Section 29
Review and Report Audit Findings

During this step, the IT auditor develops the audit report, distributes it, and follows up on the recommendations. Good ideas are of little value unless they are accepted and implemented, and the value of the audit is frequently rated on acceptance of the audit report by both auditee and senior management. The report must be comprehensive, identifying the scope of the audit, explaining the factual findings, and suggesting recommendations to overcome any weaknesses or problems discovered during the audit. The report must be written clearly and effectively enough to cause action to be taken and must therefore include all information necessary to attain that end.

CREATE THE AUDIT REPORT

This task describes how to write a report for an IT application audit. The general principles of writing any audit report apply to an IT audit report; however, the technology discussed in this report is different and may present the IT auditor with such problems as the following:

  If the report is written in the technical jargon of the IT department, it will be incomprehensible to audit and senior management.
  The report may not contain enough technical information or practical detail for the IT department to implement the recommendations.
  The IT department may not understand the magnitude of the audit findings and recommendations.
  The audit department may not have the support of the IT department in making IT-oriented recommendations.

Most of these problems can be easily resolved. The IT auditor should be able to keep IT-oriented language at a level that can be understood by management (readability is specifically addressed later in this section). Support for the audit, recognition of the importance of the audit findings and objectives, and the problem of insufficient technical information from an IT perspective can be handled by discussing and reviewing the initial drafts of the report with the IT project team.

Writing a successful audit report requires a clear understanding of both the report objectives (what the IT auditor hopes that the report will accomplish) and the desired action (what the IT auditor wants management to do after reading the report). A good audit report includes no more than three objectives and three actions. An audit report with too much data or too many requests overwhelms the reader. If several items need reporting to management, the objectives should be ranked according to priority, and only the three most important should be included in the report. Small items can be reported in an appendix or a supplemental letter to the auditee. The IT auditor must keep these objectives and actions clearly in mind because they help limit the scope of the audit report. They also allow the IT auditor to arrange exit conferences and management presentations around the critical, pertinent points.

Finally, the IT auditor must ensure that adequate time is available to write the report in an appropriate manner, incorporating relevant evidence into the report to support the findings and recommendations. Failure to do so will adversely affect the credibility of the audit department, and auditee management will almost certainly disagree with the factual information in the report.

REVIEW REPORT REASONABLENESS

This task involves verifying that the audit workpapers adequately support the findings and recommendations in the audit report and reviewing the means by which that information is presented. Reviewing the workpapers and audit report is the responsibility of audit management. In smaller audit departments, the review is performed by the director of internal audit; in large organizations, audit managers or supervisors may perform this function. Evidence of the audit management review must be included in the workpapers.

The IT audit review is a special challenge for management. The assumption that audit management can effectively review the IT audit workpapers implies:

  An understanding of computer terminology
  An understanding of IT principles and concepts
  An understanding of how systems are structured, how they operate, and how they are controlled
  Sufficient knowledge to understand the effect of the audit findings and recommendations
  Sufficient background to recognize whether the procedures are adequate to identify significant control problems

It is important that audit management be qualified to review the reasonableness of the audit report. If audit management lacks some of these skills, an outside consultant may be needed to assist with some of the reviews; internal audit departments might wish to use the services of their independent public accountants. Larger internal audit departments normally have sufficient IT expertise to conduct both the audit and review. The IT auditor should be certain that the workpapers adequately support the audit findings and recommendations.

REVIEW READABILITY OF REPORT

The audit report is designed not only to convey information but also to change behavior. A good audit report has the objective of persuading management to take certain actions and must, in this context, be considered a marketing document. The objective of this task is to assess the impact of the audit report in terms of its appearance, wording, and effectiveness in changing managerial behavior. This task requires audit management to view the report from the perspective of the auditee and senior management. Audit management must assess the impression, on the basis of both appearance and content, that the audit report will make on these readers, asking such questions as the following:

  If I were to receive this report, would I judge it to have been developed by a professional and knowledgeable group?
  Is it clear what the report is trying to tell me?
  If I were the auditee, would I find the information in this audit report offensive or disparaging? If so, would I be more concerned with developing countermeasures than with implementing the recommendations?
  If I were the recipient of this report, would it adequately build a case for me to implement the recommendations?
  Does this report clearly differentiate between important items and those that are less critical?

It is important to remember that although the report contains valid findings and recommendations, the auditee will not accept it if it is poorly written. The recipient of the report must understand the information included in the report and must be able to distinguish between important and unimportant information.

PREPARE AND DISTRIBUTE REPORT

The result of a good audit report is the acceptance of the findings and implementation of the recommendations by the auditee—an audit report that elicits no action has not accomplished its mission. The audit is of little use if the audit team is told that it did a good job and that its findings and recommendations are sound but that, for whatever reason, the auditee is not going to accept the findings or implement the recommended actions.

The objective of this task is to ensure implementation of the audit recommendations. The IT auditor should first meet with auditee management to explain the audit report and to obtain their concurrence. The IT auditor then issues the final report to the appropriate parties, following up as appropriate to ensure that action is taken. This task deals with obtaining concurrence, marketing the report, and other steps needed to ensure that the report findings and recommendations are accepted. It involves the exit conference and report issuance and follow-up procedures.

The Exit Conference. The exit conference provides an opportunity for the auditee to review and react to the audit findings and recommendations. If the exit conference is the auditee’s first chance to see a copy of the audit report, the IT auditor will be able to deal with any immediate reactions before a defensive posture can be developed.

Report Issuance and Follow-up. The IT auditor can ensure certain action by sending copies of the report to the appropriate people; this is a pressure tactic, however, and it should be used cautiously. Nevertheless, auditing standards obligate the IT auditor to follow up on the actions taken. If no action has been taken, the IT auditor must initiate whatever procedures are necessary to instigate action, including calling on senior management.

The successful completion of this task requires strict adherence to a timely follow-up schedule. If the IT auditor does not follow up at all, recommendations may not be implemented; if follow-up is delayed, the system may have so changed that the recommendation is no longer appropriate.