Your Audit Reports Have Consequences

Your Audit Reports Have Consequences
Author: Ian Cooke, CISA, CRISC, CGEIT, CDPSE, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Date Published: 12 February 2020

A report is defined as a spoken or written description of an event or situation. As such, reports can have positive or sometimes negative impacts upon people or subsequent events. Can you remember the first time your brought back a bad school report to your parents or guardian? What about that formal report you received when you passed your Certified Information Systems Auditor (CISA) exam? Or how about the relief you felt when you read that report after a medical check-up? Indeed, as reports can influence our lives, great care is taken to ensure that they are well crafted, and the reader is left in no doubt as to their meaning. A report describes an event or events, and events can have consequences.

ISACA defines an audit as a formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. Putting the two definitions together, an audit report describes the events or situation regarding, for example, whether standards or guidelines are being followed. Audit reports are mandated by the IT Assurance Framework (ITAF) reporting standard 1401, which states, “IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement.”

However, if you review the conversations on the Audit and Assurance Topic on ISACA’s Engage online forum, you will note that many ISACA members are looking to understand how to perform the formal inspection and verification (an audit program), while few wish to discuss how to describe the subsequently derived events. This makes sense on one hand since this can since this can affect the quality of the work performed and, ultimately, the assurance provided to the enterprise.

However, rarely discussing the contents of the audit report makes little sense because, as we have noted previously, reports have consequences. For example, an IT audit report can result in the diversion of key IT resources and will often result in expenditure to the enterprise. As such, audit reports should be carefully crafted. ISACA has provided guidance on the contents of audit report, which I discuss in my latest IS Audit Basics column, The Components of the IT Audit Report in the ISACA Journal, volume 1, 2020.

Editor’s note: For further insights on this topic, read Ian Cooke’s latest Journal column, “The Components of the IT Audit Report,” ISACA Journal, volume 1, 2020.

ISACA Journal