This lesson covers how to create a report to show what was discovered in an audit. The report contains the following:

1. Audit scope
2. Audit objectives
3. Methods and criteria used
4. Nature of findings
5. Extent of work performed
6. Applicable dates of coverage
7. A qualified opinion
8. An unqualified opinion

This lesson also covers recommendations for what the report should include. Participants also learn about follow-up procedures. The lesson concludes with what participants need to know in order to pass their exam.

Transcript:

Alright, so we finally get to the end of the module where we report the findings. This is where you prepare a report to present all of the evidence and the conclusions of the auditor. So the report should contain some obvious sections. It should include the scope: what the objectives were, which methods were used, which criteria were used, the kind of findings that were discovered, the nature of those findings. How much work was performed? What are the dates of coverage? Meaning, when was the audit begun and when was it concluded? Then there is the concept of a qualified opinion. That means that there are some restrictions on the auditor's opinion. The auditor believes this, but it's only because of this situation or this factor here. An unqualified opinion means that there are no restrictions. So that means that the findings have no reservations. Everything is presented as is; it's factual and it's truthful.

Big list of recommendations to think about here, as far as how the report should be constructed. The title of the report should have the word 'independent' if it's an external audit. We should have the date of the report. We want to look at the executive summary. If there are any charts or graphs, or any other kind of information graphics, those should be clearly shown. We want to have a statement of the standards that were followed. This is important because it puts everything into the proper context, to know that 'this was a standard that was used' or 'that was a standard that was used'. We want to know what the procedures were that were performed, especially because they should have been agreed to by everyone that was party to the audit. The auditor and the auditee should have agreed on those procedures before the audit began. So this reiterates that fact and makes sure that everyone is still in agreement. There might be disclaimers; any extra procedures that were performed should be detailed. Any concerns that the auditor had, any reservations. Or, as we mentioned earlier, any qualifications to the opinion. Then the detailed findings would be presented, along with the auditor's opinion, and then finally a signature and some contact information that basically proves that the auditor prepared this report: they signed it, they dated it, and now it's a correct legal document.

Then we have the follow-up, or the closing meeting. So this is effectively an exit interview that the auditor conducts with management to make sure that they are committed to whatever was discovered, or what the findings were, in the audit itself.

Alright, so let's talk about what the exam essentials are for module 3. We've got a pretty big list here. First we'll start with knowing how to implement a risk-based audit strategy. Knowing what the benefits are to auditing information systems as far as the standards, guidelines and best practices as they apply to I.T. You have to be familiar with how to plan for your audits. Know the practices and techniques that are applicable to the particular type of audit that you're doing. Be familiar with your IS control objectives; knowing how the controls work, the planned inputs, expected behaviors and planned outputs. That's a good way to summarize what a control should do. Be familiar with some of the computer-assisted audit tools, or CAT, and some of the capabilities that they offer to assist the auditor in getting the audit done more efficiently and more accurately. Understanding continuous auditing methods; we talked about some of those. Techniques for gathering information and understanding what the evidence life-cycle is: everything from identifying evidence and analyzing it, reporting it and then returning it to the original owner. So know the evidence types and the different ways to grade that evidence. You need to understand the different audit tests and how the sample selection is performed, whether it's random sampling or continuous sampling. Understand how the evidence is analyzed, so we can determine if it's conforming or non-conforming evidence. Understanding how to deal with illegal or fraudulent acts and how you should assess that information before deciding to contact upper management or law enforcement. Advising clients and implementing risk control practices or risk control policies. Being able to communicate the issues accurately and effectively to the client, whether it's the results of the audit, issues that were discovered during the audit, or the potential risks that were discovered. And then lastly we want to think about the role of traditional audits compared to control self-assessments.

So a pretty good list of things to think about for the exam. And so let's go ahead and do the domain 3 review questions. See you in domain 4. Thank you.
Certified Information Systems Auditor (CISA)

To meet the dynamic requirements of enterprise vulnerability management, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.