This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/audit-report-model-and-sample-268
Summary of Contents
This book, ‘Audit Report: Model and Sample’, contains a model of an audit report and a real
sample from an IT Audit assignment (data of client not disclosed for privacy and confidentiality
issues).
This has been used effectively in various types of internal and external audit assignments as well
as consulting assignments, especially in reviewing internal controls for all types of companies.
These types of audit include:
(1) Financial Auditing (also called ‘statutory auditing’), which involves reviewing the adequacy
of internal accounting controls of the organization in terms of accuracy, completeness and
validity of financial information, financial reports and of the underlying accounting systems and
records,
(2) Operational (Performance) Auditing, which includes reviewing the strategic and
operational performance of the whole organization or specific business processes or departments,
focusing on the efficiency and effectiveness of these processes and the associated management
controls,
(3) Compliance Auditing, which relates to reviews of compliance or conformity of the
organization with relevant legislation, regulations, standards, internal policies and guidelines,
and
(4) IT Systems Auditing, which pertains to reviews of the effectiveness, accuracy and efficiency of
IT general controls (e.g., IT organization, administration, security, etc.) as well as IT
application controls (e.g., the accuracy of data and transactions processed and maintained by specific
corporate computerized application systems) related to the information technology and
telecommunications systems, facilities and projects of the organization.
Other types of audits are: Follow-up audits, Investigating audits, Integrated audits, Quality
audits, ISO audits, Tax audits, IT Security audits, Continuous audits, Due Diligence Process
audits, etc.
The work of all these audits is carried out by Internal and External Auditors and Management
Consultants on the basis of an audit or evaluation strategy, a plan, and a methodology with
specific audit objectives, and with the assistance of audit programs, audit checklists, test
computerized application systems, and computer-assisted audit tools and techniques (CAATTs), etc.
The objective of this book is to provide any business owner, company director, senior manager,
auditor, other stakeholder, etc., with a useful set of practical tools to assist and support them in
their business performance management system audit and implementation, using any
performance model (BSC, EFQM, Six Sigma, etc.).
5.5
Enter title of area reviewed or Risk
Rationale
Recommendation
Management Response
5.6
Enter title of area reviewed or Risk
Rationale
Recommendation
Management Response
5.7
Enter title of area reviewed or Risk
Rationale
Recommendation
Management Response
5.8
Enter title of area reviewed or Risk
Rationale
Recommendation
Management Response
5.13
Enter title of area reviewed or Risk
Recommendation
Rationale
Management Response
5.14
Enter title of area reviewed or Risk
Recommendation
Rationale
Management Response
5.15
Enter title of area reviewed or Risk
Recommendation
Rationale
Management Response
5.16
Enter title of area reviewed or Risk
Recommendation
Rationale
Management Response
IT Audit Report for Company ‘ABCXYZ’ (a fictitious entity)
This report is based on the Audit Report Model described previously in this book.
1. Scope of IT Audit Coverage
During this IT audit, as per the Internal Audit Annual Plan and further to the agreement with the
Audit Committee, we reviewed and evaluated the controls of the following areas of IT activities
of Company ‘ABCXYZ’ (a fictitious private business entity or public organization).
These areas are:
(a) IT Organization,
(b) IT Administration,
(c) IT Strategy,
(d) Systems Development,
(e) IT Security,
(f) Data Center Operational and Support Services, and
(g) Systems Software.
The area of Enterprise Architecture and operating specific IT Applications in the data center or
in end user personal computers will not be examined. Also testing in a test environment with real
or ‘dummy’ transactions, scanning the facility for eavesdropping devices, and security
penetration testing will not be undertaken.
The audit findings and recommendations per area audited, both in summary and in detail form,
are presented next.
2. Summary of Audit Findings and Recommendations
Our recommendations according to an audit priority scheme are presented next.
‘High’ priority means that these recommendations should be considered first for
implementation, because their impact level is deemed to be of the highest importance to the
specific IT operations.
‘Medium’ priority denotes that these may be examined for implementation next, as their impact
level may be important, but not as important as the impact level of ‘High’ priority
recommendations.
Finally, ‘Low’ priority does not mean that these recommendations should be disregarded altogether;
they may be implemented as the last step.
IT management and other corporate officers (e.g., CEO, Compliance Officer, Risk Officer, Chief
Finance Officer, etc.) may change this priority, should they wish. The important thing here is to
set priorities and do what is right to rectify and improve the situation.
3. Analysis of Detail Audit Findings and Recommendations
The detail audit findings and recommendations are presented next, by IT area audited.
The IT areas audited are: IT Organization, IT Administration, IT Strategy, Systems
Development, IT Security, Data Center Operations, Personal Computers, and Systems Software.
*3.1. IT Organization Area: Audit Findings and Recommendations
The IT audit objectives for auditing the area of IT Organization were to determine the quality
and effectiveness of the organization’s management of information technology.
The following types of IT Organization controls were reviewed during the audit process, to
ascertain both their use and potential effectiveness, at this organization: IT Department
Functional Description Controls, IT Organizational Controls, IT Vision, Mission and Values
Statements, IT Control Frameworks, Monitoring and Review Controls.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 1: Formal IT Steering Committee required, and
Audit Recommendation 2: Creation of a CIO Position required.
Other minor findings and recommendations are omitted to keep the report concise.
3.1.1. Title of area reviewed: IT Steering Committee
Audit Findings: IT Steering Committee duties, responsibilities and guidelines necessary for
managing the IT Function on a continuous and effective basis have not been adequately defined
by the board.
Audit Evaluation: This has resulted in approved corporate objectives going unfulfilled or being
extended far beyond their estimated schedules and budgets. The present informal IT Steering
Committee consists of senior executives and is not in a position to assume responsibilities at the
operational or strategic levels or to monitor accountability and IT results.
Audit Recommendation 1: Formal IT Steering Committee required (Priority High)
We recommend that duties and responsibilities of the IT Steering Committee should be clearly
defined in a formal charter and should include the review and approval for: Major changes in
hardware or software, the results of any IT project cost/benefit analysis, software application
development or acquisitions, IT project priorities, emergency procedures, contingency and
physical security plans, budgets and plans pertaining to the IT function, etc.
Management Response: Management will take this up with the board for a permanent solution
to be established.
Audit Recommendation 3: Job Descriptions need formalization (Priority Low)
We recommend that job descriptions for all IT positions should be established and
communicated to all IT staff. These job descriptions should be accepted and signed by both
corporate management and IT staff. Also these should be maintained throughout the employment
cycle of each IT employee.
Management Response: IT Management will look into this and take the proper actions with
support from the Human Resources Department.
3.2.2. Title of area reviewed: IT Vacation Policy
Audit Findings: The Organization does not have a mandatory vacation policy for IT personnel.
Audit Evaluation: Requiring employees in sensitive IT positions to take annual vacations is a
good control that reduces the risk of an employee undertaking and continuing a fraud scheme
and being able to conceal it over a long period of time.
Audit Recommendation 4: Vacation Policy needs to be made mandatory (Priority Low)
We recommend that consideration be given to the establishment of a vacation policy that would
require all IT employees to take their vacation within a calendar year (and preferably
consecutively). Exceptions should be approved by the CIO and the Senior Manager of Human
Resources and properly documented.
Management Response: IT Management with support from Human Resources will look into
this and take the proper actions.
3.2.3. Title of area reviewed: IT Training
Audit Findings: Based on the technologies currently in use by IT and on a review of the IT budget
(planned and actual expenditures) over the last year, IT employees have not been adequately trained
on current IT and communications technologies and issues.
Audit Evaluation: Adequate IT training may improve programming practices and therefore
result in fewer errors, reduced system implementation times resulting in reduced development
costs, and fewer operational and other labor costs.
Audit Recommendation 5: Training of IT personnel requires improvement (Priority Low)
We recommend that a formal IT training program be developed for each employee, which will
address methods and techniques required to improve the use of technologies for the organization
and bring the performance of the particular IT personnel in line with corporate strategic and
operational objectives.
Management Response: IT Management will look into this in relation to budget constraints and
take the proper actions.
Audit Recommendation 7: Formal IT Strategic Plan required (Priority High)
We recommend that the organization develop a written three to five year strategic IT plan that is
based on the organization’s long term corporate strategic or business plan. This plan should be a
working document that addresses such key issues as: hardware requirements, systems software
requirements, communications, application development, budgeting, emergency procedures and
contingency plans and review of relationships with outside IT vendors, etc.
Management Response: IT Management will look into this and take the proper actions.
*3.4. Systems Development Area: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s systems development policies, procedures and practices in designing, developing
and deploying information systems and services throughout the organization, including its
stakeholders.
The following types of systems development controls were reviewed during the audit process, to
ascertain both their use and potential effectiveness, at this organization: Application Development
Controls, IT Systems Testing Methodology, End User Application Development Controls, Audit
Trails, Software Package Controls, and System Development Quality Controls.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 8: Application Systems Development Standards required,
Audit Recommendation 9: Formal Application Testing Procedures required, and
Audit Recommendation 10: End User Documentation requires improvement.
Other minor findings and recommendations are omitted to keep the report concise.
3.4.1. Title of area reviewed: Application Systems Development
Audit Findings: We noted during our review that application system development standards
including documentation standards are informal and not ratified by the IT steering committee or
other senior executive body of the organization.
Audit Evaluation: The use of formalized application system development standards when
properly customized and implemented by the IT staff of the organization ensures, as much as
possible that: (a) Controls within each application system and program are suitably designed and
maintained, (b) development of application systems and related program changes satisfy
management objectives, (c) the implemented controls operate in accordance with specifications
of the internal corporate controls framework, (d) application systems and related program
changes are adequately tested, and (e) potential production errors are corrected before they
occur, etc.
Audit Recommendation 8: Application Systems Development Standards required (Priority
High)
Audit Recommendation 10: End User Documentation requires improvement (Priority
Medium)
We recommend that all end user application system manuals be brought up to date. Minimum
documentation and procedures necessary for an end user application system manual may include:
System narrative, applications system features and constraints, explanation of input fields,
samples of all screens and forms, end user related codes and formulas, report samples, report
descriptions defining field sources and calculations, balancing procedures, explanation of data
error messages, other controls, etc.
Management Response: IT Management will look into this and take the proper actions.
*3.5. IT Security Area: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s IT security policies, procedures and practices in designing, developing and
deploying information systems and services throughout the organization, including its
stakeholders.
The following types of IT security controls were reviewed during the audit process, to ascertain
both their use and potential effectiveness, at this organization: IT Security Governance
Guidelines, Standards, and Legal Frameworks, IT Security Plans, Policies and Procedures,
Personnel Security Management Controls, Specialized IT Technical Protection Controls, etc.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 11: Formal IT Security Policy and related Procedures required,
Audit Recommendation 12: Access Controls on production elements by IT personnel require
improvement, and
Audit Recommendation 13: Password Controls require improvement.
Other minor findings and recommendations are omitted to keep the report concise.
3.5.1. Title of area reviewed: IT Security
Audit Findings: The organization has not published an IT security policy for all of its
employees and managers which defines the responsibilities of all end users for maintaining the
confidentiality and integrity of all Company data. Neither management nor line staff are
required to sign a non-disclosure and confidentiality statement on joining the company and every
year thereafter which defines their duties toward the Company, the data maintained and other
security considerations. Moreover, procedures have not been documented for the IT security issues
(such as password administration) that the security policy would have to identify.
Audit Evaluation: Without formal IT security standards, a policy and related procedures,
management and employees of the organization do not have clear guidelines and instructions as
to what to do in IT security matters.
established to guide or enforce users to monitor password changes and in fact change their
passwords regularly.
Audit Evaluation: Not monitoring passwords and not changing them regularly makes fraudulent acts,
data abuse, information processing errors, and intrusion by unauthorized internal and external
parties easier to achieve.
Audit Recommendation 13: Password Controls require improvement (Priority High)
We recommend that IT management craft and implement a policy and related procedures to
enforce changing all user passwords (end user, IT) on a regular basis and when personnel
terminations occur or employees change job duties and responsibilities.
Management Response: IT Management will look into this and take the proper actions.
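The three conditions in Recommendation 13 (periodic change, change on termination, change on a change of duties) can be tested against an account inventory rather than only stated in policy. The Python script below is an added example and is not part of the report or the book; the account records, the review date, the 90-day limit and the mapping of each condition onto the report's High/Medium priorities are assumptions made for illustration.

```python
from datetime import date

# Constructed account inventory, as an auditor might reconcile it from the
# directory and HR records. Users, dates and statuses are hypothetical.
ACCOUNTS = [
    {"user": "alice", "group": "end user", "enabled": True, "status": "active",
     "last_pw_change": date(2024, 1, 10), "last_role_change": None},
    {"user": "bob", "group": "IT", "enabled": True, "status": "active",
     "last_pw_change": date(2023, 6, 1), "last_role_change": date(2024, 2, 1)},
    {"user": "carol", "group": "IT", "enabled": True, "status": "terminated",
     "last_pw_change": date(2024, 3, 1), "last_role_change": None},
    {"user": "dave", "group": "end user", "enabled": False, "status": "terminated",
     "last_pw_change": date(2023, 1, 1), "last_role_change": None},
]

# Assumed review date and maximum password age; the report sets neither.
AS_OF = date(2024, 4, 1)
MAX_AGE_DAYS = 90


def check_password_controls(accounts, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Test every account against the conditions in Recommendation 13 and
    return the exceptions, tagged with the report's High/Medium/Low scheme."""
    findings = []
    for acct in accounts:
        user, last_change = acct["user"], acct["last_pw_change"]

        if acct["status"] == "terminated":
            # A leaver's credentials must be revoked. An enabled account is the
            # finding on its own; password age is irrelevant for a disabled one.
            if acct["enabled"]:
                findings.append({"user": user, "priority": "High",
                                 "issue": "terminated but account still enabled"})
            continue

        # Credentials should be reset when duties change, so a role change more
        # recent than the last password change is a control gap.
        role_change = acct["last_role_change"]
        if role_change is not None and role_change > last_change:
            findings.append({"user": user, "priority": "High",
                             "issue": f"role changed on {role_change} with no password change since"})

        # Calendar-based rotation, as the report recommends.
        age_days = (as_of - last_change).days
        if age_days > max_age_days:
            findings.append({"user": user, "priority": "Medium",
                             "issue": f"password is {age_days} days old (limit {max_age_days})"})
    return findings


def accounts_without_findings(accounts, findings):
    """Users that passed every check, for the 'tested, no exception' column."""
    flagged = {f["user"] for f in findings}
    return sorted(a["user"] for a in accounts if a["user"] not in flagged)


if __name__ == "__main__":
    found = check_password_controls(ACCOUNTS)
    for f in found:
        print(f"[{f['priority']}] {f['user']}: {f['issue']}")
    print("no exceptions:", accounts_without_findings(ACCOUNTS, found))
```

Run as-is, the script lists the exceptions for the constructed inventory; in practice the inventory would come from a directory export reconciled with HR leaver and transfer records. The event-driven checks are weighted High because current guidance (NIST SP 800-63B) puts more value on changing credentials when a person leaves, changes duties or is suspected of compromise than on calendar-based rotation, which the report lists as well.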
*3.6. Data Center Operations: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s data center operational and support policies, procedures and practices in
designing, developing and deploying information systems and services throughout the
organization, including its stakeholders.
The following types of data center operational and support controls were reviewed during the
audit process, to ascertain both their use and potential effectiveness, at this organization: Data
Centre Design and Infrastructural Controls, Data Centre Physical Access Controls, Computer
Hardware Management Controls, IT Contingency Planning and Disaster Recovery Controls, etc.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 14: Computer Room Access Controls require improvement,
Audit Recommendation 15: Safe Off-Site Storage for Backups required, and
Audit Recommendation 16: IT Contingency and Disaster Recovery Plan required.
Other minor findings and recommendations are omitted to keep the report concise.
3.6.1. Title of area reviewed: Computer Room Access
Audit Findings: During our review, we noted that all employees of the organization, whether
users of the information systems or not, entered the computer room using their employee
access card, without any further control. External maintenance personnel and other visitors also
entered the computer room simply by calling the operators or knocking on the computer room
door.
Audit Evaluation: Almost unrestricted access to the computer room is likely to result in damage,
loss, theft or misallocation of hardware, reports, digital media, tape files, documentation,
consumables, pre-printed forms (such as invoices, checks, etc.), etc.
Audit Recommendation 14: Computer Room Access Controls require improvement
(Priority High)
procedures for damage assessment,
plan activation procedures,
notification procedures,
emergency recovery team roles and responsibilities,
insurance coverage,
written vendor agreements to provide backup processing facilities,
off-site storage procedures,
backup procedures and data recovery procedures,
vendor contact list,
inventory of forms, etc.,
testing procedures, and
plan maintenance responsibilities, etc.
Management Response: IT Management will look into this and take the proper actions.
*3.7. Personal Computers: Audit Findings and Recommendations
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 17: Personal Computers Policies and Procedures required.
Other minor findings and recommendations are omitted to keep the report concise.
3.7.1. Title of area reviewed: Personal Computers Environment
Audit Findings: During our review we noted that the organization is increasingly using personal
computers in almost all business areas. End users develop various spreadsheet applications and
use them widely, without any control what-so-ever. Also no written policies and procedures have
been developed for controlling personal computers and the development and use of spreadsheet
applications by end users.
Audit Evaluation: Comprehensive policies and procedures for the use of personal computers
and the development of spreadsheet applications by end users will bring this environment under
better control and make it more likely that data entered into these applications produces
accurate results.
Audit Recommendation 17: Personal Computers Policies and Procedures required
(Priority Medium)
We recommend that the organization develop formal policies and procedures for the control of
personal computers and the development of end user applications.
Management Response: IT Management will look into this and take the proper actions.
*3.9. IT Applications Operation: Audit Findings and Recommendations
The area of IT Applications Operation is not within the agreed scope of this IT audit, and
therefore, no full review was conducted of the relevant controls related to operating
computerized applications in the data center of the organization at the time of this audit.
However, we noted the following for which we make the corresponding recommendations.
3.9.1. Title of area reviewed: Forms Control
Audit Findings: We noted during our review that critical forms, such as: invoices, accounts
payable checks, purchase orders, etc., are not properly controlled (e.g., are not stored in locked
area, they are released with no authorization, etc.).
Audit Evaluation: The risk that a potential fraud will go unnoticed is very great. Also the risk
that critical business activities will be delayed is quite apparent.
Audit Recommendation 19: Critical Forms require improved control (Priority High)
We recommend that all critical forms be placed under the control of an authorized manager and
released only to authorized personnel.
Management Response: IT management will take appropriate actions to remedy this situation.
3.9.2. Title of area reviewed: Logs Control
Audit Findings: We noted during our review that the various computer operations logs are not
examined by the relevant computer manager, responsible for the jobs running in the data center.
Audit Evaluation: By reviewing computer operations logs on a regular basis, problems or
unauthorized use of application systems, files and utilities can be detected.
Audit Recommendation 20: Review of Logs may assist in problem solutions (Priority Low)
We recommend that the company computer operations manager regularly review all applications
logs to identify possible production problems and potential breaches of security.
Management Response: IT management will take appropriate actions to remedy this situation.
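Recommendation 20 says what the operations manager should look for (production problems, unauthorized use of systems, files and utilities) but not how a regular review turns log lines into findings. The Python below is an added example, not from the report; the log format, the user names, the operator list, the utility names and the change window are all constructed for illustration, and the priorities follow the report's High/Medium/Low scheme.

```python
import re
from datetime import datetime, time

# Constructed sample of a data-center operations log (hypothetical format and
# names; not from the report).
SAMPLE_LOG = """\
2024-04-01 01:05:12 user=opr1 job=NIGHTLY_BACKUP status=OK
2024-04-01 01:40:30 user=opr1 job=GL_POST status=FAILED rc=8
2024-04-01 02:13:05 user=bob util=FILEPATCH target=AP_CHECKS.DAT status=OK
2024-04-01 09:15:00 user=opr2 job=INVOICE_PRINT status=OK
2024-04-01 22:47:41 user=guest job=AR_EXTRACT status=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"(?P<kind>job|util)=(?P<name>\S+)(?P<rest>.*)$"
)

# Reference data the reviewer holds independently of the log (hypothetical).
AUTHORIZED_OPERATORS = {"opr1", "opr2"}
PRIVILEGED_UTILITIES = {"FILEPATCH", "DBEDIT", "SUPERZAP"}
CHANGE_WINDOW = (time(8, 0), time(18, 0))  # when direct file edits are expected


def review_operations_log(text):
    """Return a list of findings, each tagged with the report's priority scheme."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # A line the reviewer cannot read is itself worth a look.
            findings.append({"line": line, "issue": "unparseable log line", "priority": "Low"})
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, kind, name, rest = m["user"], m["kind"], m["name"], m["rest"]
        status = re.search(r"status=(\S+)", rest)

        # Production problem: any job or utility run that did not end with status=OK.
        if status and status.group(1) != "OK":
            findings.append({"line": line, "priority": "Medium",
                             "issue": f"{kind} {name} ended with status {status.group(1)}"})

        # Potential security breach: activity by someone not on the operator list.
        if user not in AUTHORIZED_OPERATORS:
            findings.append({"line": line, "priority": "High",
                             "issue": f"{user} is not an authorized operator"})

        # Direct file/data manipulation utilities bypass application controls;
        # flag every use, and say whether it fell inside the change window.
        if kind == "util" and name in PRIVILEGED_UTILITIES:
            in_window = CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]
            when = "within" if in_window else "outside"
            findings.append({"line": line, "priority": "High",
                             "issue": f"privileged utility {name} used {when} change window"})
    return findings


def summarize(findings):
    """Count findings per priority, for the summary section of the report."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f["priority"]] += 1
    return counts


if __name__ == "__main__":
    found = review_operations_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f['priority']}] {f['issue']}  <- {f['line']}")
    print(summarize(found))
```

On the constructed log this yields one failed posting job, two runs by users who are not operators, and one after-hours use of a file-patching utility; the same loop, pointed at the real scheduler or console log and the real operator roster, is the routine review the recommendation asks for.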