I. PHASE ONE—PREPARING TO WRITE
Objectives of Audit Reporting
The six objectives of audit reporting are:
Formally present the audit results to the auditee.
Serve as formal closure of the audit engagement.
Provide statements of assurance and, if needed, identification of areas requiring corrective action and
Serve as a valued reference for any party researching the audit entity or audit topic.
Serve as the basis for a follow-up audit if audit findings were presented.
Promote audit credibility when well developed and well written.
IS AUDIT REPORT
Reporting is an important phase of the audit process. The value of the audit is communicated to the readers
of the report.
The value of the IS audit report lies in its ability to communicate the scope, objectives, results and recommendations
of the audit. The value also lies in the report’s ability to provide information to persuade and assist management in
reducing risk, achieving organisational objectives and taking corrective action
Types of IS Audit Reports
1.type of audit engagement—whether it is a review, an audit (examination)
or an agreed-upon procedures engagement
2.The organisation and specific content of the report
The format and protocols
for audit report presentation can also depend on any requirements and expectations set forth between the audit
organisation and the auditee.
Types of Audit Engagements:
2.Agreed-upon Procedures Engagement
IS Audit Engagements
• General control examination or facility audit
• Application audit
• System development audit
• Technical or special topic audit
Identifying and Understanding the Users of the Report
Compliance With Auditing Standards
Auditors who are holders of the Certified Information Systems Auditor® (CISA®) designation or members of ISACA,
must comply with ISACA IS Audit and Assurance Standards and IS Audit and Assurance Guidelines when preparing
and issuing IS audit reports. The auditor is responsible for ensuring that audit work, including audit reporting,
complies with relevant auditing standards
II. PHASE TWO—WRITING THE REPORT
Key Success Factors
Length and Content of an IS Audit Reportdepend on the following:
• Predefined requirements that are mandated by auditing standards
• Additional requirements that are dictated by the needs of various readers
• Complexity of the material
• Reporting protocols that are established by the audit organisation
IS Audit Reports
Most IS audit reports include the following main sections
Signatory and Transmittal Page
Table of Contents
Executive Summary (optional depending on the length and complexity of the report
Audit Results (mandatory depending on the results of the audit
Audit Conclusion or Opinion
Recommendation (mandatory depending on the results of the audit
Management Response (mandatory depending on the results of the audit
Audit Report Template
Using the IS Audit Report Template
Constructing Well-written IS Audit Reports
Report Drafting Process
1.Guideposts for Writing Effective IS Audit Reports
2.Formal Draft Report
3.Cover Letter or Memo
III. PHASE THREE—FINALISING THE REPORT
Including Additional Information
Final Editing, Review and Approval
IV. OTHER CONSIDERATIONS FOR REPORT DISTRIBUTION
Compliance With Legal Requirements
1.Information to Include in the Final Report
3.Identify Legally Mandated Reporting Requirements
Communicating Possibility of Illegal or Fraudulent Activity
When and to Whom to Report Possible Fraud
What Is Fraud?
must involve intentional deception or misrepresentation known to be such by the
Reporting Possible Fraud in the Final Report
Issuing Separate Confidential Reports
Meeting Future Reporting Expectations
Objective of Integrated Reporting
4.Use of Technology in Reporting.