
Assessing and Reporting IT Audit Findings

## Assess and Report Audit Findings in IT Environment

### Context

At the conclusion of each audit, IT-related findings and exceptions must be systematically assessed and communicated to appropriate stakeholders.

---

### Key Questions the Auditor Must Answer

1. Are there any weaknesses in IT controls?

2. What is the impact of these weaknesses on the overall audit? (Does it increase substantive testing? Does it affect the audit opinion?)

---

### Communication Channels

| Finding Severity | Communication Channel | Recipient |
|---|---|---|
| General IT control deficiencies | Internal controls memo / Management letter | Management |
| Significant deficiencies | Written communication (mandatory) | Those Charged with Governance (TCWG) |

> SA 265 governs communication of deficiencies in internal control to TCWG and management.

---

### Practical Impact Assessment

When IT controls are weak, the auditor typically:

  • Reduces reliance on automated controls → increases substantive testing.
  • Expands the period of testing.
  • Considers whether the weakness could enable fraud or material misstatement.
  • Evaluates whether a modification to the audit opinion is necessary.

Worked example

### Example 1

Example — Impact assessment of IT control weakness:

An auditor finds that access controls in the payroll system are inadequate — multiple HR staff have the ability to both create employee records AND approve payroll runs (segregation of duties failure).

  • Assessment: This is a significant deficiency.
  • Impact on audit: The auditor cannot rely on automated payroll controls; substantive testing of payroll must be expanded to cover a larger sample.
  • Communication: The weakness must be reported in writing to TCWG (Board/Audit Committee) and to management via a management letter.

⚠️ Common exam mistakes

  • Communicating IT deficiencies only to management and not to TCWG — significant deficiencies must be communicated in writing to TCWG; this is not discretionary.
  • Failing to translate IT weaknesses into audit impact — identifying a control weakness is step one; the auditor must explicitly assess how it changes audit risk and procedure design.
  • Assuming all IT findings require a modified opinion — most IT control deficiencies affect the nature and extent of substantive testing, but only pervasive unresolved issues would affect the opinion itself.