When reporting internal audit findings related to Enterprise Resource Planning (ERP) systems, IT audit findings must be relevant to business objectives. Business leaders may not fully understand technical IT risks, so reports should translate IT risks into business impacts to ensure actionable decision-making.
(A) Draft separate audit reports for business and IT management.
Incorrect: Fragmenting reports could create misalignment, reducing the effectiveness of integrated risk management.
(B) Connect IT audit findings to business issues. (Correct Answer)
IT auditors should explain how IT risks impact operations, financial reporting, and strategic goals.
IIA Standard 2410 – Criteria for Communicating requires audit findings to be clear, relevant, and actionable for all stakeholders.
IIA GTAG 8 – Auditing Application Controls emphasizes aligning IT controls with business risks.
(C) Include technical details to support IT issues.
Incorrect: While technical details help IT teams, business executives need risk-based insights, not just technical specifics.
(D) Include an opinion on financial reporting accuracy and completeness.
Incorrect: While ERP systems impact financial data, IT auditors should focus on system risks, not directly on financial reporting opinions (which is the role of financial auditors).
IIA Standard 2410 – Criteria for Communicating: Requires clear and business-relevant communication of audit findings.
IIA GTAG 8 – Auditing Application Controls: Advises IT auditors to relate technical risks to business objectives.
Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because IT audit findings should be framed in a way that connects technical risks to business implications, making them more relevant to management.
Submit