Auditing and the production of clear audit reports are crucial activities in ensuring the effective management of information systems. They are also mandatory requirements for the implementation of IT best practices and standards that include ITIL®, PRINCE2®, COBIT® 5, PCI DSS and ISO27001.
ISACA® recently published Information Systems Auditing: Tools and Techniques, which provides a practical guide to writing an information systems (IS) audit report. Written by John W. Beveridge, this document is available as a free download and provides a detailed explanation of how to create a well-written, properly supported audit report that clearly communicates the objectives of the audit and what was performed, and that focuses on the conclusions and any actions the auditee needs to take.
The importance of well-written audit reports should never be underestimated
We have all seen reports that did not explain the audit methodology, presented the results in an illogical order or failed to provide adequate recommendations for remediation. Depending on the scope of the audit, the quality of the report can have a significant impact on the decisions senior managers take with respect to compliance, performance, continual process improvement, staff and costs. It goes without saying that the key responsibilities of the auditor (external or internal) are to perform an adequate audit, AND to write and present an accurate and relevant audit report.
Effective auditing and the creation of clear audit reports are at the heart of our Lead Auditor and Internal Auditor training course portfolio, which covers the ISO27001 Information Security, ISO22301 Business Continuity and ISO20000 Service Management standards. They are also crucial skills covered in our COBIT 5 Foundation, Implementation and Assessor classroom courses. Last – but definitely not least – all delegates attending our CISA Exam Preparation course will know that they will be examined on Domain 1 – The Process of Auditing Information Systems. This will include answering questions on audit planning, reporting on audit findings, and making recommendations to key stakeholders to communicate the results and effect change when necessary.