ASSESS AND REPORT AUDIT FINDINGS

ASSESS AND REPORT AUDIT FINDINGS

At the conclusion of each audit, it is possible that there will be certain findings or exceptions in IT environment and IT controls of the company that need to be assessed and reported to relevant stakeholders including management and those charged with governance viz., Board of directors, Audit committee [Students may refer SA 260 (Revised) – Communication with Those Charged with Governance for more details]. 

Some points to consider are as follows:

•  Are there any weaknesses in IT controls? 
•  What is the impact of these weaknesses on overall audit? 
•  Report deficiencies to management – Internal Controls Memo or Management Letter. 
•  Communicate in writing any significant deficiencies to Those Charged With Governance. 

The auditor needs to assess each finding or exception to determine impact on the audit and evaluate if the exception results in a deficiency in internal control. Refer to the flowchart to learn how this assessment should be carried out. This approach and thought process is the same when auditing in an automated environment or when auditing in a more manual environment.

A deficiency in internal control exits if a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or the control is missing.

Evaluation and assessment of audit findings and control deficiencies involves applying professional judgement that include considerations for quantitative and qualitative measures. Each finding should be looked at individually and in the aggregate by combining with other findings/deficiencies.