The IS auditor is ultimately responsible to senior management and to the audit committee of the board of directors. Before communicating the results to senior management, the IS auditor should discuss the findings with the management staff of the audited entity to gain agreement on the findings and to develop a course of corrective action.
An internal audit department that organizationally reports exclusively to the chief financial officer (CFO) rather than to an audit committee is very likely to have its audit independence questioned. Because audit reports are the final work product of the audit process, it is imperative that the IS auditor be concerned with the following:
The structure and content of the report will vary by organization but will usually have the following parts:
The report might vary, depending on the audience to which it is presented and management guidance with regard to the report. The IS auditor might present findings and recommendations to the auditee, senior management, and the board of directors; in each case, the report would not only have a different focus but might also contain subsets of the information gathered during the audit.
As an example, if an auditor discovers that the organization's computers contain unauthorized software, the auditor should report the use of the unauthorized software to auditee management and highlight the need to prevent recurrence. The audit report should provide specific recommendations to management. As a result of the findings and recommendations, management should create an action plan to implement corrective actions. Keep in mind that resource constraints might prevent management from implementing all the audit recommendations; however, the auditor should obtain a commitment with expected dates for corrective action.
An exit interview should be conducted at the conclusion of the audit. This provides the auditor with an opportunity to discuss the scope and the findings and recommendations of the audit. The exit interview also assures the auditor that the facts presented in the report are correct and that the recommendations are realistic (cost-effective), and establishes the implementation dates for corrective action.
Responsibility, authority, and accountability of the IS audit function must be documented and approved by the highest level of management.