While authoring this column and, indeed, participating in the Audit and Assurance community on ISACA’s Engage Online forum, 1 my opinion is often sought on a wide range of audit-related topics from ISACA members around the world. Recently, I was asked about the contents of an audit report, and this struck me as something that was worthy of further discussion. We (as IT auditors) spend many hours discussing and seeking audit programs (which are of no interest to the business) and little or no time discussing the audit report, which (we hope) will provide business value.
So, what are the components of an IT audit report? This, of course, depends on the type of audit. According to ISACA, there are three types: an examination, a review and an agreed-upon procedure. 2 We will concentrate on examination, which is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions 3 about an entity or event, processes, operations, or internal controls for the purpose of forming an opinion and providing a report on the degree to which the assertions conform to an identified set of standards. 4 Fundamentally, this is our “standard” audit.
The mandatory components of an IT audit report are described in ISACA’s Information Technology Assurance Framework (ITAF) 5 under guideline 2401, reporting. In addition, an ISACA white paper, IS Audit Reporting, suggests further discretionary components (figure 1). 6 The components are not necessarily in any order and many are self-explanatory (additional information may be found in the referenced documents, if required); however, the items in italics are worthy of further discussion. It is important to note that although ITAF requires these components, that does not necessarily mean that an audit report will have a separate section or heading for each. The components may be combined under different sections.
The audit scope should define the audit subject. It should define the limits to the audit. This can be an organization, a division within the organization, a business process, an application system or supporting technology, such as a particular platform or network. 7 The scope statement should also define the period under review and when the audit was performed. To a knowledgeable reader, audit scope should indicate the expected breadth of audit work and topic areas covered. 8
Management may make representations about the effectiveness of the control procedures. These are usually in the form of assertions or any formal declaration or set of declarations about the subject matter made by management. 9 Common assertions include confidentiality, integrity, availability and compliance. So, management may assert that the application under review is in compliance with, say the Payment Card Industry Data Security Standard
The purpose of the audit is identified in the audit objectives. Why are we auditing it? The objectives identify the items to be evaluated or assessed by the audit. 10 Audit objectives are most commonly phrased as, “To determine whether…” or, for example, “To assess the adequacy of internal controls.” 11 An objective may be “To determine whether the application under review is in compliance with PCI DSS.”
Criteria are the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. 12 Criteria are often defined by the entity that is under review (e.g., contracts, service level agreements [SLAs], policies, standards); however, there will be instances, for example, when an organization has not defined its own standards, when other criteria should be applied. Criteria can be established by ISACA, other bodies of experts, and laws and regulations, or can have been developed specifically for the audit engagement. 13 Following the PCI DSS example, ISACA’s ICQ and Audit/Assurance Program for PCI DSS Compliance Program 14 might be considered suitable criteria.
Audit findings are provided in the audit report when action is required to correct a deficiency in a process or its related controls. 15 The five key elements, or attributes that should be addressed when presenting an audit finding, are described in figure 2.
It is also good practice to allocate a rating to indicate the significance of each finding, along with a unique reference number to easily identify the item. These can be used by management to prioritize its response and by audit to track the findings through to completion. 16 The findings can also be presented in order of their significance. When capturing management’s responses, always capture the manager responsible and an agreed implementation date. These will aid with the audit follow-up process. 17
The purpose of this section is to provide an overall conclusion or opinion with respect to the engagement’s audit objectives. An auditor’s opinion is a formal statement expressed by the IT audit or assurance professional that describes the scope of the audit, the procedures used to produce the report, and whether or not the findings support that the audit criteria have been met. The types of opinions are: 18
A disclaimer of opinion is issued when the auditor is unable to obtain sufficient appropriate audit evidence on which to base an opinion or if it is impossible to form an opinion due to the potential interactions of multiple uncertainties and their possible cumulative impact.
An executive summary is a concise document demonstrating the problem, findings and recommendation of a longer report. 19 It typically includes a high-level description of the primary message of the report, key audit objectives and a brief summary of audit results. 20 It is not mandated by ITAF, but is highly recommended as, often, it is the only section of the report that will be read by senior executives.
IT audit professionals spend many hours searching for and discussing IT audit programs, and rightly so, since this can affect the quality of the work performed and, ultimately, the assurance provided to the enterprise. However, the contents of the audit report are rarely discussed, even though they will be used to drive the audit follow-up process and often result in expenditure to the enterprise. ISACA has produced standards, guidelines, a white paper and a report template, which should be referenced to ensure that each enterprise’s audit reports meet high professional standards. Adhering to these standards will also prove invaluable to the IT auditor when, as is often the case, the results of the audit report are challenged.
