Writing the audit report and grading findings

The report is the audit's deliverable — the thing that survives after the fieldwork is forgotten. It records what was checked, what was found, how serious each finding is, and what has to happen next. A finding that can't be acted on is a finding wasted, so the craft is in making every one specific, evidenced, graded, and tracked to closure.

What a defensible report must contain

A report that will stand up to an auditee's pushback or a regulator's review states all of the following. Scope and criteria matter as much as the findings — they bound what the audit does and does not assure.

Grade every finding by severity

A flat list of findings forces management to guess what to fix first, and they'll guess wrong. Grade them. The grade drives the urgency and the tracking. A widely used three-tier scheme:

Grade | Means | Response
Major nonconformity | A required control is absent or has failed, with real exposure | Prompt, tracked correction; may need interim mitigation now
Minor nonconformity | A control exists but a lapse or partial gap was found | Corrected in the normal cycle, with an owner and date
Observation / OFI | No breach, but a weakness worth addressing before it becomes one | Optional improvement; logged, not mandatory

Write findings that can be acted on

A weak finding states a verdict; a strong finding states the requirement, the evidence, and the gap between them. The reader should finish a finding knowing exactly what is wrong, how you know, and what to fix — without asking you a single follow-up question.

Unactionable

"Access control is poor. Some leavers still had accounts. This should be improved." — a verdict with no requirement cited, no evidence, no scale, and a vague instruction. Management can neither judge its severity nor act on it.

Actionable

"Requirement: access must be removed promptly on departure (criteria: org access-control policy §4; supports GDPR Art. 32 / NIS2 Art. 21). Evidence: of 25 leavers sampled (HR leaver list cross-checked against a live directory export, 12 March), 4 retained active accounts 30+ days past their exit date, including 1 administrator. Gap: the revocation control is not operating within the required timeframe for a material share of leavers. Grade: Major." — actionable, evidenced, graded.

The CAPA loop — corrective and preventive action to closure

The audit isn't finished when the report is issued; it's finished when the actions are closed and confirmed. Each nonconformity should run through a corrective-action loop:
  1. Correction — fix the immediate instance (disable the four accounts now).
  2. Root-cause analysis — why did it happen? (No automated link between HR offboarding and account revocation.) Treating the symptom without the cause guarantees a repeat finding.
  3. Corrective action — address the root cause so it doesn't recur (automate the HR-to-directory trigger).
  4. Owner and due date — a named person and a real date, not "the team, soon."
  5. Verification — an auditor confirms the action worked and the cause is closed, ideally by re-testing, not by taking "done" on trust.
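As an added example (not part of this guide), the evidence test behind the leaver finding above and the step-5 re-test, in Python: a constructed HR leaver list is reconciled against a constructed directory export, the finding record is built in the requirement/evidence/gap/grade shape, and the same check is re-run after correction to confirm closure. The grading thresholds (any retained administrator, or stale accounts in 10% or more of the sample, is a Major) and the policy section cited are assumptions, not rules from the guide.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Leaver:
    user: str
    exit_date: date

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    is_admin: bool

def stale_accounts(leavers, directory, as_of, grace_days=30):
    """Leavers whose account is still enabled grace_days or more after exit:
    HR leaver list cross-checked against a directory export taken on as_of."""
    by_user = {a.user: a for a in directory}
    stale = []
    for lv in leavers:
        acct = by_user.get(lv.user)
        if acct and acct.enabled and (as_of - lv.exit_date).days >= grace_days:
            stale.append((lv, acct))
    return stale

def grade(sample_size, stale):
    """Assumed grading rule: admin retained or 10%+ of sample stale -> Major."""
    if not stale:
        return "None"
    if any(a.is_admin for _, a in stale) or len(stale) / sample_size >= 0.10:
        return "Major"
    return "Minor"

def write_finding(leavers, directory, as_of):
    stale = stale_accounts(leavers, directory, as_of)
    admins = sum(1 for _, a in stale if a.is_admin)
    return {
        "requirement": "Access removed promptly on departure (access-control policy s.4, assumed)",
        "evidence": f"{len(stale)} of {len(leavers)} sampled leavers retained active accounts "
                    f"30+ days past exit (directory export {as_of.isoformat()}), "
                    f"including {admins} administrator(s)",
        "gap": "Revocation control not operating within required timeframe" if stale else "No gap found",
        "grade": grade(len(leavers), stale),
        "stale_users": sorted(lv.user for lv, _ in stale),
    }

def verify_closed(leavers, directory, as_of):
    """Step-5 re-test: closure means the same check finds nothing, not that someone said 'done'."""
    return not stale_accounts(leavers, directory, as_of)

# Constructed sample: 5 leavers, export dated 12 March; ana (admin) and dee still enabled 30+ days out.
EXPORT_DATE = date(2024, 3, 12)
LEAVERS = [Leaver("ana", date(2024, 1, 5)), Leaver("ben", date(2024, 1, 20)),
           Leaver("cai", date(2024, 2, 28)), Leaver("dee", date(2024, 2, 1)), Leaver("eli", date(2024, 3, 1))]
DIRECTORY = [Account("ana", True, True), Account("ben", False, False),
             Account("cai", True, False), Account("dee", True, False), Account("eli", True, False)]
```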

Deliver the report so it lands

  1. No surprises. Major findings should be raised with the auditee during fieldwork, not sprung in the report. The closing discussion confirms facts, not verdicts.
  2. Lead with the conclusion. Busy management reads the summary and the majors; structure the report so the most important thing is first.
  3. Separate fact from opinion. Findings are evidenced fact; recommendations (if any) are clearly labelled opinion.
  4. Keep it as evidence. The signed, dated report — with its scope, samples, and findings — is part of your accountability trail and the starting point for the next audit of that unit.

Related guides

This guide explains the method. To apply it across a whole regulation — every obligation scored and traceable — see the audit checklists, each with a free Regulatory Compliance Matrix you can review before buying.