07. Communicating and Reporting on IS Audits

Credit: Coworkers in a Conference Room having a Meeting by Tima Miroshnichenko, used under the Pexels License.

So far, we have explored the nuances of Information Systems (IS) auditing, examining the various frameworks, methodologies, and practices that serve as the foundation of this critical function. We explored the importance of risk assessment, the nature and evaluation of controls, and the strategic role of IS auditing in safeguarding organizational information assets.

We will focus on the final phase of the audit process — communicating and reporting on IS audits. Effective communication is one of the more critical enabling competencies of information systems auditing. Through clear, concise, and well-structured communication, we convey the results of our audits to stakeholders, enabling them to understand the identified risks, vulnerabilities, and potential impacts and to make informed decisions about mitigating these issues.

This chapter will explore the essential aspects of communicating and reporting on IS audits. We will begin by examining the significance of accurate and objective audit findings and exploring the methods for detecting and documenting these findings. This also includes categorizing findings by severity and impact and establishing a framework for prioritizing audit recommendations.

Next, we will turn our attention to the IS audit report by exploring the elements of a comprehensive IS audit report. We will emphasize the importance of clarity, readability, and stakeholder-centric communication, which play a crucial role in conveying audit findings in an understandable and actionable manner. We will also review the need for tailored communication strategies for different stakeholders. This includes using data visualization and graphics to enhance clarity and engagement while communicating technical findings to non-technical audiences. We will discuss strategies for maintaining professionalism, tact, and objectivity. We will emphasize the importance of open dialogue and collaboration, fostering a culture of constructive feedback and shared responsibility for addressing identified risks. Collectively, these aspects help reinforce the value-added role of IS auditing by supporting the achievement of the organization’s objectives.

Lastly, we will conclude the chapter by highlighting the importance of post-audit activities. These activities, also known as “follow-up on findings,” focus on determining that corrective actions and remediation plans are implemented effectively and promptly. We will discuss the nature, role, and purpose of follow-up procedures and timelines. We will explore escalation protocols for unresolved findings, ensuring that critical issues are not overlooked. We will also discuss the importance of reporting on follow-up results and audit closure, providing stakeholders with a comprehensive picture of the audit process and its outcomes.

 

Learning Objectives

By the end of this chapter, you should be able to:

  • Discuss the importance of documenting accurate, constructive, precise, and objective IS audit findings.
  • Demonstrate proficiency in methods for detecting and documenting audit findings effectively.
  • Develop a comprehensive IS audit report, including essential elements for clarity and readability.
  • Gain strategies for presenting critical audit findings and engaging stakeholders in constructive dialogue.
  • Understand the importance of and methods for post-audit follow-up, monitoring corrective actions, and reporting on audit closure.

 

 


License


Auditing Information Systems Copyright © 2024 by Amit M. Mehta is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
