Module 10 - Reporting and Communication Techniques

Uploaded by

Usagi Tsukki

REPORTING AND COMMUNICATION TECHNIQUES
MODULE 10

Effective and clear communication can significantly improve the quality of audits and maximize their results. Audit findings should be reported and communicated to stakeholders, with appropriate buy-in from the auditees, for the audit process to be successful. An IS auditor should also consider the motivations and perspectives of the recipients of the audit report so their concerns may be properly addressed.

SKILLS NEEDED FOR COMMUNICATING AUDIT RESULTS

COMMUNICATION SKILLS
Communication skills (both written and verbal) determine the effectiveness of the audit reporting process. Communication and negotiation skills are required throughout the audit. Successful resolution of audit findings with auditees is essential so that auditees will adopt the recommendations in the report and initiate prompt corrective action. To achieve this goal, an IS auditor should be skilled in the use of techniques such as facilitation, negotiation and conflict resolution. An IS auditor should also understand the concept of materiality (i.e., the relative importance of audit findings based on business impact) when reporting on audit results.

FACILITATION
Facilitation - The facilitator is the one who facilitates the meeting.

NEGOTIATION
Negotiation - Meeting halfway with the auditors. The auditor and auditee should agree. The decision depends on the finding of the auditor.

CONFLICT RESOLUTION
- Sometimes misunderstandings during the audit really cannot be avoided
- No matter how professionally you discuss things with your auditees, when you find weaknesses, someone will get angry
- Robust in the internal organization, internal ratings
- one of the factors there is the ______
- If your audit rating is low, what you get may be low as well
- Watchdog - a tattletale; only reports the problems
- Remember from Module 1 and Module 2: the auditor should add value to avoid conflict
- As an auditor, you do not initiate a fight
- Deal with conflict in a professional manner

COMMUNICATING AUDIT RESULTS
The exit interview, conducted at the end of the audit, provides an IS auditor with the opportunity to discuss findings and recommendations with the auditee management. During the exit interview, an IS auditor should:

EXPECTATIONS DURING EXIT INTERVIEW
● Ensure that the facts presented in the report are correct and material.
○ Some organizations have what is called an advanced report, or summary of findings; this is what is discussed with the auditee
○ Sometimes it is recorded
○ Nowadays the consent of the auditee is needed (it is wiretapping if there is no consent)
○ Should be correct or material, because the auditee is compromised if your audit is full of errors
○ Present only what is material
■ Concept of materiality depends on the judgment of the auditor and the policy
● Ensure that the recommendations are realistic and cost-effective and, if not, seek alternatives through negotiation with auditee management.
○ The recommendations are already discussed here
○ Auditors add value by giving recommendations to address the findings
○ Recommendations should incorporate SMART
■ Specific, Measurable, Attainable or Achievable, Realistic, Time-bound
○ Say the sales module of your computer system, let’s say EDI, has a problem
○ If the whole system is replaced, will the problem in sales be addressed?
■ Possible, because you are replacing the whole system
○ Is it practical? No
○ A recommendation should be viable when you make one

MARIA BERNISE DIMZON • ELEINA BEA BERNARDO • JONAS ROSQUILLO 1


○ The cost-benefit analysis should also be considered
○ The recommendations are also discussed in the exit conference
● Recommend implementation dates for agreed-on recommendations.
○ It is not acceptable for the auditee's only reply to your findings to be “we will comply”
○ You should give specific actions to address the findings
○ You should also have a timeline
○ If it is set for the 1st quarter, the findings are expected to be addressed in the 1st quarter
○ Is a timeline of 2 years reasonable?
○ We should also use our judgment
○ The timeline should have the findings addressed in a timely manner
○ If high risk, it should be addressed immediately
○ If the impact is not that large, more time can be allowed

- Exit interview - exit meeting/exit conference
- The exit meeting happens after the audit itself
- The auditors and the auditee take part
- On the auditors' side, it still depends on the audit policy
- On the auditee's side, you can also invite other stakeholders of the process or department being audited
- Higher management can also be included in the exit interview
- During this, the auditors present their findings to the auditee
- It is also like due process; not everything from the field work ends up in the audit report
- The auditor may think there is a finding when there really is none
- Oversights do still happen?
- The auditor's recommendation might be too difficult for the auditee to carry out
- They should meet halfway
- In case there is still disagreement, the resort is to communicate with senior management
- If it is still unresolved, you can go straight to the BOD

IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee and they should feel free to communicate issues or concerns to these groups. An attempt to deny access by levels lower than senior management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, an IS auditor should discuss the findings with the auditee management to gain agreement on the findings and develop an agreed-upon course of corrective action. In cases where there is disagreement, an IS auditor should elaborate on the significance of the findings, risk and effects of not correcting the control weakness. Sometimes the auditee management may request assistance from an IS auditor in implementing the recommended control enhancements. An IS auditor should communicate the difference between an IS auditor’s role and that of a consultant and consider how assisting the auditee may adversely affect an IS auditor’s independence.

After agreement has been reached with auditee management, IS audit management should brief senior auditee management. A summary of audit activities should be presented periodically to the audit committee. Audit committees typically are composed of individuals who do not work directly for the organization and, thus, provide an IS audit and assurance professional with an independent route to report sensitive findings.

AUDIT REPORT OBJECTIVES

THE SIX OBJECTIVES OF AUDIT REPORTING:
1. Formally present the audit results to the auditee (and the audit client, if different from the auditee).
● This is the part of the audit report that is shown to the auditee
2. Serve as formal closure of the audit engagement.
● Your audit of the auditee, of its business or process, is finished.
● It does not necessarily mean that you have nothing left to do afterward.
● Though your field work is finished, we expect the findings and timeliness to be complied with
3. Provide statements of assurance and, if needed, identification of areas requiring corrective action and related recommendations.
● In an audit, what kind of assurance is given? Reasonable assurance.
● Included in the audit report
4. Serve as a valued reference for any party researching the auditee or audit topic.
● With the audit report, reaching information with the business process being audited
● Audit reports are confidential; they are not handed out to just anyone
● Who may use the audit report to research the auditee?
○ Audit committee
○ Senior management audit committee
○ Other auditors - for the next audit, to see what is needed for the next business, they go back to what was previously audited
5. Serve as the basis for a follow-up audit if audit findings were presented.
● We have a separate discussion regarding the follow-up of audit findings
● The committed timelines and corrective actions should be carried out
● Final findings and recommendations that are agreed upon by the audit management
6. Promote audit credibility. This depends on the report being well developed and well written.
● The criteria for audit report credibility are discussed later
● Because you do not know who may look at your audit reports

ITAF 1401.1
● IT audit and assurance practitioners shall provide a report to communicate the results of each engagement.
● An audit report should be given to the committee

ITAF 1401.2
● IT audit and assurance practitioners shall ensure findings in the audit report are supported by sufficient and appropriate evidence
● Evidence was already mentioned in the previous discussion
● Our findings must be supported by evidence
○ Physical
○ Testimonial
○ Analytical
● Whatever findings you put in the report, you should be able to back them up with evidence
● You are auditors, so everything placed in the audit report should be based on facts and evidence

ITAF 1402.1
● IT audit and assurance practitioners shall monitor and periodically report to those charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee) management’s progress on findings and recommendations. The reporting should include a conclusion on whether management has planned and taken appropriate, timely action to address reported audit findings and recommendations
● From time to time the audit
● For high risk, it should be regular
● Your reporting to the board and committee needs to be periodic
● If your audit is only annual, your internal audit, your self-assessment of the organization, seems weak
● There is no set frequency for the reporting; what matters is that it is reported periodically

ITAF 1402.2
● Progress on the overall status of the implementation of audit findings should be regularly reported to the audit committee, if one is in place.
● Small organizations may not have an audit committee; in that case it goes straight to the BOD
● It would be difficult if everything were left to the BOD

ITAF 1402.3
● Where it is determined that the risk related to a finding has been accepted and is greater than the enterprise’s risk appetite, this risk acceptance should be discussed with senior management. The acceptance of the risk (particularly failure to resolve the risk) should be brought to the attention of the audit committee (if one is in place) and/or the board of directors
● Ex. you audited your organization; there should be a hot site, but there is only a cold site
● It really should be a hot site because the risk is very high
● It should be mirrored
● Your RTO should be very short
● Disaster/crisis management dept, willing to assess
● When it reaches the president it is still considered okay; the president says not to bother creating a BCP and a hot site
● Your choice is to report that to the BOD
● If you think the residual risk is too large, report it to the BOD

❖ The IS audit-specific reporting objectives are
developed based on report requirements from
auditee management and other users of the report and in compliance with IS audit and assurance standards and audit organization protocols.
❖ The auditee or other stakeholders, such as oversight organizations, are identified during audit planning.
❖ An IS auditor develops the audit scope and objectives by considering these requirements and other elements of audit planning, such as the assessments of risk, materiality, and appropriateness of stated controls together with regulatory and IT governance requirements.
❖ The audit report formally presents the purpose and the results of the audit in line with these requirements.
❖ Every audit report should provide unbiased, well supported responses to the audit’s objectives.
❖ For example, if the audit objective is to determine whether adequate controls are in effect to provide reasonable assurance that only authorized physical access can be gained to the data center, then the report should state an IS auditor’s conclusion or opinion as to the adequacy of the controls to achieve that objective.
❖ If controls need to be implemented or strengthened to achieve the objective, then the report should provide a recommendation to meet that need.

AUDIT REPORT STRUCTURE AND CONTENTS
● Introduction
● Audit Findings
● IS Auditor’s Overall Conclusion
● IS Auditor’s Reservations or Qualifications

Audit reports are the end product of the IS audit work. The exact format of an audit report will vary by organization; however, an IS auditor should understand the basic components of an audit report and how it communicates audit findings to management.

1. INTRODUCTION
● An introduction to the report, including a statement of audit objectives, limitations to the audit and scope, the period of audit coverage, and a general statement on the nature and extent of audit procedures conducted and processes examined during the audit, followed by a statement on the IS audit methodology and guidelines
○ This is where you explain why you audited the business process/department
○ Why you performed that audit
○ Some add more, also including a brief history of the department, the functions of the department, etc.
○ At a minimum, what the introduction requires should be presented

Example:
The audit of the Electronic Data Interchange Facility (EDI) of ABC Corp. with reference date of December 31, 20x1 commenced on January 14, 20x2 and was completed on February 2, 20x2. The audit was conducted to assess the effectiveness of internal controls, risk management and governance of the EDI. The results of the audit were discussed with the Management on February 2, 20x2. The replies during the exit meeting were considered in this report. The previous audit with reference date of September 30, 20x0 was completed on December 4, 20x0.

Sampled transactions from October 1, 20x0 up to December 31, 20x1 were covered in this audit. Compliance testing was undertaken on the internal controls of the process and substantive testing was performed to assess the reliability of generated transactions. Review of the policies and procedures was performed as well as ABC Corp’s compliance with relevant laws and regulations.
- The sampling methodology may also be included

2. AUDIT FINDINGS
● Audit findings included in separate sections and often grouped in sections by materiality and/or intended recipient

ELEMENTS OF A DEFICIENCY AUDIT FINDING

CRITERIA
● standards used to determine whether an operation, function, or program meets or exceeds expectations
● Best practice: globally accepted standards
● Use the criteria related to your findings
● Policy ABC Section 123 – All purchase orders above P500,000 should be approved by the Division Head

CONDITION
● situation that exists. It has been observed and documented during the audit. It represents “what is” at the time of the audit
● How many misstatements are stated in your substantive findings
● 17 out of 25 sampled purchase orders above P500,000 from October 1, 20x0 up to December 31, 20x1

CAUSE
● explains why the poor (or good) performance observed in the audit happened
● Here we look for the good cause
● We keep asking the question why, until there is no more why left to ask
● This can be attributable to the weak configuration management of the XYZ computer system that failed to consider authorization of certain transactions

EFFECT
● actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit
● What will happen if the findings are not corrected
● As much as possible, if you can quantify the effect of your findings, do so
● Ex. what is the effect on net income
● This increases the risk of unauthorized or illegal purchases

RECOMMENDATION
● state what an audit organization believes should be done to accomplish beneficial results. They do not direct what must be done but seek to convince others (e.g., the auditee) of what needs to be done
● We should not sound as if we are giving a command
● They should be convinced to carry out those corrective actions
● SMART
● Request for a change management on the XYZ computer system to incorporate the user authorization matrix on the purchase order module.

3. IS AUDITOR’S OVERALL CONCLUSION
● An IS auditor’s overall conclusion and opinion on the adequacy of controls and procedures examined during the audit, and the actual potential risk identified as a consequence of detected deficiencies
○ Reasonable assurance
○ Based on our opinion, there were reasonable assurance that the controls were working effectively
○ Results may be qualitative (Very Satisfactory, Satisfactory, etc.) or quantitative (100, 95, 90, etc.)
■ There are no standards on how to create the auditee

4. IS AUDITOR’S RESERVATIONS OR QUALIFICATIONS
● An IS auditor’s reservations or qualifications with respect to the audit
○ This may state that the controls or procedures examined were found to be adequate or inadequate. The balance of the audit report should support that conclusion, and the overall evidence gathered during the audit should provide an even greater level of support for the audit conclusions.
○ Support for your conclusion/opinion. 2-3 paragraphs
○ What is the main reason the conclusion turned out that way

ADDITIONAL FROM BOOK
● Detailed audit findings and recommendations
○ An IS auditor decides whether to include specific findings in an audit report. This should be based on the materiality of the findings and the intended recipient of the audit report. An audit report directed to the audit committee of the board of directors, for example, may not include findings that are important only to local management but have little control significance to the overall organization. The decision on what to include in various levels of audit reports depends on the guidance provided by upper management.
● A variety of findings, some of which may be quite material while others are minor in nature
○ An IS auditor may choose to present minor findings to management in an alternate format, such as by memorandum.

An IS auditor should make the final decision about what to include or exclude from the audit report. Generally, an IS auditor should be concerned with providing a balanced report, describing not only negative issues in terms of findings but positive constructive comments regarding improved processes and controls or effective controls already in place. Overall, an IS auditor should exercise independence in the reporting process.

Auditee management evaluates the findings, stating corrective actions to be taken and timing for implementing these anticipated corrective actions. Management may not be able to implement all audit recommendations immediately. For example, an IS auditor may recommend changes to an information system that is also undergoing other changes or enhancements. An IS auditor should not necessarily expect that the other changes will be suspended until their recommendations are implemented. Rather, all may be implemented at once.

An IS auditor should discuss the recommendations and any planned implementation dates while in the process of releasing the audit report. Various constraints—such as staff limitations, budgets or other projects—may limit immediate implementation. Management should develop a firm program for corrective actions. It is important to obtain a commitment from auditee management on the date by which the action plan will be implemented (the solution can take a long time for implementation) and the manner in which it will be performed because the corrective action may bring risk that may be avoided if identified while discussing and finalizing the audit report. If appropriate, an IS auditor may want to report to senior management on the progress of implementing recommendations.

The report should include all significant audit findings. When a finding requires explanation, an IS auditor should describe the finding, its cause and risk. When appropriate, an IS auditor should provide the explanation in a separate document and refer to it in the report. For example, this approach may be appropriate for highly confidential matters. An IS auditor should also identify the organizational, professional and governmental criteria applied. The report should be issued in a timely manner to encourage prompt corrective action. When appropriate, an IS auditor should promptly communicate significant findings to the appropriate persons prior to the issuance of the report. Prior communication of significant findings should not alter the intent or content of the report.

CHARACTERISTICS OF REPORT PRESENTATION

COMPLETE
● the report contains all information needed to satisfy the audit objectives, promotes an adequate and correct understanding of the matters reported, and meets the applicable report content requirements

ACCURATE
● the evidence presented is true and findings are correctly portrayed
○ This is where your audit report can be said to be credible
○ If it is not accurate, it would already call your credibility into question
○ As an auditor, you do not want to receive a comment that your audit report is not in order

OBJECTIVITY
● the presentation of the entire report is balanced in content and tone
○ You should maintain an unbiased attitude

CONVINCING
● the audit results are responsive to the audit objectives, the findings are presented persuasively, and the conclusions and recommendations follow logically from the facts presented
○ Your finding is persuasive

CLEAR
● the report is easy to read and understand
○ The auditee is not the only user of your audit report
○ You also send it to senior management and the auditee
○ Avoid using jargon
○ It should be understood by everyone; use layman’s terms

CONCISE
● the report is no longer than necessary to convey the message
○ We do not want too many details or going around in circles
○ It should be direct to the point
○ Avoid using flowery words
○ Nobody will bother to read 100 pages
○ Only vital information should be included

AUDIT DOCUMENTATION
Audit documentation is the written record that provides the support for the representations in the auditor’s report. It should:
1. Demonstrate that the engagement complied with the standards.
2. Support the basis for the auditor’s conclusions.
- It is also like a working paper
- What was done should be documented from the start until the end

Audit documentation should include, at a minimum, a record of the following:
● Planning and preparation of the audit scope and objectives
● Description and/or walk-throughs on the scoped audit area
● Audit program
● Audit steps performed and audit evidence gathered
● Use of services of other auditors and experts
● Audit findings, conclusions and recommendations
● Audit documentation relation with document identification and dates
○ Final audit report

It is also recommended that documentation include these items:
● A copy of the report issued as a result of the audit work
● Evidence of audit supervisory review

THINGS TO CONSIDER
● Documents should include audit information that is required by laws and regulations, contractual stipulations, and professional standards.
○ From planning until the end of the audit
○ The documents maintained depend on the policies and procedures

Audit documentation is the necessary evidence supporting the conclusions reached and should be clear, complete, easily retrievable and sufficiently comprehensible. Audit documentation is generally the property of the auditee and should be accessible only to authorized personnel under specific or general permission. When access to audit documentation is requested by external parties, an IS audit and assurance professional should obtain appropriate prior approval of senior management and legal counsel before providing it to those external parties.

● Policies should be developed regarding custody, retention requirements and release of audit documentation.
○ How long should audit reports be retained? The standard does not say how long
○ If standards are developed, they should be aligned with the retention policy of the organization
○ They cannot stay in the organization forever
○ After 5 or 10 years they can be shredded, or kept in cloud storage.
○ Sometimes a third party requests the audit report. It should not be released casually; there should be a policy on how to release it because it is confidential.

● An IS auditor should take care to ensure that the evidence gathered and documented will be able to support audit findings and conclusions

The documentation format and media are optional, but due diligence and good practices require that work papers be dated, initialed, page-numbered, relevant, complete, clear, self-contained and properly labeled, filed, and kept in custody. Work papers may be automated. An IS auditor should consider how to maintain integrity and protection of audit test evidence to preserve its proof value in support of audit results.

An IS auditor should be able to prepare adequate work papers, narratives, questionnaires and understandable system flowcharts. Audit documentation or work papers can be considered the bridge or interface between the audit objectives and the final report. They should provide a seamless transition—with traceability and accountability—from objectives to report and from report to objectives. The audit report, in this context, can be viewed as a set of particular work papers.

The quest for integrating work papers in the auditor’s environment has resulted in all major audit and project management packages, CAATs, and expert systems offering a complete array of automated documentation and import-export features.

The concept of materiality is a key issue when deciding which findings to bring forward in an audit report. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management. Assessment requires judging the potential effect of the finding if corrective action is not taken. The following are examples:
● A weakness in information security physical access controls at a remote distributed computer site may be significant to management at the site but will not necessarily be material to upper management at headquarters. However, there may be other matters at the remote site that would be material to upper management.
● A review of access deprovisioning discovers that a terminated user’s access was not removed after the user’s termination date, but it was caught during management’s review of security access, at which time the terminated user’s access was removed. This type of discovery would not likely be brought to the attention of upper management but would be documented and discussed with auditee management.

FOLLOW-UP ACTIVITIES

● Follow-up program determines if agreed-on corrective actions have been implemented
● An IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions
● The timing of the follow-up will depend on the criticality of the findings and is subject to an IS auditor’s judgment

Auditing is an ongoing process. An IS auditor is not effective if audits are performed and reports issued, but no follow-up is conducted to determine whether management has taken appropriate corrective actions. IS auditors should have a follow-up program to determine if agreed-on corrective actions have been implemented. Although IS auditors who work for external audit firms may not necessarily follow this process, they may achieve these tasks if agreed to by the auditee.

The timing of the follow-up will depend on the criticality of the findings and is subject to an IS auditor’s judgment. The results of the follow-up should be communicated to appropriate levels of management. The level of an IS auditor’s follow-up review will depend on several factors. In some instances, an IS auditor may merely need to inquire as to the current status. In other instances, an IS auditor who works in an internal audit function may have to perform certain audit steps to determine whether the corrective actions agreed on by management have been implemented.

TYPES OF IS AUDIT REPORTS

AUDIT/EXAMINATION
● To provide reasonable or high level of assurance
● Opinion is stated in positive form (i.e., “The general controls are functioning effectively”)

REVIEW
● To provide limited reasonable assurance
● Opinion is stated in negative form (i.e., “Nothing has come to our attention that the general controls are not working effectively”)

AGREED UPON PROCEDURES
● No assurance provided
● Objectives and specific procedures depend on the agreement of the IS auditor and client

The IS audit report is driven mainly by the type of audit engagement and the reporting requirements from IS audit and assurance standards. While most IS audits result in a single IS audit report, in some situations, more than one report can be applicable. For example, in addition to a report for a general audience, a separate confidential security report containing detailed technical information may need to be created to ensure that security risk is not made available to unintended parties.

The organization and specific content of the report also depend on the scope and objectives of the audit engagement and the degree to which IT processes and systems are examined or require explanation. The format and protocols for audit report presentation can also depend on any requirements and expectations set forth between the audit organization and the auditee. Requirements for audit report contents or format may be requested by the audit client who may or may not be from the same organization as the auditee.

Although review, examination and agreed-upon procedure engagements have similar reporting requirements, each type of engagement stipulates different reporting requirements and limitations. The primary distinctions among reviews, examinations and agreed-upon procedures engagements are the audit objectives, the nature and extent of audit work, and the level of assurance to be provided. While all three types of audits include review work, performing audit tests is far more prevalent in audits or examinations that require stronger evidence upon which to base an opinion. Agreed-upon procedures may also include testing, but because of other limitations, an audit opinion is not expressed. Although audit scope may be the same for reviews and examinations, scope is likely to be more narrowly defined for agreed-upon procedure audits.
