A.7. Compliance audit report
The compliance audit report formally reports on the findings from the compliance audit which measures the extent to which an organisation's IT meets a new requirement such as a legal obligation.
The compliance audit report is a simple factual report that states the level of compliance achieved and what would be required to achieve further compliance. It does not recommend whether corrective action should actually be carried out, as that requires an analysis of issues outside the scope of the audit.
The report is produced as part of the compliance audit.
The report is produced by the system governance manager or their team.
The report is initially reviewed by the compliance owner, and then circulated to the IT decision makers, the system governance sponsor, the system governance committee and the compliance stakeholders.
Introduction
Describe the background to the audit, explaining the objective of the audit, and its scope. Explain why it was managed as a separate audit rather than as part of the normal system governance review cycle. Refer to any relevant documents produced during the initiation of the compliance audit.
Audit process
Briefly describe the audit process.
Describe what new criteria have been defined. Briefly explain the weighting and scoring scheme for the new criteria. Explain that these will from now on be managed as part of the standard system governance criteria, and what the weighting of these criteria is within the standard criteria. State when the next system governance annual review will take place, and that the new criteria will be included within it.
Describe what systems fall within the scope of the audit, and the target level of coverage.
Findings
State the level of coverage achieved, and whether this was within target.
State the score achieved for the new criteria across all systems in scope.
Describe each of the compliance issues that have been identified (which might be as simple as “not compliant”). List the systems that have each issue, and describe what action is required to make them compliant.
Note any other relevant issues and observations. For example, indicate systems that are not compliant, but where the assessment has found definite plans to become compliant.
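As an added worked example (not part of the original template), the following Python turns constructed per-system assessment results into the figures the Audit process and Findings sections ask for: the coverage achieved against the target, the weighted score for the new criteria across the assessed systems, the systems grouped by compliance issue, and the non-compliant systems that have a definite plan to become compliant. The criteria names, their weights, the 0-to-1 scoring and the 80% coverage target are all assumptions made for illustration; the template itself leaves the actual weighting and scoring scheme to the audit.

```python
"""Added worked example: deriving Findings figures from per-system assessment results.

Assumptions (not from the template): each new criterion is scored 0.0 (not compliant)
to 1.0 (compliant) per system, each criterion has an integer weight, and the coverage
target is a fraction of in-scope systems that must actually be assessed.
"""
from collections import defaultdict

# Constructed weighting scheme for the new criteria (assumed, for illustration).
CRITERIA_WEIGHTS = {"data-retention-policy": 3, "access-review": 2, "encryption-at-rest": 5}
COVERAGE_TARGET = 0.8  # assumed target: 80% of in-scope systems assessed

# Constructed sample assessments for the systems in scope.
ASSESSMENTS = [
    {"system": "HR payroll", "assessed": True,
     "scores": {"data-retention-policy": 1.0, "access-review": 1.0, "encryption-at-rest": 1.0},
     "issues": [], "planned": False},
    {"system": "CRM", "assessed": True,
     "scores": {"data-retention-policy": 0.0, "access-review": 1.0, "encryption-at-rest": 0.5},
     "issues": ["no retention schedule", "partial disk encryption"], "planned": True},
    {"system": "Legacy billing", "assessed": True,
     "scores": {"data-retention-policy": 0.0, "access-review": 0.0, "encryption-at-rest": 0.0},
     "issues": ["no retention schedule", "no access review", "unencrypted storage"],
     "planned": False},
    {"system": "Intranet wiki", "assessed": False, "scores": {}, "issues": [], "planned": False},
    {"system": "Build server", "assessed": False, "scores": {}, "issues": [], "planned": False},
]


def coverage(assessments):
    """Fraction of in-scope systems that were actually assessed."""
    if not assessments:
        return 0.0
    return sum(1 for a in assessments if a["assessed"]) / len(assessments)


def weighted_score(scores, weights):
    """Weighted compliance score for one system, in [0, 1]; a missing criterion scores 0."""
    total = sum(weights.values())
    return sum(weights[c] * scores.get(c, 0.0) for c in weights) / total


def overall_score(assessments, weights):
    """Mean weighted score across assessed systems only. Unassessed systems are
    reported through the coverage figure rather than folded in as zero."""
    assessed = [a for a in assessments if a["assessed"]]
    if not assessed:
        return 0.0
    return sum(weighted_score(a["scores"], weights) for a in assessed) / len(assessed)


def systems_by_issue(assessments):
    """Map each compliance issue to the sorted list of systems that have it."""
    by_issue = defaultdict(list)
    for a in assessments:
        for issue in a["issues"]:
            by_issue[issue].append(a["system"])
    return {issue: sorted(systems) for issue, systems in sorted(by_issue.items())}


def non_compliant_with_plan(assessments):
    """Assessed systems that have at least one issue but a definite remediation plan."""
    return sorted(a["system"] for a in assessments
                  if a["assessed"] and a["issues"] and a["planned"])


def findings(assessments, weights, target):
    """Assemble the figures the Findings section states."""
    cov = coverage(assessments)
    return {
        "coverage": round(cov, 3),
        "coverage_within_target": cov >= target,
        "overall_score": round(overall_score(assessments, weights), 3),
        "systems_by_issue": systems_by_issue(assessments),
        "planned_remediation": non_compliant_with_plan(assessments),
    }


if __name__ == "__main__":
    result = findings(ASSESSMENTS, CRITERIA_WEIGHTS, COVERAGE_TARGET)
    print(f"Coverage: {result['coverage']:.0%} "
          f"({'within' if result['coverage_within_target'] else 'below'} target)")
    print(f"Score for new criteria across assessed systems: {result['overall_score']:.0%}")
    for issue, systems in result["systems_by_issue"].items():
        print(f"Issue '{issue}': {', '.join(systems)}")
    print("Non-compliant with definite plans:", ", ".join(result["planned_remediation"]) or "none")
```

The score deliberately averages only over assessed systems and reports the missing ones through the coverage figure, so a shortfall in coverage is visible as a separate finding rather than silently dragging the score down; the issue listing is what feeds the "systems that have each issue" paragraph of the report.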
Conclusions
State any general conclusions that can be drawn from the audit. Do not recommend corrective action – leave that to the compliance owner's follow-up.
