CISA – Certified Information Systems Auditor Study Guide - Second Edition

By: Hemang Doshi

Overview of this book

With the latest updates and revised study material, this second edition of the Certified Information Systems Auditor Study Guide provides an excellent starting point for your CISA certification preparation. The book strengthens your grip on the core concepts through a three-step approach. First, it presents the fundamentals with easy-to-understand theoretical explanations. Next, it provides a list of key aspects that are crucial from the CISA exam perspective, ensuring you focus on important pointers for the exam. Finally, the book makes you an expert in specific topics by engaging you with self-assessment questions designed to align with the exam format, challenging you to apply your knowledge and sharpen your understanding. Moreover, the book comes with lifetime access to supplementary resources on an online platform, including CISA flashcards, practice questions, and valuable exam tips. With unlimited access to the website, you’ll have the flexibility to practice as many times as you desire, maximizing your exam readiness. By the end of this book, you’ll have developed the proficiency to successfully obtain the CISA certification and significantly upgrade your auditing career.

Reporting and Communication Techniques

Audit reporting and following up for closure are the last steps of the audit process. The effectiveness of an audit largely depends on how the audit results are communicated and how follow-up is done for the closure of recommendations. Effective verbal and written communication skills are key attributes of a good auditor. A CISA candidate is expected to have a thorough understanding of the elements of an exit interview, audit report objectives, the process and structure, and follow-up activities.

Exit Interview

Auditing is not about finding errors. It is about adding value to the existing processes of an organization.

A formal exit interview is essential before the audit report is released. The following are the objectives of an exit interview:

  • To ensure that the facts are appropriately and correctly presented in the report
  • To discuss recommendations with auditee management
  • To discuss an implementation date

The exit meeting ensures that facts are not misunderstood or misinterpreted. Exit meetings help to align the audit team and auditee management on the findings that are presented, discussed, and agreed upon.

Audit Reporting

A CISA candidate should note the following best practices with respect to audit reporting:

  • The IS auditor is ultimately responsible to senior management, and the final audit report should be sent to the Audit Committee of the Board (ACB). If the IS auditor has no access to the top officials and the audit committee, it will impact the auditor’s independence.
  • Before the report is placed with the ACB, the IS auditor should discuss with auditee management to determine the accuracy of the audit observations and to understand the correction plan.
  • Sometimes, auditee management may not agree with the audit findings and recommendations. In such cases, IS auditors should emphasize the significance of the audit findings and the risk of not taking any corrective action.
  • If there is any control weakness that is not within the scope of the audit, it should be reported to management during the audit process. This should not be overlooked. Generally accepted audit procedures require audit results to be reported even if the auditee takes corrective action prior to reporting.
  • To support the audit results, the IS auditor should have clear and accurate audit facts.

Audit Report Objectives

The following are the six objectives of audit reporting:

  • The presentation of audit findings/results to all the stakeholders (that is, the auditees).
  • The audit report serves as a formal closure for the audit committee.
  • The audit report provides assurance to the organization. It identifies the areas that require corrective action and associated suggestions.
  • The audit report serves as a reference for any party researching the auditee or audit topic.
  • It helps in follow-ups of audit findings presented in the audit reports for closure.
  • A well-defined audit report promotes audit credibility. This depends on the report being well developed and well written.

Audit Report Structure

An audit report includes the following content:

  • An introduction to the report, which includes the scope of the audit, the limitations of the audit, a statement of the audit objective, the audit period, and so on
  • Audit findings and recommendations
  • Opinion about the adequacy, effectiveness, and efficiency of the control environment

Now you will see a rundown of the main objectives of follow-up activities.

Follow-Up Activities

The main objective of follow-up activities is to validate whether management has implemented the recommendations. An IS auditor needs to determine whether management has acted on corrective actions to close the audit findings. It is essential to have a structured process to determine that corrective actions have been implemented.

Follow-up activities should be taken on the basis of the timeline agreed on by auditee management for the closure of audit findings. The status of compliance should be placed at the appropriate level of management.

Although audit follow-ups are primarily applicable to internal audit functions, external audit firms may be required to do the follow-up if it is included in the letter of engagement.

Key Aspects from the CISA Exam Perspective

The following table covers important aspects from the CISA exam perspective:

| CISA Questions | Possible Answers |
|---|---|
| What is the objective of an audit closure meeting? | To ensure that there have been no misunderstandings or misinterpretations of the facts |
| What is the objective of conducting a follow-up audit? | To validate remediation action |
| What is the best way to schedule a follow-up audit? | On the basis of the due date agreed upon by auditee management |

Table 2.14: Key aspects from the CISA exam perspective