
IS Audit and Assurance Guideline

2401 Reporting
The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
• IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, acknowledging that
the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other
applicable professional standards.

ITAF™, a professional practices framework for IS audit and assurance, provides multiple levels of guidance:
• Standards, divided into three categories:
  - General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
  - Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
  - Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
• Guidelines, supporting the standards and also divided into three categories:
  - General guidelines (2000 series)
  - Performance guidelines (2200 series)
  - Reporting guidelines (2400 series)
• Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT® 5 family of products

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet
the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of
this product will assure a successful outcome. The publication should not be considered inclusive of any proper
procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific procedure or test, controls professionals should apply their own
professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email ([email protected]), fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

ISACA 2013-2014 Professional Standards and Career Management Committee

Steven E. Sizemore, CISA, CIA, CGAP, Chairperson (Texas Health and Human Services Commission, USA)
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP (HP Enterprises Security Services, UK)
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA (Myers and Stauffer LC, USA)
Alisdair McKenzie, CISA, CISSP, ITCP (IS Assurance Services, New Zealand)
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP (University of North Texas, USA)
Katsumi Sakagawa, CISA, CRISC, PMP (JIEC Co. Ltd., Japan)
Ian Sanderson, CISA, CRISC, FCA (NATO, Belgium)
Timothy Smith, CISA, CISSP, CPA (LPL Financial, USA)
Todd Weinman (The Weinman Group, USA)

IS Audit and Assurance Guideline 2401 Reporting

The guideline is presented in the following sections:


1. Guideline purpose and linkage to standards
2. Guideline content
3. Linkage to standards and COBIT 5 processes
4. Terminology
5. Effective date

1. Guideline Purpose and Linkage to Standards

1.0 Introduction
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’

1.1 Purpose
1.1.1 This guideline provides guidance for IS audit and assurance professionals on the different types of IS audit engagements and related reports.
1.1.2 The guideline details all aspects that should be included in an audit engagement report and provides IS audit and assurance professionals with considerations to make when drafting and finalising an audit engagement report.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards
1.2.1 Standard 1007 Assertions
1.2.2 Standard 1205 Evidence
1.2.3 Standard 1401 Reporting
1.2.4 Standard 1402 Follow-up Activities

1.3 Term Usage
1.3.1 Hereafter:
• ‘IS audit and assurance function’ is referred to as ‘audit function’
• ‘IS audit and assurance professionals’ are referred to as ‘professionals’

2. Guideline Content

2.0 Introduction
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Types of engagements
2.2 Required contents of the audit engagement report
2.3 Subsequent events
2.4 Additional communication

©2014 ISACA All rights reserved. 2



2.1 Types of Engagements
2.1.1 Professionals may perform any of the following types of audit engagements:
• Examination
• Review
• Agreed-upon procedures

Note: These terms are defined in ITAF, 2nd Edition.

2.1.2 Both examination and review engagements involve:
• Planning the engagement
• Evaluating the design effectiveness of control procedures
• Testing the operating effectiveness of the control procedures (the nature, timing and extent of testing will vary between the two types of engagement)
• Forming a conclusion about, and reporting on, the design and/or operating effectiveness of the control procedures based on the identified criteria:
  - The conclusion for a reasonable assurance engagement is expressed as a positive opinion and provides a high level of assurance.
  - The conclusion for a limited assurance engagement is expressed as a negative opinion and provides only a moderate level of assurance.
2.1.3 An ‘agreed-upon procedures’ engagement does not result in the expression of any assurance by professionals. Professionals are engaged to carry out specific procedures to meet the information needs of those parties who have agreed to the procedures to be performed (e.g., executive management, the board or those charged with governance). Professionals issue a report of factual findings to those parties that have agreed to the procedures. The recipients form their own conclusions from this report because the nature, timing and extent of procedures do not enable the professional to express any assurance. The report is restricted to those parties that have agreed to the procedures to be performed because others are not aware of the reasons for the procedures and may misinterpret the result.
2.1.4 An agreed-upon procedures report could also be distributed to a third party (e.g., regulatory body) when predetermined and approved by the parties that have agreed on the procedures before the start of the actual work. Professionals should consider this, using their professional judgement, based on the risk of misinterpretation of the work to be performed.
2.1.5 Professionals who, before the completion of an audit engagement, are requested to change the audit engagement from an examination or review engagement to an agreed-upon procedures engagement need to consider the appropriateness of doing so and cannot agree to a change where there is no reasonable justification for the change. For example, a change made in order to avoid a qualified report is not appropriate.

2.2 Required Contents of the Audit Engagement Report
2.2.1 In developing an audit engagement report, all relevant evidence obtained should be considered, regardless of whether it appears to corroborate or contradict the subject matter information. Where there is an opinion, it should be supported by the results of the control procedures based on the identified criteria. Professionals should conclude whether sufficient and appropriate evidence has been obtained to support the conclusions in the audit engagement report. More detailed guidance can be found in Standard 1205 Evidence.
2.2.2 When concluding on an examination or review engagement, professionals should come to an expression of opinion about whether, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective. This opinion can be:
• Unqualified—Professionals should express an unqualified opinion when they conclude that, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective, in accordance with the applicable criteria.
• Qualified—Professionals should express a qualified opinion when they:
  - Having obtained sufficient and appropriate evidence, conclude that control weaknesses, individually or in the aggregate, are material, but not pervasive to the IS audit objectives
  - Are unable to obtain sufficient and appropriate evidence on which to base the opinion, but conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be material but not pervasive
• Adverse—Professionals should express an adverse opinion when one or more significant deficiencies aggregate to a material and pervasive weakness
• Disclaimer—Professionals should disclaim an opinion when they are unable to obtain sufficient and appropriate evidence on which to base the opinion, and conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be both material and pervasive.
2.2.3 Professionals’ examination or review report about the effectiveness of control procedures should include the following elements:
• An appropriate and distinctive title, clearly distinguishing the report from any other type of report not subject to auditing standards
• Identification of the recipients to whom the report is directed, according to the terms in the audit charter or engagement letter
• Identification of the responsible party, including a statement of the party responsible for the subject matter
• Description of the scope of the audit engagement, the name of the entity or component of the entity to which the subject matter relates, including:
  - Identification or description of the area of activity
  - Criteria used as a basis for professionals’ conclusion
  - The point in time or period of time to which the work, evaluation or measure of the subject matter relates
  - A statement that the maintenance of an effective internal control structure, including control procedures for the area of activity, is the responsibility of management
• A statement identifying the source of management’s representation about the effectiveness of control procedures
• A statement that professionals have conducted the audit engagement to express an opinion on the effectiveness of control procedures
• Identification of the purpose (i.e., IS audit objectives) for which professionals’ report has been prepared and of those entitled to rely on it, and a disclaimer of liability for its use for any other purpose or by any other person
• Description of the criteria or disclosure of the source of the criteria. Furthermore, the professionals should consider disclosing:
  - Any significant interpretations made in applying the criteria
  - Measurement methods used when criteria allow for a choice between a number of measurement methods
  - Changes in the standard measurement methods used
• Statement that the audit engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards. Any non-compliance with these standards should be explicitly mentioned in the report.
• Further explanatory details about the variables that affect the assurance provided and other information as appropriate
• Findings, conclusions and recommendations for corrective action, including management’s response. For each management response, professionals should obtain information on the proposed actions to implement or address reported recommendations and the planned implementation or action date.
  - Responsible management may decide to accept the risk of not correcting a reported condition because of cost, complexity of the corrective action or other considerations. The board of directors (or those charged with governance) should be informed of recommendations for which management accepts the risk of not correcting the reported situation.
  - If professionals and the auditee disagree about a particular recommendation or audit comment, the engagement communications may state both positions and the reasons for the disagreement. The auditee’s written comments may be included as an appendix to the engagement report. Alternatively, the auditee’s views may be presented in the body of the report or in a cover letter. Executive management, or those charged with governance, should then make a decision as to which point of view they support.
• A paragraph stating that because of the inherent limitations of any internal control, misstatements due to errors or fraud may occur and go undetected. In addition, the paragraph should state that projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the level of compliance with the policies or procedures may deteriorate. An audit engagement is not designed to detect all weaknesses in control procedures because it is not performed continuously throughout the period and the tests performed on the control procedures are on a sample basis.
• A summary of the work performed, which will help the intended users of the report to better understand the nature of the assurance conveyed
• An expression of opinion about whether, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective. When professionals’ opinion is qualified, a paragraph describing the reasons for qualification should be included.
• Where appropriate, references to any other separate reports that should be considered, such as a separate report that communicates security vulnerabilities that are protected from disclosure and should be distributed to a restricted list of recipients
• Date of issuance of the audit engagement report. In most instances, the date of the report is based upon the issue date. It is recommended to also mention the dates when the audit work was actually performed, if not yet mentioned with the summary of the work performed.
• Names of individuals or entity responsible for the report, appropriate signatures and locations
2.2.4 The agreed-upon procedures report should be in the form of procedures and findings. The report should contain the following elements:
• An appropriate and distinctive title, clearly distinguishing the report from any other type of report not subject to auditing standards
• Identification of the recipients to whom the report is directed, according to the terms in the audit charter
• Identification of the responsible party, including a statement of the party responsible for the subject matter
• A statement that the audit engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards. Any non-compliance with these standards should be explicitly mentioned in the report.
• Identification of the subject matter (or the written assertion related thereto) and the purpose (i.e., IS audit objectives) of the audit engagement
• A statement that the procedures performed were those agreed to by the responsible parties identified in the report
• A statement that the sufficiency of the procedures is solely the responsibility of the responsible parties and a disclaimer of responsibility for the sufficiency of those procedures
• A list of the procedures performed (or reference thereto)
• A description of the findings, including sufficient details of errors and exceptions found
• A statement that professionals only performed the agreed-upon procedures and, as such, no assurance is expressed
• A statement that if the professionals had performed additional procedures, other matters might have come to professionals’ attention and would have been reported
• A statement of restrictions on the use of the report because it is intended to be used solely by the specified parties
• A statement that the report only relates to the elements specified and that it does not extend beyond them
• References to any other separate reports that should be considered
• Date of issuance of the audit engagement report. In most instances, the date of the report is based upon the issue date. It is recommended to also mention the dates when the audit work was actually performed, if not yet mentioned with the summary of the work performed.
• Names of individuals or entity responsible for the report, appropriate signatures and locations
2.2.5 There are two types of examination reports:
• Direct reports—On the subject matter rather than on an assertion. The report should make reference only to the subject of the engagement and should not contain any reference to management’s assertion on the subject matter.
• Indirect reports—Based on management assertions about the subject matter.

More detailed guidance on the difference between indirect and direct reporting can be found in Standard 1007 Assertions.

2.3 Subsequent Events
2.3.1 Events sometimes occur, subsequent to the point in time or period of time of the subject matter being tested but prior to the date of professionals’ report, which have a material effect on the subject matter and therefore require adjustment or disclosure in the presentation of the subject matter or assertions. These occurrences are referred to as subsequent events. In performing an audit engagement, professionals should consider information about subsequent events that comes to their attention. However, professionals have no responsibility to detect subsequent events.
2.3.2 Professionals should inquire with management as to whether they are aware of any subsequent events, through to the date of professionals’ report, that would have a material effect on the subject matter or assertions.

2.4 Additional Communication
2.4.1 Professionals should discuss the draft report contents with management in the subject area prior to finalisation and release, and include management’s response to findings, conclusions and recommendations in the final report, where applicable.
2.4.2 Professionals should communicate significant deficiencies and material weaknesses in the control environment to those charged with governance and, where applicable, to the responsible authority. They should also explicitly disclose in the report that these have been communicated.
2.4.3 Professionals should communicate to management internal control deficiencies that are less than significant but more than inconsequential. In such cases, those charged with governance or the responsible authority should be notified by the professionals that such internal control deficiencies have been communicated to management.
2.4.4 Professionals should obtain written representations from management acknowledging, at a minimum, the following assertions:
• Management responsibility for establishing and maintaining proper and effective internal controls, including systems of internal accounting and administrative controls over operating activities and information systems under review, and activities to identify all laws, rules and regulations which govern the subject area under review and to ensure compliance with them.
• All requested information relevant to the engagement objectives was provided to the engagement team including, but not limited to:
  - Records, related data, electronic files and reports
  - Policies and procedures
  - Pertinent personnel
  - Results of relevant internal and external IS audits, reviews and assessments
• No event has occurred, and no matter has been discovered, since the end of fieldwork that would have a material effect on the engagement.
• Management has no knowledge of any fraud or suspected fraud, irregularities and illegal acts related to the subject area under review, including management and employees with responsibility for internal control, not already disclosed.
• Management has no knowledge of any allegations of fraud or suspected fraud, irregularities and illegal acts affecting the area under review received in communications from employees, clients, contractors or others not already disclosed.
• Acknowledgement of responsibility for the design and implementation of programs and controls to prevent and detect fraud, irregularities and illegal acts.

3. Linkage to Standards and COBIT 5 Processes

3.0 Introduction
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance

3.1 Linkage to Standards
The table provides an overview of:
• The most relevant ISACA IS audit and assurance standards that are directly supported by this guideline
• Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.


Standard / Title: Relevant Standard Statements

1007 Assertions
  IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

1205 Evidence
  IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.

1401 Reporting
  IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:
  • Identification of the enterprise, the intended recipients, and any restrictions on content and circulation
  • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
  • The findings, conclusions and recommendations
  • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
  • Signature, date and distribution according to the terms of the audit charter or engagement letter
  IS audit and assurance professionals shall ensure findings in the audit report are supported by sufficient, reliable and relevant evidence.

1402 Follow Up
  IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.

3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
• COBIT 5 processes
• COBIT 5 process purpose

Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

COBIT 5 Process: Process Purpose

EDM05 Ensure stakeholder transparency.
  Make sure that the communication to stakeholders is effective and timely, and the basis for reporting is established to increase performance, identify areas for improvement and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.

MEA01 Monitor, evaluate and assess performance and conformance.
  Provide transparency of performance and conformance and drive achievement of goals.

MEA02 Monitor, evaluate and assess the system of internal control.
  Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

MEA03 Monitor, evaluate and assess compliance with external requirements.
  Ensure that the enterprise is compliant with all applicable external requirements.

3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
• Colleagues from within the enterprise
• Management
• Governance bodies within the enterprise, e.g., audit committee
• Professional organisations
• Other professional guidance (e.g., books, papers, other guidelines)

4. Terminology

Term: Definition

Appropriate evidence
  The measure of the quality of the evidence

Inconsequential deficiency
  A deficiency is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiencies, either individually or when aggregated with other deficiencies, would clearly be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.

Sufficient evidence
  The measure of the quantity of evidence; supports all material questions to the audit objective and scope. See evidence.

5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.
