SlideShare une entreprise Scribd logo
1  sur  13
Audit Report:
Model and
Sample

JOHN KYRIAZOGLOU
First published in July 2013
Summary of Contents
This book, ‘Audit Report: Model and Sample’, contains a model of an audit report and a real
sample from an IT Audit assignment (data of client not disclosed for privacy and confidentiality
issues).
This has been used effectively in various types of internal and external audit assignments as well
as consulting assignments, especially in reviewing internal controls for all types of companies.
These types of audit include:
(1) Financial Auditing (also called ‘statutory auditing’), which involves reviewing the adequacy
of internal accounting controls of the organization in terms of accuracy, completeness and
validity of financial information, financial reports and of the underlying accounting systems and
records,
(2) Operational (Performance) Auditing, which includes reviewing the strategic and
operational performance of the whole organization or specific business processes or departments,
focusing on the efficiency and effectiveness of these processes and the associated management
controls,
(3) Compliance Auditing, which relates to reviews of compliance or conformity of the
organization with relevant legislation, regulations, standards, internal policies and guidelines,
and
(4) IT Systems Auditing, which pertains to reviews of effectiveness, accuracy and efficiency of
IT general (e.g., IT organization, administration, security, etc.) controls as well as the IT
application controls (e.g. accuracy of data and transactions processed and maintained of specific
corporate computerized application systems) related to information technology and
telecommunications systems, facilities and projects of the organization.
Other types of audits are: Follow-up audits, Investigating audits, Integrated audits, Quality
audits, ISO audits, Tax audits, IT Security audits, Continuous audits, Due Diligence Process
audits, etc.
The work of all these audits is carried out by Internal and External Auditors and Management
Consultants on the basis of an audit or evaluation strategy, a plan, and a methodology with
specific audit objectives, and with the assistance of audit programs, audit checklists, test
computerized application systems, and computer assisted audit tools and techniques, like
CAATTs, etc.
The objective of this book is to provide any business owner, company director, senior manager,
auditor, other stakeholder, etc., with a useful set of practical tools to assist and support them in
their business performance management system audit and implementation, using any
performance model (BSC, EFQM, Six Sigma, etc.).
Reference Number:

EXECUTIVE SUMMARY
1. Introduction

2. Objectives

3. Scope

4. Opinion

Issued:
5.5

Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.6

Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.7

Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.8

Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response
5.13

Enter title of area reviewed or Risk

Recommendation
Rationale
Management Response

5.14

Enter title of area reviewed or Risk

Recommendation
Rationale
Management Response

5.15

Enter title of area reviewed or Risk

Recommendation
Rationale
Management Response

5.16

Enter title of area reviewed or Risk

Recommendation
Rationale
Management Response
IT Audit Report for Company ‘ABCXZ’ (a fictitious entity)
This report is based on the Audit Report Model described previously in this book.
1. Scope of IT Audit Coverage
During this IT audit, as per the Internal Audit Annual Plan and further to the agreement with the
Audit Committee, we reviewed and evaluated the controls of the following areas of IT activities
of Company ‘ABCXYZ’ (a fictitious private business entity or public organization).
These areas are:
(a) IT Organization,
(b) IT Administration,
(c) IT Strategy,
(d) Systems Development,
(e) IT Security,
(f) Data Center Operational and Support Services, and
(g) Systems Software.
The area of Enterprise Architecture and operating specific IT Applications in the data center or
in end user personal computers will not be examined. Also testing in a test environment with real
or ‘dummy’ transactions, scanning the facility for eavesdropping devices, and security
penetration testing will not be undertaken.
The audit findings and recommendations per area audited, both in summary and in detail form,
are presented next.
2. Summary of Audit Findings and Recommendations
Our recommendations according to an audit priority scheme are presented next.
‘High’ priority means that these recommendations should be considered first for
implementation, because their impact level is deemed to be of the highest importance to the
specific IT operations.
‘Medium’ priority denotes that these may be examined for implementation next, as their impact
level may be important, but not as important as the impact level of ‘High’ priority
recommendations.
Finally ‘Low’ priority ones, does not mean that these should be disregarded all-together, but
may be implemented, as the last step.
IT management and other corporate officers (e.g., CEO, Compliance Officer, Risk Officer, Chief
Finance Officer, etc.) may change this priority, should they wish. The important thing here is to
set priorities and do what is right to rectify and improve the situation.
3. Analysis of Detail Audit Findings and Recommendations
The detail audit findings and recommendations are presented next, by IT area audited.
The IT areas audited are: IT Organization, IT Administration, IT Strategy, Systems
Development, Data Center Operations, Personal Computers, and Systems Software.

*3.1. IT Organization Area: Audit Findings and Recommendations
The IT audit objectives for auditing the area of IT Organization were to determine the quality
and effectiveness of the organization’s management of information technology.
The following types of IT Organization controls were reviewed during the audit process, to
ascertain both their use and potential effectiveness, at this organization: IT Department
Functional Description Controls, IT Organizational Controls, IT Vision, Mission and Values
Statements, IT Control Frameworks, Monitoring and Review Controls.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 1: Formal IT Steering Committee required, and
Audit Recommendation 2: Creation of a CIO Position required.
Other minor findings and recommendations are not included to make report easier.
3.1.1. Title of area reviewed: IT Steering Committee
Audit Findings: IT Steering Committee duties, responsibilities and guidelines necessary for
managing the IT Function on a continuous and effective basis have not been adequately defined
by the board.
Audit Evaluation: This has resulted in approved corporate objectives going unfulfilled or
extending them far beyond estimated schedules and budgets. The present informal IT Steering
Committee consists of senior executives and is not in a position to assume responsibilities at the
operational or strategic levels or monitor accountability and IT results.
Audit Recommendation 1: Formal IT Steering Committee required (Priority High)
We recommend that duties and responsibilities of the IT Steering Committee should be clearly
defined in a formal charter and should include the review and approval for: Major changes in
hardware or software, the results of any IT project cost/benefit analysis, software application
development or acquisitions, IT project priorities, emergency procedures, contingency and
physical security plans, budgets and plans pertaining to the IT function, etc.
Management Response: Management will take this up with the board for a permanent solution
to be established.
Audit Recommendation 3: Job Descriptions need formalization (Priority Low)
We recommend that job descriptions for all IT positions should be established and
communicated to all IT staff. These job descriptions should be accepted and signed by both
corporate management and IT staff. Also these should be maintained throughout the employment
cycle of each IT employee.
Management Response: IT Management will look into this and take the proper actions with
support from the Human Resources Department.
3.2.2. Title of area reviewed: IT Vacation Policy
Audit Findings: The Organization does not have a mandatory vacation policy for IT personnel.
Audit Evaluation: Requiring employees in sensitive IT positions to take annual vacations is a
good control that reduces the risk of an employee undertaking and continuing a fraud scheme
and being able to conceal it over a long period of time.
Audit Recommendation 4: Vacation Policy needs to be made mandatory (Priority Low)
We recommend that consideration be given to the establishment of a vacation policy that would
require all IT employees to take their vacation within a calendar year (and preferably
consecutively). Exceptions should be approved by the CIO and the Senior Manager of Human
Resources and properly documented.
Management Response: IT Management with support from Human Resources will look into
this and take the proper actions.

3.2.3. Title of area reviewed: IT Training
Audit Findings: IT employees have not been adequately trained on the latest IT and
Communications issues on the basis of what technologies are currently used by IT and upon
reviewing the IT budget (planned and actual expenditures) over the last year.
Audit Evaluation: Adequate IT training may improve programming practices and therefore
result in fewer errors, reduced system implementation times resulting in reduced development
costs, and fewer operational and other labor costs.
Audit Recommendation 5: Training of IT personnel requires improvement (Priority Low)
We recommend that a formal IT training program be developed for each employee, which will
address methods and techniques required to improve the use of technologies for the organization
and bring the performance of the particular IT personnel in line with corporate strategic and
operational objectives.
Management Response: IT Management will look into this in relation to budget constraints and
take the proper actions.
Audit Recommendation 7: Formal IT Strategic Plan required (Priority High)
We recommend that the organization develop a written three to five year strategic IT plan that is
based on the organization’s long term corporate strategic or business plan. This plan should be a
working document that addresses such key issues as: hardware requirements, systems software
requirements, communications, application development, budgeting, emergency procedures and
contingency plans and review of relationships with outside IT vendors, etc.
Management Response: IT Management will look into this and take the proper actions.

*3.4. Systems Development Area: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s systems development policies, procedures and practices in designing, developing
and deploying information systems and services throughout the organization, including its
stakeholders.
The following types of IT strategic controls were reviewed during the audit process, to ascertain
both their use and potential effectiveness, at this organization: Application Development
Controls, IT Systems Testing Methodology, End User Application Development Controls, Audit
Trails, Software Package Controls, and System Development Quality Controls.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 8: Application Systems Development Standards required,
Audit Recommendation 9: Formal Application Testing Procedures required, and
Audit Recommendation 10: End User Documentation requires improvement.
Other minor findings and recommendations are not included to make report easier.
3.4.1. Title of area reviewed: Application Systems Development
Audit Findings: We noted during our review that application system development standards
including documentation standards are informal and not ratified by the IT steering committee or
other senior executive body of the organization.
Audit Evaluation: The use of formalized application system development standards when
properly customized and implemented by the IT staff of the organization ensures, as much as
possible that: (a) Controls within each application system and program are suitably designed and
maintained, (b) development of application systems and related program changes satisfy
management objectives, (c) the implemented controls operate in accordance with specifications
of the internal corporate controls framework, (d) application systems and related program
changes are adequately tested, and (e) potential production errors are corrected before they
occur, etc.
Audit Recommendation 8: Application Systems Development Standards required (Priority
High)
Audit Recommendation 10: End User Documentation requires improvement (Priority
Medium)
We recommend that all end user application system manuals be brought up to date. Minimum
documentation and procedures necessary for an end user application system manual may include:
System narrative, applications system features and constraints, explanation of input fields,
samples of all screens and forms, end user related codes and formulas, report samples, report
descriptions defining field sources and calculations, balancing procedures, explanation of data
error messages, other controls, etc.
Management Response: IT Management will look into this and take the proper actions.

*3.5. IT Security Area: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s IT security policies, procedures and practices in designing, developing and
deploying information systems and services throughout the organization, including its
stakeholders.
The following types of IT security controls were reviewed during the audit process, to ascertain
both their use and potential effectiveness, at this organization: IT Security Governance
Guidelines, Standards, and Legal Frameworks, IT Security Plans, Policies and Procedures,
Personnel Security Management Controls, Specialized IT Technical Protection Controls, etc.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 11: Formal IT Security Policy and related Procedures required,
Audit Recommendation 12: Access Controls on production elements by IT personnel require
improvement, and
Audit Recommendation 13: Password Controls require improvement.
Other minor findings and recommendations are not included to make report easier.
3.5.1. Title of area reviewed: IT Security
Audit Findings: The organization has not published an IT security policy for all of its
employees and managers which defines the responsibilities of all end users for maintaining the
confidentiality and integrity of all Company data. Also both management and line staff are not
required to sign a non-disclosure and confidentiality statement at the point of joining the
company and every year thereafter which defines their duties toward the Company, the data
maintained and other security considerations. Moreover, procedures have also not been
documented regarding all IT security issues (like password administration, etc.) which would
have to be identified in the security policy.
Audit Evaluation: Without formal IT security standards, a policy and related procedures,
management and employees of the organization do not have clear guidelines and instructions as
to what to do in IT security matters.
established to guide or enforce users to monitor password changes and in fact change their
passwords regularly.
Audit Evaluation: The practice of not monitoring and not changing passwords regularly may
allow the initiation of fraudulent acts, data abuse and information processing errors, and
intrusion by unauthorized internal and external parties easier to achieve.
Audit Recommendation 13: Password Controls require improvement (Priority High)
We recommend that IT management craft and implement a policy and related procedures to
enforce changing all user passwords (end user, IT) on a regular basis and when personnel
terminations occur or employees change job duties and responsibilities.
Management Response: IT Management will look into this and take the proper actions.

*3. 6. Data Center Operations: Audit Findings and Recommendations
The IT audit objectives of this area were to determine the quality and effectiveness of the
organization’s data center operational and support policies, procedures and practices in
designing, developing and deploying information systems and services throughout the
organization, including its stakeholders.
The following types of data center operational and support controls were reviewed during the
audit process, to ascertain both their use and potential effectiveness, at this organization: Data
Centre Design and Infrastructural Controls, Data Centre Physical Access Controls, Computer
Hardware Management Controls, IT Contingency Planning and Disaster Recovery Controls, etc.
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 14: Computer Room Access Controls require improvement,
Audit Recommendation 15: Safe Off-Site Storage for Backups required, and
Audit Recommendation 16: IT Contingency and Disaster Recovery Plan required.
Other minor findings and recommendations are not included to make report easier.
3.6.1. Title of area reviewed: Computer Room Access
Audit Findings: During our review, we noted that all employees of the organization, whether
users of the information systems or not, entered the computer room by the use of their employee
access card, without any controls whatsoever. Also external maintenance personnel and other
visitors, entered this computer room, just by calling the operators, or knocking on the computer
door.
Audit Evaluation: Almost free access to the computer room is prone to result in damage or loss
or theft or misallocation to hardware, reports, digital media, tape files, documentation,
consumables, pre-printed forms (such as invoices, checks, etc.), etc.
Audit Recommendation 14: Computer Room Access Controls require improvement
(Priority High)
procedures for damage assessment,
plan activation procedures,
notification procedures,
emergency recovery teams roles and responsibilities,
insurance coverage,
written vendor agreements to provide,
backup processing facilities,
off-site storage procedure,
backup procedures and data recovery procedures,
vendor contact list,
inventory of forms, etc.,
testing procedures, and
plan maintenance responsibilities, etc.
Management Response: IT Management will look into this and take the proper actions.

*3.7. Personal Computers: Audit Findings and Recommendations
The following audit findings and recommendations for resolving these findings are included in
this part of the report:
Audit Recommendation 17: Personal Computers Policies and Procedures required.
Other minor findings and recommendations are not included to make report easier.
3.7.1. Title of area reviewed: Personal Computers Environment
Audit Findings: During our review we noted that the organization is increasingly using personal
computers in almost all business areas. End users develop various spreadsheet applications and
use them widely, without any control what-so-ever. Also no written policies and procedures have
been developed for controlling personal computers and the development and use of spreadsheet
applications by end users.
Audit Evaluation: Comprehensive policies and procedures for the use of personal computers
and the development of spreadsheet applications by end users will ensure that the environment
will be controlled better. Also that data entered into these applications will likely produce more
accurate results.
Audit Recommendation 17: Personal Computers Policies and Procedures required
(Priority Medium)
We recommend that the organization develops formal policies and procedures for the control
personal computers and the development of end user applications.
Management Response: IT Management will look into this and take the proper actions.
*3.9. IT Applications Operation: Audit Findings and Recommendations
The area of IT Applications Operation is not within the agreed scope of this IT audit, and
therefore, no full review was conducted of the relevant controls related to operating
computerized applications in the data center of the organization at the time of this audit.
However, we noted the following for which we make the corresponding recommendations.
3.9.1. Title of area reviewed: Forms Control
Audit Findings: We noted during our review that critical forms, such as: invoices, accounts
payable checks, purchase orders, etc., are not properly controlled (e.g., are not stored in locked
area, they are released with no authorization, etc.).
Audit Evaluation: The risk that a potential fraud will go unnoticed is very great. Also the risk
that critical business activities will be delayed is quite apparent.
Audit Recommendation 19: Critical Forms require improved control (Priority High)
We recommend that all critical forms should be under the control of an authorized manager, and
should only be release to authorized personnel only.
Management Response: IT management will take appropriate actions to remedy this situation.
3.9.2. Title of area reviewed: Logs Control
Audit Findings: We noted during our review that the various computer operations logs are not
examined by the relevant computer manager, responsible for the jobs running in the data center.
Audit Evaluation: By reviewing computer operations logs on a regular basis, problems or
unauthorized use of application systems, files and utilities can be detected.
Audit Recommendation 20: Review of Logs may assist in problem solutions (Priority Low)
We recommend that the company computer operations manager regularly review all applications
logs to identify possible production problems and potential breaches of security.
Management Response: IT management will take appropriate actions to remedy this situation.

Contenu connexe

Tendances

Internal audit manual template
Internal audit manual templateInternal audit manual template
Internal audit manual templateCenapSerdarolu
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit MethodologyManoj Agarwal
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Hendri Eka Saputra
 
Audit Process: How to Successfully Plan Audit
Audit Process: How to Successfully Plan Audit Audit Process: How to Successfully Plan Audit
Audit Process: How to Successfully Plan Audit complianceonline123
 
Internal Audit Methodology.docx
Internal Audit Methodology.docxInternal Audit Methodology.docx
Internal Audit Methodology.docxAminAbdullah26
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk ManagementEC-Council
 
Internal Control
Internal ControlInternal Control
Internal ControlSalih Islam
 
The Role of Internal Audit
The Role of Internal AuditThe Role of Internal Audit
The Role of Internal AuditArmeniaFED
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing PresentationVernon Benjamin
 
Internal Process Audit
Internal Process AuditInternal Process Audit
Internal Process Auditintellisenseit
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
INTERNAL CONTROLS & INTERNAL AUDIT.ppt
INTERNAL CONTROLS & INTERNAL AUDIT.pptINTERNAL CONTROLS & INTERNAL AUDIT.ppt
INTERNAL CONTROLS & INTERNAL AUDIT.pptGoharSaeed6
 
Basic internal auditing
Basic internal auditingBasic internal auditing
Basic internal auditingKhalid Aziz
 
Checklist internal audit
Checklist internal auditChecklist internal audit
Checklist internal auditAli Khardani
 

Tendances (20)

Internal audit manual template
Internal audit manual templateInternal audit manual template
Internal audit manual template
 
Internal Audit Methodology
Internal Audit MethodologyInternal Audit Methodology
Internal Audit Methodology
 
Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)Control and audit of information System (hendri eka saputra)
Control and audit of information System (hendri eka saputra)
 
Internal audit ppt
Internal audit pptInternal audit ppt
Internal audit ppt
 
Audit Process: How to Successfully Plan Audit
Audit Process: How to Successfully Plan Audit Audit Process: How to Successfully Plan Audit
Audit Process: How to Successfully Plan Audit
 
Presentation on Audit Findings
Presentation on Audit FindingsPresentation on Audit Findings
Presentation on Audit Findings
 
Internal Audit Methodology.docx
Internal Audit Methodology.docxInternal Audit Methodology.docx
Internal Audit Methodology.docx
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
 
Internal Control
Internal ControlInternal Control
Internal Control
 
Audit & compliance
Audit & complianceAudit & compliance
Audit & compliance
 
The Role of Internal Audit
The Role of Internal AuditThe Role of Internal Audit
The Role of Internal Audit
 
Basic Internal Auditing Presentation
Basic Internal Auditing PresentationBasic Internal Auditing Presentation
Basic Internal Auditing Presentation
 
Internal Process Audit
Internal Process AuditInternal Process Audit
Internal Process Audit
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Audit ratings guide
Audit ratings guideAudit ratings guide
Audit ratings guide
 
INTERNAL CONTROLS & INTERNAL AUDIT.ppt
INTERNAL CONTROLS & INTERNAL AUDIT.pptINTERNAL CONTROLS & INTERNAL AUDIT.ppt
INTERNAL CONTROLS & INTERNAL AUDIT.ppt
 
Internal Audit Manual
Internal Audit ManualInternal Audit Manual
Internal Audit Manual
 
Internal audit
Internal auditInternal audit
Internal audit
 
Basic internal auditing
Basic internal auditingBasic internal auditing
Basic internal auditing
 
Checklist internal audit
Checklist internal auditChecklist internal audit
Checklist internal audit
 

En vedette

TPM FACTORY AUDIT
TPM FACTORY AUDITTPM FACTORY AUDIT
TPM FACTORY AUDITSubang Jaya
 
Glidein Factory Operations
Glidein Factory OperationsGlidein Factory Operations
Glidein Factory OperationsIgor Sfiligoi
 
Factory compliance check_list_163
Factory compliance check_list_163Factory compliance check_list_163
Factory compliance check_list_163CMDubey
 
AccuInspection introduction 07 2012
AccuInspection introduction 07 2012AccuInspection introduction 07 2012
AccuInspection introduction 07 2012AccuInspection
 
Internal audit checklist process purchasing category exicise
Internal audit checklist process purchasing category exiciseInternal audit checklist process purchasing category exicise
Internal audit checklist process purchasing category exiciseSiddharth KADAKIA
 
2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls FactoryNathan Anderson
 
Internal Audit of Manufacturing Companies
Internal Audit of Manufacturing CompaniesInternal Audit of Manufacturing Companies
Internal Audit of Manufacturing Companiesvikas_k
 
Internal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeInternal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeDJones68
 
Auditing (Introduction to Auditing)
Auditing (Introduction to Auditing) Auditing (Introduction to Auditing)
Auditing (Introduction to Auditing) Noorulhadi Qureshi
 
Factory overhead slides
Factory overhead slidesFactory overhead slides
Factory overhead slideslililalalala
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writingNeha Kothari
 
Audit Process, Audit Procedures, Audit Planning, Auditing
Audit Process, Audit Procedures, Audit Planning, AuditingAudit Process, Audit Procedures, Audit Planning, Auditing
Audit Process, Audit Procedures, Audit Planning, AuditingAdvance Business Consulting
 
Introduction to auditing
Introduction to auditingIntroduction to auditing
Introduction to auditingWINNERbd.it
 

En vedette (15)

TPM FACTORY AUDIT
TPM FACTORY AUDITTPM FACTORY AUDIT
TPM FACTORY AUDIT
 
Glidein Factory Operations
Glidein Factory OperationsGlidein Factory Operations
Glidein Factory Operations
 
TARGET Factory Audit
TARGET Factory AuditTARGET Factory Audit
TARGET Factory Audit
 
Factory compliance check_list_163
Factory compliance check_list_163Factory compliance check_list_163
Factory compliance check_list_163
 
AccuInspection introduction 07 2012
AccuInspection introduction 07 2012AccuInspection introduction 07 2012
AccuInspection introduction 07 2012
 
Internal audit checklist process purchasing category exicise
Internal audit checklist process purchasing category exiciseInternal audit checklist process purchasing category exicise
Internal audit checklist process purchasing category exicise
 
2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory
 
Sample Audit Report
Sample Audit ReportSample Audit Report
Sample Audit Report
 
Internal Audit of Manufacturing Companies
Internal Audit of Manufacturing CompaniesInternal Audit of Manufacturing Companies
Internal Audit of Manufacturing Companies
 
Internal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeInternal Audit Report Writing Best Practice
Internal Audit Report Writing Best Practice
 
Auditing (Introduction to Auditing)
Auditing (Introduction to Auditing) Auditing (Introduction to Auditing)
Auditing (Introduction to Auditing)
 
Factory overhead slides
Factory overhead slidesFactory overhead slides
Factory overhead slides
 
Internal audit report writing
Internal audit report writingInternal audit report writing
Internal audit report writing
 
Audit Process, Audit Procedures, Audit Planning, Auditing
Audit Process, Audit Procedures, Audit Planning, AuditingAudit Process, Audit Procedures, Audit Planning, Auditing
Audit Process, Audit Procedures, Audit Planning, Auditing
 
Introduction to auditing
Introduction to auditingIntroduction to auditing
Introduction to auditing
 

Similaire à Audit Report Model and Sample

Strategic evaluation & control
Strategic evaluation & controlStrategic evaluation & control
Strategic evaluation & controlNARENDRA KUMAR
 
Techniques of Strategic Evaluation & Strategic
Techniques of Strategic Evaluation & Strategic Techniques of Strategic Evaluation & Strategic
Techniques of Strategic Evaluation & Strategic Manik Kudyar
 
It management audits it management templates
It management audits   it management templatesIt management audits   it management templates
It management audits it management templatesIT-Toolkits.org
 
For model i 4a - 11 - risk assessment in the internal audit department
For model  i   4a - 11 - risk assessment in the internal audit departmentFor model  i   4a - 11 - risk assessment in the internal audit department
For model i 4a - 11 - risk assessment in the internal audit departmentRajeswaran Muthu Venkatachalam
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxjeffsrosalyn
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Developmentessbaih
 
IT-Governance.pptx
IT-Governance.pptxIT-Governance.pptx
IT-Governance.pptxJayLloyd8
 
Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Bandri Nikhil
 
Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Bandri Nikhil
 
WLS Services Brochure March 2013
WLS Services Brochure March 2013WLS Services Brochure March 2013
WLS Services Brochure March 2013Mike Wright
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAHTommy Seah
 
Strategic evaluation control
Strategic evaluation controlStrategic evaluation control
Strategic evaluation controlshubhagyaldh
 
Strategic evaluation & control
Strategic evaluation & controlStrategic evaluation & control
Strategic evaluation & controlBandri Nikhil
 
Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013Matthew Green
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007David Cunningham
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3aGene Kim
 

Similaire à Audit Report Model and Sample (20)

Strategic evaluation & control
Strategic evaluation & controlStrategic evaluation & control
Strategic evaluation & control
 
Techniques of Strategic Evaluation & Strategic
Techniques of Strategic Evaluation & Strategic Techniques of Strategic Evaluation & Strategic
Techniques of Strategic Evaluation & Strategic
 
It management audits it management templates
It management audits   it management templatesIt management audits   it management templates
It management audits it management templates
 
For model i 4a - 11 - risk assessment in the internal audit department
For model  i   4a - 11 - risk assessment in the internal audit departmentFor model  i   4a - 11 - risk assessment in the internal audit department
For model i 4a - 11 - risk assessment in the internal audit department
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
 
Auditing Systems Development
Auditing Systems DevelopmentAuditing Systems Development
Auditing Systems Development
 
IT-Governance.pptx
IT-Governance.pptxIT-Governance.pptx
IT-Governance.pptx
 
Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01
 
Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01Strategicevaluationcontrol 150402015327-conversion-gate01
Strategicevaluationcontrol 150402015327-conversion-gate01
 
Module18
Module18Module18
Module18
 
WLS Services Brochure March 2013
WLS Services Brochure March 2013WLS Services Brochure March 2013
WLS Services Brochure March 2013
 
SEATA by TOMMY SEAH
SEATA by TOMMY SEAHSEATA by TOMMY SEAH
SEATA by TOMMY SEAH
 
It governance
It governanceIt governance
It governance
 
Strategic evaluation control
Strategic evaluation controlStrategic evaluation control
Strategic evaluation control
 
Strategic evaluation & control
Strategic evaluation & controlStrategic evaluation & control
Strategic evaluation & control
 
Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013
 
It Audit
It AuditIt Audit
It Audit
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007
 
3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a3 2006 06 cs6 4 gait principles v3a
3 2006 06 cs6 4 gait principles v3a
 
The Internal Audit Framework
The Internal Audit FrameworkThe Internal Audit Framework
The Internal Audit Framework
 

Plus de Flevy.com Best Practices

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdfFlevy.com Best Practices
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success FactorsFlevy.com Best Practices
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement ScorecardFlevy.com Best Practices
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce DigitizationFlevy.com Best Practices
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of CompetitionFlevy.com Best Practices
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...Flevy.com Best Practices
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines ModelFlevy.com Best Practices
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...Flevy.com Best Practices
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...Flevy.com Best Practices
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?Flevy.com Best Practices
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain ManagementFlevy.com Best Practices
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...Flevy.com Best Practices
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...Flevy.com Best Practices
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...Flevy.com Best Practices
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative BehaviorsFlevy.com Best Practices
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...Flevy.com Best Practices
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...Flevy.com Best Practices
 

Plus de Flevy.com Best Practices (20)

100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf100 Case Studies on Strategy & Transformation.pdf
100 Case Studies on Strategy & Transformation.pdf
 
Project Management for MBA (in French)
Project Management for MBA (in French)Project Management for MBA (in French)
Project Management for MBA (in French)
 
4 Stages of Disruption
4 Stages of Disruption4 Stages of Disruption
4 Stages of Disruption
 
Customer-centric Culture
Customer-centric CultureCustomer-centric Culture
Customer-centric Culture
 
[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors[Whitepaper] Business Transformation Success Factors
[Whitepaper] Business Transformation Success Factors
 
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
[Whitepaper] 5 Dimensions of Employee Engagement Scorecard
 
[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization[Whitepaper] Digital Transformation: Workforce Digitization
[Whitepaper] Digital Transformation: Workforce Digitization
 
[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition[Whitepaper] Strategic Human Resources: Evolution of Competition
[Whitepaper] Strategic Human Resources: Evolution of Competition
 
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
[Whitepaper] 8 Key Steps of Data Integration: Restructuring Redeployment Asse...
 
[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model[Whitepaper] Strategy Classics: Value Disciplines Model
[Whitepaper] Strategy Classics: Value Disciplines Model
 
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
[Whitepaper] The Definitive Guide to Strategic Planning: Here’s What You Need...
 
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
[Whitepaper] The Definitive Introduction to Strategy Development and Strategy...
 
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
[Whitepaper] The “Theory of Constraints:” What’s Limiting Your Organization?
 
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management[Whitepaper] Transportation Cost Reduction in Supply Chain Management
[Whitepaper] Transportation Cost Reduction in Supply Chain Management
 
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
[Whitepaper] A Great Leadership Experience: Dr. Rachid Yazami, Inventor of th...
 
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
[Whitepaper] Finding It Hard to Manage Conflict at the Workplace? Use the Tho...
 
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
[Whitepaper] Key Account Management: Handling Large Global Accounts the Right...
 
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
[Whitepaper] Nudge Theory: An Effective Way to Transform Negative Behaviors
 
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
[Whitepaper] Business Model Innovation: Creation of Scalable Business Models ...
 
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
[Whitepaper] Shareholder Value Traps: How to Evade Them and Focus on Value Cr...
 

Dernier

Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGlokeshwarmaha
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsWristbands Ireland
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...Brian Solis
 
Slicing Work on Business Agility Meetup Berlin
Slicing Work on Business Agility Meetup BerlinSlicing Work on Business Agility Meetup Berlin
Slicing Work on Business Agility Meetup BerlinAnton Skornyakov
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZKanakChauhan5
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsyasinnathani
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...Khaled Al Awadi
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 

Dernier (20)

Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISINGUNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
UNLEASHING THE POWER OF PROGRAMMATIC ADVERTISING
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
Fabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and FestivalsFabric RFID Wristbands in Ireland for Events and Festivals
Fabric RFID Wristbands in Ireland for Events and Festivals
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
Slicing Work on Business Agility Meetup Berlin
Slicing Work on Business Agility Meetup BerlinSlicing Work on Business Agility Meetup Berlin
Slicing Work on Business Agility Meetup Berlin
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
Mihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZMihir Menda - Member of Supervisory Board at RMZ
Mihir Menda - Member of Supervisory Board at RMZ
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story points
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 

Audit Report Model and Sample

  • 1. Audit Report: Model and Sample JOHN KYRIAZOGLOU First published in July 2013
  • 2. Summary of Contents This book, ‘Audit Report: Model and Sample’, contains a model of an audit report and a real sample from an IT Audit assignment (data of client not disclosed for privacy and confidentiality issues). This has been used effectively in various types of internal and external audit assignments as well as consulting assignments, especially in reviewing internal controls for all types of companies. These types of audit include: (1) Financial Auditing (also called ‘statutory auditing’), which involves reviewing the adequacy of internal accounting controls of the organization in terms of accuracy, completeness and validity of financial information, financial reports and of the underlying accounting systems and records, (2) Operational (Performance) Auditing, which includes reviewing the strategic and operational performance of the whole organization or specific business processes or departments, focusing on the efficiency and effectiveness of these processes and the associated management controls, (3) Compliance Auditing, which relates to reviews of compliance or conformity of the organization with relevant legislation, regulations, standards, internal policies and guidelines, and (4) IT Systems Auditing, which pertains to reviews of effectiveness, accuracy and efficiency of IT general (e.g., IT organization, administration, security, etc.) controls as well as the IT application controls (e.g. accuracy of data and transactions processed and maintained of specific corporate computerized application systems) related to information technology and telecommunications systems, facilities and projects of the organization. Other types of audits are: Follow-up audits, Investigating audits, Integrated audits, Quality audits, ISO audits, Tax audits, IT Security audits, Continuous audits, Due Diligence Process audits, etc. The work of all these audits is carried out by Internal and External Auditors and Management Consultants on the basis of an audit or evaluation strategy, a plan, and a methodology with specific audit objectives, and with the assistance of audit programs, audit checklists, test computerized application systems, and computer assisted audit tools and techniques, like CAATTs, etc. The objective of this book is to provide any business owner, company director, senior manager, auditor, other stakeholder, etc., with a useful set of practical tools to assist and support them in their business performance management system audit and implementation, using any performance model (BSC, EFQM, Six Sigma, etc.).
  • 3. Reference Number: EXECUTIVE SUMMARY 1. Introduction 2. Objectives 3. Scope 4. Opinion Issued:
  • 4. 5.5 Enter title of area reviewed or Risk Rationale Recommendation Management Response 5.6 Enter title of area reviewed or Risk Rationale Recommendation Management Response 5.7 Enter title of area reviewed or Risk Rationale Recommendation Management Response 5.8 Enter title of area reviewed or Risk Rationale Recommendation Management Response
  • 5. 5.13 Enter title of area reviewed or Risk Recommendation Rationale Management Response 5.14 Enter title of area reviewed or Risk Recommendation Rationale Management Response 5.15 Enter title of area reviewed or Risk Recommendation Rationale Management Response 5.16 Enter title of area reviewed or Risk Recommendation Rationale Management Response
  • 6. IT Audit Report for Company ‘ABCXZ’ (a fictitious entity) This report is based on the Audit Report Model described previously in this book. 1. Scope of IT Audit Coverage During this IT audit, as per the Internal Audit Annual Plan and further to the agreement with the Audit Committee, we reviewed and evaluated the controls of the following areas of IT activities of Company ‘ABCXYZ’ (a fictitious private business entity or public organization). These areas are: (a) IT Organization, (b) IT Administration, (c) IT Strategy, (d) Systems Development, (e) IT Security, (f) Data Center Operational and Support Services, and (g) Systems Software. The area of Enterprise Architecture and operating specific IT Applications in the data center or in end user personal computers will not be examined. Also testing in a test environment with real or ‘dummy’ transactions, scanning the facility for eavesdropping devices, and security penetration testing will not be undertaken. The audit findings and recommendations per area audited, both in summary and in detail form, are presented next. 2. Summary of Audit Findings and Recommendations Our recommendations according to an audit priority scheme are presented next. ‘High’ priority means that these recommendations should be considered first for implementation, because their impact level is deemed to be of the highest importance to the specific IT operations. ‘Medium’ priority denotes that these may be examined for implementation next, as their impact level may be important, but not as important as the impact level of ‘High’ priority recommendations. Finally ‘Low’ priority ones, does not mean that these should be disregarded all-together, but may be implemented, as the last step. IT management and other corporate officers (e.g., CEO, Compliance Officer, Risk Officer, Chief Finance Officer, etc.) may change this priority, should they wish. The important thing here is to set priorities and do what is right to rectify and improve the situation.
  • 7. 3. Analysis of Detail Audit Findings and Recommendations The detail audit findings and recommendations are presented next, by IT area audited. The IT areas audited are: IT Organization, IT Administration, IT Strategy, Systems Development, Data Center Operations, Personal Computers, and Systems Software. *3.1. IT Organization Area: Audit Findings and Recommendations The IT audit objectives for auditing the area of IT Organization were to determine the quality and effectiveness of the organization’s management of information technology. The following types of IT Organization controls were reviewed during the audit process, to ascertain both their use and potential effectiveness, at this organization: IT Department Functional Description Controls, IT Organizational Controls, IT Vision, Mission and Values Statements, IT Control Frameworks, Monitoring and Review Controls. The following audit findings and recommendations for resolving these findings are included in this part of the report: Audit Recommendation 1: Formal IT Steering Committee required, and Audit Recommendation 2: Creation of a CIO Position required. Other minor findings and recommendations are not included to make report easier. 3.1.1. Title of area reviewed: IT Steering Committee Audit Findings: IT Steering Committee duties, responsibilities and guidelines necessary for managing the IT Function on a continuous and effective basis have not been adequately defined by the board. Audit Evaluation: This has resulted in approved corporate objectives going unfulfilled or extending them far beyond estimated schedules and budgets. The present informal IT Steering Committee consists of senior executives and is not in a position to assume responsibilities at the operational or strategic levels or monitor accountability and IT results. Audit Recommendation 1: Formal IT Steering Committee required (Priority High) We recommend that duties and responsibilities of the IT Steering Committee should be clearly defined in a formal charter and should include the review and approval for: Major changes in hardware or software, the results of any IT project cost/benefit analysis, software application development or acquisitions, IT project priorities, emergency procedures, contingency and physical security plans, budgets and plans pertaining to the IT function, etc. Management Response: Management will take this up with the board for a permanent solution to be established.
  • 8. Audit Recommendation 3: Job Descriptions need formalization (Priority Low) We recommend that job descriptions for all IT positions should be established and communicated to all IT staff. These job descriptions should be accepted and signed by both corporate management and IT staff. Also these should be maintained throughout the employment cycle of each IT employee. Management Response: IT Management will look into this and take the proper actions with support from the Human Resources Department. 3.2.2. Title of area reviewed: IT Vacation Policy Audit Findings: The Organization does not have a mandatory vacation policy for IT personnel. Audit Evaluation: Requiring employees in sensitive IT positions to take annual vacations is a good control that reduces the risk of an employee undertaking and continuing a fraud scheme and being able to conceal it over a long period of time. Audit Recommendation 4: Vacation Policy needs to be made mandatory (Priority Low) We recommend that consideration be given to the establishment of a vacation policy that would require all IT employees to take their vacation within a calendar year (and preferably consecutively). Exceptions should be approved by the CIO and the Senior Manager of Human Resources and properly documented. Management Response: IT Management with support from Human Resources will look into this and take the proper actions. 3.2.3. Title of area reviewed: IT Training Audit Findings: IT employees have not been adequately trained on the latest IT and Communications issues on the basis of what technologies are currently used by IT and upon reviewing the IT budget (planned and actual expenditures) over the last year. Audit Evaluation: Adequate IT training may improve programming practices and therefore result in fewer errors, reduced system implementation times resulting in reduced development costs, and fewer operational and other labor costs. Audit Recommendation 5: Training of IT personnel requires improvement (Priority Low) We recommend that a formal IT training program be developed for each employee, which will address methods and techniques required to improve the use of technologies for the organization and bring the performance of the particular IT personnel in line with corporate strategic and operational objectives. Management Response: IT Management will look into this in relation to budget constraints and take the proper actions.
  • 9. Audit Recommendation 7: Formal IT Strategic Plan required (Priority High) We recommend that the organization develop a written three to five year strategic IT plan that is based on the organization’s long term corporate strategic or business plan. This plan should be a working document that addresses such key issues as: hardware requirements, systems software requirements, communications, application development, budgeting, emergency procedures and contingency plans and review of relationships with outside IT vendors, etc. Management Response: IT Management will look into this and take the proper actions. *3.4. Systems Development Area: Audit Findings and Recommendations The IT audit objectives of this area were to determine the quality and effectiveness of the organization’s systems development policies, procedures and practices in designing, developing and deploying information systems and services throughout the organization, including its stakeholders. The following types of IT strategic controls were reviewed during the audit process, to ascertain both their use and potential effectiveness, at this organization: Application Development Controls, IT Systems Testing Methodology, End User Application Development Controls, Audit Trails, Software Package Controls, and System Development Quality Controls. The following audit findings and recommendations for resolving these findings are included in this part of the report: Audit Recommendation 8: Application Systems Development Standards required, Audit Recommendation 9: Formal Application Testing Procedures required, and Audit Recommendation 10: End User Documentation requires improvement. Other minor findings and recommendations are not included to make report easier. 3.4.1. Title of area reviewed: Application Systems Development Audit Findings: We noted during our review that application system development standards including documentation standards are informal and not ratified by the IT steering committee or other senior executive body of the organization. Audit Evaluation: The use of formalized application system development standards when properly customized and implemented by the IT staff of the organization ensures, as much as possible that: (a) Controls within each application system and program are suitably designed and maintained, (b) development of application systems and related program changes satisfy management objectives, (c) the implemented controls operate in accordance with specifications of the internal corporate controls framework, (d) application systems and related program changes are adequately tested, and (e) potential production errors are corrected before they occur, etc. Audit Recommendation 8: Application Systems Development Standards required (Priority High)
  • 10. Audit Recommendation 10: End User Documentation requires improvement (Priority Medium) We recommend that all end user application system manuals be brought up to date. Minimum documentation and procedures necessary for an end user application system manual may include: System narrative, applications system features and constraints, explanation of input fields, samples of all screens and forms, end user related codes and formulas, report samples, report descriptions defining field sources and calculations, balancing procedures, explanation of data error messages, other controls, etc. Management Response: IT Management will look into this and take the proper actions. *3.5. IT Security Area: Audit Findings and Recommendations The IT audit objectives of this area were to determine the quality and effectiveness of the organization’s IT security policies, procedures and practices in designing, developing and deploying information systems and services throughout the organization, including its stakeholders. The following types of IT security controls were reviewed during the audit process, to ascertain both their use and potential effectiveness, at this organization: IT Security Governance Guidelines, Standards, and Legal Frameworks, IT Security Plans, Policies and Procedures, Personnel Security Management Controls, Specialized IT Technical Protection Controls, etc. The following audit findings and recommendations for resolving these findings are included in this part of the report: Audit Recommendation 11: Formal IT Security Policy and related Procedures required, Audit Recommendation 12: Access Controls on production elements by IT personnel require improvement, and Audit Recommendation 13: Password Controls require improvement. Other minor findings and recommendations are not included to make report easier. 3.5.1. Title of area reviewed: IT Security Audit Findings: The organization has not published an IT security policy for all of its employees and managers which defines the responsibilities of all end users for maintaining the confidentiality and integrity of all Company data. Also both management and line staff are not required to sign a non-disclosure and confidentiality statement at the point of joining the company and every year thereafter which defines their duties toward the Company, the data maintained and other security considerations. Moreover, procedures have also not been documented regarding all IT security issues (like password administration, etc.) which would have to be identified in the security policy. Audit Evaluation: Without formal IT security standards, a policy and related procedures, management and employees of the organization do not have clear guidelines and instructions as to what to do in IT security matters.
  • 11. established to guide or enforce users to monitor password changes and in fact change their passwords regularly. Audit Evaluation: The practice of not monitoring and not changing passwords regularly may allow the initiation of fraudulent acts, data abuse and information processing errors, and intrusion by unauthorized internal and external parties easier to achieve. Audit Recommendation 13: Password Controls require improvement (Priority High) We recommend that IT management craft and implement a policy and related procedures to enforce changing all user passwords (end user, IT) on a regular basis and when personnel terminations occur or employees change job duties and responsibilities. Management Response: IT Management will look into this and take the proper actions. *3. 6. Data Center Operations: Audit Findings and Recommendations The IT audit objectives of this area were to determine the quality and effectiveness of the organization’s data center operational and support policies, procedures and practices in designing, developing and deploying information systems and services throughout the organization, including its stakeholders. The following types of data center operational and support controls were reviewed during the audit process, to ascertain both their use and potential effectiveness, at this organization: Data Centre Design and Infrastructural Controls, Data Centre Physical Access Controls, Computer Hardware Management Controls, IT Contingency Planning and Disaster Recovery Controls, etc. The following audit findings and recommendations for resolving these findings are included in this part of the report: Audit Recommendation 14: Computer Room Access Controls require improvement, Audit Recommendation 15: Safe Off-Site Storage for Backups required, and Audit Recommendation 16: IT Contingency and Disaster Recovery Plan required. Other minor findings and recommendations are not included to make report easier. 3.6.1. Title of area reviewed: Computer Room Access Audit Findings: During our review, we noted that all employees of the organization, whether users of the information systems or not, entered the computer room by the use of their employee access card, without any controls whatsoever. Also external maintenance personnel and other visitors, entered this computer room, just by calling the operators, or knocking on the computer door. Audit Evaluation: Almost free access to the computer room is prone to result in damage or loss or theft or misallocation to hardware, reports, digital media, tape files, documentation, consumables, pre-printed forms (such as invoices, checks, etc.), etc. Audit Recommendation 14: Computer Room Access Controls require improvement (Priority High)
  • 12. procedures for damage assessment, plan activation procedures, notification procedures, emergency recovery teams roles and responsibilities, insurance coverage, written vendor agreements to provide, backup processing facilities, off-site storage procedure, backup procedures and data recovery procedures, vendor contact list, inventory of forms, etc., testing procedures, and plan maintenance responsibilities, etc. Management Response: IT Management will look into this and take the proper actions. *3.7. Personal Computers: Audit Findings and Recommendations The following audit findings and recommendations for resolving these findings are included in this part of the report: Audit Recommendation 17: Personal Computers Policies and Procedures required. Other minor findings and recommendations are not included to make report easier. 3.7.1. Title of area reviewed: Personal Computers Environment Audit Findings: During our review we noted that the organization is increasingly using personal computers in almost all business areas. End users develop various spreadsheet applications and use them widely, without any control what-so-ever. Also no written policies and procedures have been developed for controlling personal computers and the development and use of spreadsheet applications by end users. Audit Evaluation: Comprehensive policies and procedures for the use of personal computers and the development of spreadsheet applications by end users will ensure that the environment will be controlled better. Also that data entered into these applications will likely produce more accurate results. Audit Recommendation 17: Personal Computers Policies and Procedures required (Priority Medium) We recommend that the organization develops formal policies and procedures for the control personal computers and the development of end user applications. Management Response: IT Management will look into this and take the proper actions.
  • 13. *3.9. IT Applications Operation: Audit Findings and Recommendations The area of IT Applications Operation is not within the agreed scope of this IT audit, and therefore, no full review was conducted of the relevant controls related to operating computerized applications in the data center of the organization at the time of this audit. However, we noted the following for which we make the corresponding recommendations. 3.9.1. Title of area reviewed: Forms Control Audit Findings: We noted during our review that critical forms, such as: invoices, accounts payable checks, purchase orders, etc., are not properly controlled (e.g., are not stored in locked area, they are released with no authorization, etc.). Audit Evaluation: The risk that a potential fraud will go unnoticed is very great. Also the risk that critical business activities will be delayed is quite apparent. Audit Recommendation 19: Critical Forms require improved control (Priority High) We recommend that all critical forms should be under the control of an authorized manager, and should only be release to authorized personnel only. Management Response: IT management will take appropriate actions to remedy this situation. 3.9.2. Title of area reviewed: Logs Control Audit Findings: We noted during our review that the various computer operations logs are not examined by the relevant computer manager, responsible for the jobs running in the data center. Audit Evaluation: By reviewing computer operations logs on a regular basis, problems or unauthorized use of application systems, files and utilities can be detected. Audit Recommendation 20: Review of Logs may assist in problem solutions (Priority Low) We recommend that the company computer operations manager regularly review all applications logs to identify possible production problems and potential breaches of security. Management Response: IT management will take appropriate actions to remedy this situation.