control objectives, controls and possible corrective actions if deficiencies have been detected.
  • Phase 3: The report finalisation phase prepares the final audit report for issuance to the auditee and any other designated parties. Audit management responses are inserted into the report with possible auditor replies, and final decisions are made regarding report content, reporting subsequent events or disclosures, report distribution, and compliance with audit standards and other requirements. After the additional information is included and any changes are made, the audit report should be subject to a final review by senior audit management before the report is issued.

The audit report contains the conclusions of audit work or an opinion that is related to the objectives of the audit. Auditing standards stipulate that reports contain certain information; the order and structure within which that content is presented is driven by relevant practices and the need to make reports readable and understandable. A good audit report contains precise and concise facts that are easily understood by the readers. In addition to terminology, language, report structure, content requirements and protocol, sentence structure and punctuation are also important considerations.

Read ISACA’s Information Systems Auditing: Tools and Techniques for more information on this topic.


John Beveridge is a member of the faculty at Bentley University (Waltham, Massachusetts, USA), where he teaches courses in IT auditing, accounting information systems and fraud investigation. His professional career spans more than 25 years in government and private industry in the US and England. He has served as deputy state auditor for the Commonwealth of Massachusetts Office of the State Auditor, where he was responsible for the IT audit division. While deputy state auditor, he served as co-chair of the Commonwealth of Massachusetts Enterprise Security Board and a member of the Commonwealth’s IT Advisory Board. Beveridge formalized the board’s policy and standards development process and initiated its management advisory role regarding IT security. Before serving as deputy state auditor, Beveridge also worked for the First National Bank of Boston and Imperial Tobacco Group in England. His experience includes providing training and consulting services. He is a past international president of ISACA and was a member of the team that developed COBIT. He has served in a number of capacities with ISACA, including the COBIT Steering Committee, Governance Advisory Council, Information Systems Auditing Standards Board, IT Governance Credentialing Committee, Education Board, Assurance Board, and the Advisory Committee to the Task Force on Model Curriculum for IT Auditing. At the local level, he has served on chapter boards for ISACA, the Institute of Internal Auditors, the Association of Government Accountants and the Association of Certified Fraud Examiners.
