1.10. Identifying Conditions and Defining Reportable Findings

As audit work is performed, evidence is reviewed, and work papers are documented, the auditor forms an opinion on whether the controls in place are sufficient to mitigate the risks to a level that meets the audit objective and business needs of the auditee. Deficiencies between the expected or required control effectiveness and the desired level of control are referred to as control weaknesses. Weaknesses can be systemic across the audit area or specific and unique to a single test or piece of audit work. During the course of the audit work, all deficiencies should be noted and annotated with work paper shorthand for review and summarizing.

At times, weaknesses are pronounced and significant, requiring the auditor to consider bringing the issues immediately to management's attention for correction or disposition. Depending on the prior audit arrangements and the nature of the audit, this is a prudent course of action. If irregularities are identified that could involve an illegal act, the auditor should either consider seeking legal advice directly or recommend that management do so. Identifying the appropriate level of management, or the appropriate responsible person, to whom issues of this nature should be reported can be tricky and may require special consideration and professional judgment. Again, outside legal counsel or audit committee reporting may need to be considered to appropriately handle situations like this. It ...
