While authoring this column and, indeed, participating in the Audit and Assurance community on ISACA’s Engage Online forum,1 my opinion is often sought on a wide range of audit-related topics from ISACA members around the world. Recently, I was asked about the contents of an audit report, and this struck me as something that was worthy of further discussion. We (as IT auditors) spend many hours discussing and seeking audit programs (which are of no interest to the business) and little or no time discussing the audit report, which (we hope) will provide business value.
So, what are the components of an IT audit report? This, of course, depends on the type of audit. According to ISACA, there are three types: an examination, a review and an agreed-upon procedure.2 We will concentrate on examination, which is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions3 about an entity or event, processes, operations, or internal controls for the purpose of forming an opinion and providing a report on the degree to which the assertions conform to an identified set of standards.4 Fundamentally, this is our “standard” audit.
Audit Report Components
The mandatory components of an IT audit report are described in ISACA’s Information Technology Assurance Framework (ITAF)5 under guideline 2401, reporting. In addition, an ISACA white paper, IS Audit Reporting, suggests further discretionary components (figure 1).6 The components are not necessarily in any order and many are self-explanatory (additional information may be found in the referenced documents, if required); however, the items in italics are worthy of further discussion. It is important to note that although ITAF requires these components, that does not necessarily mean that an audit report will have a separate section or heading for each. The components may be combined under different sections.
Scope of the Audit Engagement
The audit scope should define the audit subject. It should define the limits to the audit. This can be an organization, a division within the organization, a business process, an application system or supporting technology, such as a particular platform or network.7 The scope statement should also define the period under review and when the audit was performed. To a knowledgeable reader, audit scope should indicate the expected breadth of audit work and topic areas covered.8
Source of Management’s Representation
Management may make representations about the effectiveness of the control procedures. These are usually in the form of assertions, that is, any formal declaration or set of declarations about the subject matter made by management.9 Common assertions include confidentiality, integrity, availability and compliance. So, management may assert that the application under review is in compliance with, say, the Payment Card Industry Data Security Standard (PCI DSS).
Objectives of the Audit
The purpose of the audit is identified in the audit objectives. Why are we auditing it? The objectives identify the items to be evaluated or assessed by the audit.10 Audit objectives are most commonly phrased as, “To determine whether…” or, for example, “To assess the adequacy of internal controls.”11 An objective may be “To determine whether the application under review is in compliance with PCI DSS.”
Source of the Criteria
Criteria are the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.12 Criteria are often defined by the entity that is under review (e.g., contracts, service level agreements [SLAs], policies, standards); however, there will be instances (for example, when an organization has not defined its own standards) in which other criteria should be applied. Criteria can be established by ISACA, other bodies of experts, and laws and regulations, or can have been developed specifically for the audit engagement.13 Following the PCI DSS example, ISACA’s ICQ and Audit/Assurance Program for PCI DSS Compliance Program14 might be considered suitable criteria.
Findings, Conclusions and Recommendations
Audit findings are provided in the audit report when action is required to correct a deficiency in a process or its related controls.15 The five key elements, or attributes, that should be addressed when presenting an audit finding are described in figure 2.
It is also good practice to allocate a rating to indicate the significance of each finding, along with a unique reference number to easily identify the item. These can be used by management to prioritize its response and by audit to track the findings through to completion.16 The findings can also be presented in order of their significance. When capturing management’s responses, always capture the manager responsible and an agreed implementation date. These will aid with the audit follow-up process.17
An Expression of Opinion
The purpose of this section is to provide an overall conclusion or opinion with respect to the engagement’s audit objectives. An auditor’s opinion is a formal statement expressed by the IT audit or assurance professional that describes the scope of the audit, the procedures used to produce the report, and whether or not the findings support that the audit criteria have been met. The types of opinions are:18
- Unqualified opinion—Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency. Essentially a clean bill of health with respect to the audit objectives.
- Qualified opinion—Notes exceptions aggregated to a significant deficiency (but not a material weakness). In this instance, the report should include an explanatory paragraph stating the reasons why a qualified opinion is expressed in the report.
- Adverse opinion—Notes one or more significant deficiencies aggregating to a material weakness. From an internal control perspective, an adverse opinion is expressed when adequate controls are not in place or in effect to provide reasonable assurance that control objectives are met, or that there is a reasonable likelihood that the control objectives are not met. Again, include an explanatory paragraph stating the reasons why the opinion was reached.
A disclaimer of opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence on which to base an opinion or if it is impossible to form an opinion due to the potential interactions of multiple uncertainties and their possible cumulative impact.
An executive summary is a concise document demonstrating the problem, findings and recommendation of a longer report.19 It typically includes a high-level description of the primary message of the report, key audit objectives and a brief summary of audit results.20 It is not mandated by ITAF, but is highly recommended as, often, it is the only section of the report that will be read by senior executives.
IT audit professionals spend many hours searching for and discussing IT audit programs, and rightly so, since this can affect the quality of the work performed and, ultimately, the assurance provided to the enterprise. However, the contents of the audit report are rarely discussed, even though they will be used to drive the audit follow-up process and often result in expenditure to the enterprise. ISACA has produced standards, guidelines, a white paper and a report template, which should be referenced to ensure that each enterprise’s audit reports meet high professional standards. Adhering to these standards will also prove invaluable to the IT auditor when, as is often the case, the results of the audit report are challenged.
1 ISACA Online Forum, Audit and Assurance, https://engage.isaca.org/communities/community-home/digestviewer?communitykey=b4f0c214-8b78-4359-8bd0-8f0e7382b68a&tab=digestviewer
2 ISACA, Information Technology Assurance Framework (ITAF), USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
3 An assertion is any formal declaration or set of declarations about the subject matter made by management. Ibid., p. 19
4 ISACA, IS Audit Reporting, USA, 2015, www.isaca.org/Knowledge-Center/Research/Documents/IS-Auditing-Tools-and-Tech_res_Eng_0215.pdf
5 Op cit ITAF
6 Op cit IS Audit Reporting
7 Ibid., p. 22
9 Op cit ITAF, p. 73
10 Op cit IS Audit Reporting, p. 22
12 Op cit ITAF, p. 21
13 Ibid., p. 79
14 ISACA, ICQ and Audit/Assurance Program for PCI DSS Compliance Program, USA, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/icq-and-audit-assurance-program-for-pci-dss-compliance-program.aspx
15 Op cit IS Audit Reporting, p. 26
16 Cooke, I.; “Enhancing the Audit Follow-Up Process Using COBIT 5,” ISACA Journal vol. 6, 2016, https://www.isaca.org/archives
18 Op cit ITAF, p. 16
19 Harvard Kennedy School Communications Program, “How to Write an Executive Summary,” Harvard University, Cambridge, Massachusetts, USA, https://projects.iq.harvard.edu/files/hks-communications-program/files/how_to_write_an_exex_summ_to_use_4_18_18.pdf
20 Op cit IS Audit Reporting, p. 21
Ian Cooke, CISA, CRISC, CGEIT, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has over 30 years of experience in all aspects of information systems. Cooke has served on several ISACA committees and is a member of ISACA’s CGEIT Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke has supported the update of the CISA Review Manual and was a subject matter expert for the development of ISACA’s CISA and CRISC Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email (Ian_J_Cooke@hotmail.com), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/), or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.