CISA – Certified Information Systems Auditor Study Guide

You're reading from CISA – Certified Information Systems Auditor Study Guide: Aligned with the CISA Review Manual 2024 with over 1000 practice questions to ace the exam

Product type: Paperback
Published in: Oct 2024
Publisher: Packt
ISBN-13: 9781835882863
Length: 356 pages
Edition: 3rd Edition
Author: Hemang Doshi

Reporting and Communication Techniques

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities. These are discussed in the following subsections.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization. A formal exit interview is essential before the audit report is released as it ensures that facts are not misunderstood or misinterpreted. The following are the objectives of an exit interview:

  • To ensure that the facts are appropriately and correctly presented in the audit report
  • To discuss recommendations with auditee management
  • To discuss an implementation date

Exit meetings help align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

An audit report is a formal document that presents the findings, conclusions, and recommendations resulting from an audit. A CISA candidate should note the following best practices with respect to audit reporting:

  • The IS auditor is ultimately responsible for reporting to senior management and the final audit report should be sent to the audit committee of the board (ACB). If the IS auditor has no access to the top officials and the ACB, it will impact the auditor’s independence.
  • Before the report is placed with the ACB, the IS auditor should meet with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
  • Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
  • If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
  • To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

An audit report’s primary goal is to communicate the findings of an audit clearly and effectively. The following are the six objectives of audit reporting:

  • The presentation of audit findings/results to all the stakeholders (that is, the auditees).
  • Providing a formal closure for the audit committee.
  • Providing assurance to the organization. The audit report identifies the areas that require corrective action and associated suggestions.
  • Providing a reference for any party researching the auditee or audit topic.
  • Helping in follow-ups of audit findings presented in the audit reports for closure.
  • Promoting audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report is generally submitted to senior management, and hence, proper structuring of the report is very important. An audit report includes the following content:

  • An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
  • Audit findings and recommendations
  • Opinions about the adequacy, effectiveness, and efficiency of the control environment

The next section will take you through a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the audit recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented. Having a structured process for implementing corrective actions ensures accountability and timely follow-up, helping to address issues effectively and prevent them from recurring.

Follow-up activities should be taken up on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects for the CISA Exam

The following table covers important aspects from the CISA exam perspective:

| Questions | Possible Answers |
| --- | --- |
| What is the objective of an audit closure meeting? | To ensure that there have been no misunderstandings or misinterpretations of the facts |
| What is the objective of conducting a follow-up audit? | To validate remediation actions |
| What is the best way to schedule a follow-up audit? | On the basis of the due date agreed upon by auditee management |

Table 2.14: Key aspects for the CISA exam

While reporting and monitoring methods are crucial for tracking performance and detecting potential risks, control self-assessment enables organizations to proactively assess their internal controls; this is discussed in detail next.
