When preparing an audit report, what should the IS auditor ensure the results are supported by?

In preparing an audit report, it is essential that the results presented by the IS auditor are backed by sufficient and appropriate audit evidence. This is fundamental to maintaining the integrity and reliability of the audit process. Sufficient audit evidence refers to the quantity of evidence collected, while appropriate audit evidence refers to its quality and relevance to the audit objectives.

Gathering adequate evidence allows the auditor to form a well-founded opinion about the subject matter being audited. It not only supports the findings and conclusions drawn during the audit but also reinforces the overall credibility of the audit report. This evidence can come from various sources such as interviews, documentation, observation, and analytical procedures, ensuring that the auditor can substantiate their claims and recommendations with a solid foundation.

While gathering statements from IS management, work papers of other auditors, and organizational control self-assessments can be helpful in an audit process, they do not take precedence over the need for comprehensive audit evidence. These sources may provide useful insights or supplementary information, but they should not replace the auditor's obligation to gather and evaluate their own evidence that meets the necessary criteria for sufficiency and appropriateness.