Which of the following is the main requirement in reporting results of an IS audit?

Objectives of audit programs

When developing an audit program, the internal auditor and its associated audit team should start with outlining the audit's objectives, goals and obligations.

Audit program objectives help direct planning of the audit report and are based onthe policies, procedures and guidelines unique to the company. These objectives may relate to and outline how the auditors will maintain efficiency, professionalism and a specific code of conduct during audit procedure.

In addition to relevant regulatory compliance mandates, objectives for audit programs should consider aspects such as management priorities, business intentions, system requirements, business structure, legal and contractual mandates, the expectations of customers and other interested parties, potential risk management vulnerabilities, and any corrective action taken based on previous audits.

Preparing an audit program

Audit program details are specific to individual organizations based on their unique needs, but audit plan preparation will consider the audit's relevant regulatory deadlines, staff requirements and reporting structure, and overall goals.In particular, these goals will consider how the company will maintain regulatory compliance via risk assessment and management procedures. The audit program should also include a timeline detailing when specific aspects of the audit program should take place and how they should be prioritized.

Audit program planning is usually a continual and iterative process. During audit planning and development, companies can build on lessons learned from previous audits by implementing newly learned best practices that alleviate risk and maintain compliance. Audit development guidelines and best practices vary by industry, but local and regional auditing certifications are available, as are internationally recognized audit certifications. These certifications include Certified Internal Auditor and Certified Information Systems Auditor, and membership in the International Register of Certificated Auditors.

Types of audit programs

Different types of audit programs include standardized audit programs, tailored audit programs and compliance audit programs. Standardized audit programs, which are available for many different industries, can be used proactively to help an organization create its own internal compliance framework and internal audit program. For example, the International Federation of Accountants publishes financial audit standards called the International Standards on Auditing. A standardized audit program is different than a fixed audit program, which is defined as an audit program that cannot be changed during the course of an audit.

Tailored audit programs are different from standardized audit programs in that they cater audit procedures to match specific needs of the auditing entity.These audit programs are "tailored" to reference specific areas such as business procedures, legal documents and assets. By targeting these specific requirements through tailored audit programs, the company can more quickly identify potential compliance lapses and develop internal controls to offset these vulnerabilities.

A compliance audit program outlines how an organization will adhere to regulatory guidelines. The details of compliance audit program will vary depending upon factors such as whether an organization is a public or private company, what kind of data it handles and if it transmits or stores sensitive financial data. For instance, Sarbanes-Oxley Act requirements state that electronic communication must be backed up and secured with disaster recovery infrastructure, while financial services companies that transmit credit card data are subject to Payment Card Industry Data Security Standard (PCI DSS) requirements. In the Unites States, publicly traded companies must report results of internal control audits to the Securities and Exchange Commission (SEC). In each case, an organization's audit program outlines how the company will maintain compliance with regulatory compliance rules.