Tips for Writing Better Audit Reports
By Lisa R. Young, CISA, CISM
Effectively communicating audit results requires clear and unambiguous language, evidentiary-based support, and knowledge of the audience that will receive the report. An audit report is designed to provide information, persuade the readers to take action, and convince management to change or improve something. How we say things makes a difference. A well-written audit report is a call to action, whereas a poorly written report can result in erroneous action or no action at all.

The ISACA Information Technology Assurance Framework™ (ITAF™) standards have recently undergone revision. The associated guidelines are also pending revision and will be released in 2014. ITAF, 2nd Edition provides explicit guidance on reporting audit results in standard 1401, Reporting. Standard statement 1401.1 states that IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
- Identification of the enterprise, the intended recipients, and any restrictions on content and circulation
- The scope, engagement objectives, period of coverage, and the nature, timing and extent of the work performed
- The findings, conclusions and recommendations
- Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
- Signature, date and distribution according to the terms of the audit charter or engagement letter
In addition to the 1401 standard, there is an associated guideline, 2401 (G20), which expands a bit further on the standard and provides additional considerations for audit result reports. A good audit report tells the reader the severity of the issue(s) and provides an appropriate recommendation for correction of the issue(s).
The following are additional considerations for writing a concise, clear and complete report that achieves its purpose:
- Do not focus only on the bad. An audit is not an attempt to document only the nonconformities or control weaknesses. A thorough audit report should also mention the things that are working and any good points observed, e.g., “The records show evidence that operators have had training on the ABC software that is facilitating control of new projects.”
- Be specific on nonconformities. If there is a standard that defines the specification, be sure to cite it. It is better to say that you “have tested 10 transactions and none were successful” than to report that “all transactions tested were unsuccessful.”
- Offer solid, specific recommendations. The audit report should offer solid recommendations for specific actions that need to be taken. Do not say, “Management should consider reviewing administrator-level accounts on a periodic basis.” Instead, say, “All administrator-level user accounts should be reviewed on a periodic basis.”
- Avoid unnecessary technical language. The following simply stated example provides sufficient information. “Based on our review, we conclude that operations were generally satisfactory. However, we noted areas where efficiency could be improved. Issues that led to this conclusion include: insufficient controls to ensure that all costs were accounted for and properly billed and timely deposit of funds received.” Compare that to the unnecessarily technical language in the following statement. “During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of several nonmaterial items such as insufficient controls to ensure that all costs were accounted for and properly billed; and timely deposit of funds received and concluded that the result of the combined cumulative effect does not constitute a material weakness.”
- Document interviewees and their scope of responsibility within the audit. Even if the report is written with nonattribution, it is important that you have evidence that the person or persons who supplied information are the correct, responsible and accountable parties.
It takes a lot of practice to write clear, concise and actionable audit reports. The audit report is the most important product of any audit assignment and must convey the results in order to provide the organization with a basis for action to change or improve its processes. Keeping these standards, guidelines and considerations in mind will go a long way toward improving the effectiveness of the reports.
Editor’s Note: ISACA’s Professional Standards and Career Management Committee is working on a project to provide more guidance for reporting on audit issues. This guidance is scheduled to be issued in April 2014.
Lisa R. Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.