The test and audit data has to be presented in a format suitable for making management and administrative decisions. Such a process is called audit reporting, and the outcome is an audit report. A test report can identify specific areas of administrative controls, and it provides the test results of a security-testing activity. An audit report will be a consolidated view of adherence to security policies, procedures, as well as compliance to specific legal or regulatory requirements or information security standards.

Test and audit reports need to be backed up and archived for future investigations or compliance requirements. The time period for such archival varies between standards and regulatory requirements.