Audit report & control self-assessment (CSA)

Updated: Jan 3

This note covers the key points on audit reports and control self-assessment (CSA).


Audit report

The audit report is the final product of IT audit work, used by IT auditors to report audit findings and recommendations to management.

Audit reports usually have the following structure and content:

① The summary of the report covers the audit objectives, scope and limitations, the audit period, a general description of the nature and scope of the audit procedures and tests performed during the audit, and a description of IS audit methods and guidance.

② It is best to describe the audit findings in sections, which can be divided according to the importance of the audit findings or the intended recipients.

③ Make overall conclusions and opinions on the adequacy of the controls and procedures tested in the audit, as well as the potential risks caused by the defects found.

④ The IS auditor’s qualifications and limitations on the audit, stating whether the controls or procedures tested are sufficient or inadequate. The audit report should support the audit conclusion, and all the evidence collected during the audit should also provide a higher level of support for the audit conclusion.

⑤ Detailed audit findings and recommendations. IS auditors should decide which audit findings to include in the report. This should be based on the significance of the findings and the expected recipients of the audit report.

⑥ Audit findings vary in nature: some are important, some are not. Auditors can submit unimportant audit findings to management in other formats, such as memos.

Audit document

Audit documents are evidence supporting the audit conclusions, so they should be clear, complete, and easy to retrieve and understand.

Audit documents are usually the property of the auditing entity and can only be accessed by authorized persons. When external organizations need to access these documents, the auditor should obtain approval from senior management or the client.

IT auditors or audit departments should also formulate policies for keeping, retaining, and publishing audit documents.

The audit documentation should include at least the following records:

1. Planning and preparation of audit objectives and scope

2. Describe the defined audit areas or perform walkthroughs

3. Audit procedures

4. Audit steps performed and audit evidence collected

5. Use the services of other auditors and experts

6. Audit findings, conclusions, and recommendations

7. The relationship between audit documents and document appraisal and time

It is recommended that the audit documentation also include:

1. A copy of the audit report as the result of the audit work

2. Evidence of audit supervision and inspection

Control Self-Assessment (CSA)

Control Self-assessment (CSA) can be seen as a management technique that assures stakeholders, customers, and other organizations that a company's internal control system is reliable and that employees are aware of the risks facing the business and proactively implement periodic control checks.

CSA is also a method. It is a series of formal and written procedures used to check key business objectives, the risks faced in achieving the objectives, and the internal controls for managing business risks.

In the control self-assessment activities, the management and CSA team will directly participate in the judgment and monitoring of existing controls.

In this activity, the information system auditors act as control experts and facilitators of evaluation activities.

CSA basic tools include management meetings, seminars, worksheets, and CSA project methods.

Control self-assessment (CSA) goal

The main goal of CSA is to leverage the internal audit function by decentralizing some control and supervision responsibilities to functional departments. This is not to replace the audit responsibilities, but to strengthen them.

The CSA program also educates managers on how to design and monitor controls, especially in high-risk areas.

A key success factor is that the main goal of the business unit has been discussed with representatives of the business unit (appropriate and relevant employees or managers), in order to determine the reliability of the internal control system.

COBIT is a governance and control framework that can provide guidance for designing control self-assessment methods.

The advantages of control self-assessment (CSA):

① Detect risks early

② Improve internal control more effectively

③ Strengthen team spirit through employee participation

④ Increase employees' understanding of organizational goals, risks and internal control

⑤ Enhance communication between operations and senior management

⑥ Strongly stimulate the initiative of employees

⑦ Improve the audit evaluation process

⑧ Reduce control costs

⑨ Provide assurance to stakeholders and customers

⑩ Provide senior management with the necessary assurance that the internal control requirements of various legal institutions and regulations (such as the Sarbanes-Oxley Act) are met

The disadvantages of control self-assessment (CSA):

① May be mistaken for replacing the audit function

② May be seen as additional workload (an additional report must be submitted to management)

③ Failure to implement improvement suggestions will damage the morale of employees

④ Lack of motivation may limit the effectiveness of inspection of control deficiencies

The role of auditors in CSA:

When the audit department establishes a CSA procedure, it should consider strengthening the auditor's responsibilities in the CSA. In the established procedure, the auditor should act as an internal control expert and evaluation promoter.

When managers take the initiative to supervise and improve the process structure, assume the responsibility of internal control within their authorized management, and clarify the identity of the owner, the value of auditors in CSA can be reflected. To become effective CSA promoters and innovators, auditors must understand business processes, which can be achieved through various traditional audit methods (such as pre-investigation, walkthrough, etc.). At the same time, auditors should keep in mind that they are only the promoters of CSA, and only managers are the specific implementers of CSA procedures.
