Summary of Findings

An audit finding is a documented conclusion about a control or process, typically a gap between what was observed and what policy, regulation, or industry norms require. The objective of the audit determines how findings need to be documented. As findings are discovered, further investigation might be required to satisfy the objectives; the results of that investigation are summarized in the final report. The following five elements constitute a finding:

  • Criteria—This identifies the expected or desired state. This provides the context for evaluating the evidence collected by the auditor and the subsequent procedures the auditor performs. The criteria might be based, for example, on regulations, policies, standards, and external frameworks.

  • Condition—This identifies the situation that actually exists in the IT environment, as established by the evidence the auditor collected.

  • Cause—This identifies the reason for the gap between the condition and the criteria. The cause also provides a starting point from which the auditor can make a recommendation to correct the situation.

  • Consequence—This identifies the effect or potential impact on the IT landscape that results from the gap between the condition and the desired state. It covers consequences that might occur as a result of the gap, and it might also reveal negative consequences that have already been occurring.

  • Corrective action—This identifies what management action is required to remediate the related risks.

Within each of the different areas of IT, audit findings can get very specific. A summary of findings across the seven domains of a typical IT infrastructure should be broader. Providing this in a meaningful yet concise way requires a gap analysis: a measure of where the organization is and where it would like to be. This in turn requires a complete understanding of the systems across the IT domains as well as the level of control the enterprise needs. Factors that affect the required level of control may include regulatory requirements and risk analysis. An auditor might also compare the organization with industry peers and compare the organization's practices with other recommended practices.

Management action plans and appropriate follow-up are critical to closing the process. Recommendations describe the action that management should take to deal with deficiencies. It is the documented action plan, however, that provides the guidance for correcting those deficiencies: it assigns responsibility for each recommendation and sets a deadline for it. If management provides agreed-upon actions prior to the final report, they should be documented alongside the recommendations.

As part of the document-gathering process of an audit, the auditor should consider previous audit results and past recommendations. Likewise, the documented results and recommendations of the current audit will be examined during the next audit. This provides a process for continual awareness of changing environments and constant improvement.
