4.2.3: Information Security Audit (continued)
Preparing the Audit Report
After the audit examination is completed, the audit findings and suggestions for corrective actions can be communicated to responsible stakeholders in a formal meeting. This ensures better understanding and support of the audit recommendations. It also gives the audited organization an opportunity to express its views on the issues raised.
Writing a report after such a meeting, describing where agreement has been reached on each audit issue, can greatly enhance audit effectiveness. Such exit conferences also help finalize recommendations that are practical and feasible.
Issuing the Review Report
The data center review report should summarize the auditor's findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures. It should state what the review entailed and explain that a review provides only "limited assurance" to third parties.
Typically, a data center review report consolidates the entirety of the audit. It also offers recommendations surrounding proper implementation of physical safeguards and advises the client on appropriate roles and responsibilities of its personnel. Its contents may include:
- The auditors’ procedures and findings
- The auditors’ recommendations
- Objective, scope, and methodologies
- Overview/conclusions
The report may optionally include rankings of the security vulnerabilities identified during the audit and the urgency of the tasks necessary to address them. Rankings such as "high", "medium", and "low" can be used to describe how pressing each task is.
Adapted from:
"Information security audit" by Various authors, Wikipedia is licensed under CC BY-SA 3.0