ISACA ITAF (Reporting Standards/Guidelines) Flashcards
Guidelines: Reporting (1401)
What should be included in reporting if the auditee disagrees with the auditor's finding or with the recommendation to correct it?
If practitioners and the auditee disagree about a particular recommendation or audit comment, the engagement communications (i.e. audit report) may state both positions and the reasons for the differences.
The auditee’s written comments may be included as an appendix to the audit report, in the body of the report or in a cover letter. Executive management or those charged with governance of the IT audit and assurance function should decide which point of view it supports.
It is important that practitioners discuss significant deficiencies and weaknesses with management prior to communicating them to those charged with governance and, where applicable, to the responsible authority. Disclose in the report that significant deficiencies and weaknesses have been communicated.
Also, communicate to auditee management internal control deficiencies that are less than significant but more than inconsequential. In such cases, those charged with governance of the audit function or the responsible authority should be notified that such internal control deficiencies have been communicated to auditee management.
Standards: Follow-Up Activities (1402)
- 1) IT audit and assurance practitioners shall monitor and periodically report to those charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee) management’s progress on findings and recommendations. The reporting should include a conclusion on whether management has planned and taken appropriate, timely action to address reported audit findings and recommendations.
- 2) Progress on the overall status of the implementation of audit findings should be regularly reported to the audit committee, if one is in place.
- 3) Where it is determined that the risk related to a finding has been accepted and is greater than the enterprise’s risk appetite, this risk acceptance should be discussed with senior management. The acceptance of the risk (particularly failure to resolve the risk) should be brought to the attention of the audit committee (if one is in place) and/or the board of directors.
Guidelines: Follow-Up Activities (1402)
Auditee/auditor coordination of corrective actions and responses to findings identified by the auditor.
As part of their discussions with the auditee, practitioners should obtain agreement on the results of the audit engagement and on a plan of action to improve operations, as needed.
Practitioners should discuss with management the proposed actions to implement or address reported recommendations and audit comments.
Proposed actions should be provided to practitioners and should be recorded as a management response in the final report with a committed implementation and/or action date.