English for IT Audit Analysts: Writing Findings, Evidence, and Remediation Plans

Learn the English vocabulary and structure for writing IT audit findings, documenting evidence, and crafting clear remediation plans for SOX and ISO 27001 compliance.

IT Audit Writing: Precision Is Everything

IT audit reports have direct consequences — they influence regulatory decisions, executive actions, and sometimes legal proceedings. Writing them clearly and precisely in English is not optional. This guide covers the structure of an audit finding, evidence vocabulary, remediation plan language, and the key terms you will encounter in SOX and ISO 27001 audits.

The Four-Part Finding Structure

Every well-written audit finding follows a standard four-part structure. Knowing this structure — and the vocabulary associated with each part — lets you write findings that are clear, defensible, and actionable.

1. Condition

The condition is what you found — the factual observation. Write it in plain, specific language. Avoid conclusions or blame at this stage.

“Access provisioning logs for the financial reporting system showed that 14 user accounts retained elevated privileges for more than 90 days after the users’ role changes.”

2. Criteria

The criteria are the standard, policy, or control objective against which the condition is measured. This is the “what should be” statement.

“Per the organisation’s Access Management Policy (v2.3), elevated privileges must be revoked within five business days of a role change.”

3. Cause

The cause explains why the condition exists. Causes are typically related to process gaps, lack of automation, unclear ownership, or missing controls.

“The access review process relies on manual notification from the HR system, which does not generate automated alerts when role changes are recorded.”

4. Effect

The effect describes the risk or impact resulting from the condition — what could go wrong, or what has gone wrong, as a result.

“Retained elevated access increases the risk of unauthorised modification of financial data, potentially affecting the integrity of regulatory reports.”

Evidence Vocabulary

Evidence in an audit is the information gathered to support findings and conclusions. Different types of evidence carry different weight.

Documentary evidence — written records such as policies, contracts, configuration screenshots, or email correspondence. “We obtained documentary evidence in the form of the access provisioning request log exported from the ITSM system.”

Testimonial evidence — statements obtained from interviews with staff. “Testimonial evidence from the system administrator confirmed that the manual review process was last performed in Q3 of the previous year.”

Observation — evidence gathered by watching a process or examining a system directly. “Through direct observation of the change management process, the auditor noted that peer review steps were being bypassed under time pressure.”

Population — the full set of items from which the audit sample is drawn. “The population for this control test was all 342 user accounts with access to the production database.”

Sample — the subset of the population selected for testing. “A random sample of 25 accounts was selected for detailed access rights review.”

Remediation Plan Language

A remediation plan describes how management will address a finding. As an audit analyst, you may write these on behalf of management or review plans submitted by the control owner.

Key phrases:

  • “Management agrees with the finding and will implement the following corrective actions.”
  • “The root cause has been identified as [cause]; the remediation will address this by [action].”
  • “The target remediation date is [date], subject to resource availability.”
  • “Compensating controls will be in place by [date] to mitigate the risk in the interim period.”
  • “Progress will be tracked in the risk register and reviewed at the next quarterly audit committee meeting.”

SOX and ISO 27001 Terminology

SOX (Sarbanes-Oxley Act) — US legislation requiring strong internal controls over financial reporting. IT systems that process financial data fall under SOX scope. Key terms: ITGC (IT General Controls), segregation of duties, change management control, logical access control.

ISO 27001 — the international standard for information security management systems. Key terms: Statement of Applicability (SoA), risk treatment plan, Annex A control, nonconformity, corrective action.

Control objective — the purpose or goal that a control is designed to achieve. “The control objective is to ensure that only authorised individuals can approve changes to production systems.”

Nonconformity — in ISO 27001, a failure to meet a requirement of the standard. “The absence of a formal asset inventory is a nonconformity against ISO 27001 Clause 8.1.”

Five Example Sentences

  1. “The condition identified during fieldwork is that privileged access reviews for the ERP system were not performed during the audit period.”
  2. “Per ISO 27001 Annex A Control 9.2.5, privileged access rights shall be reviewed at regular intervals, which the organisation’s policy specifies as quarterly.”
  3. “The cause of the deficiency was the absence of an automated workflow to schedule and evidence access reviews in the ITSM platform.”
  4. “Management has agreed to implement an automated access certification campaign by the end of Q2, with the CISO as the designated control owner.”
  5. “Documentary evidence in the form of signed approval records was obtained for all 25 sampled change requests, confirming the control was operating effectively.”

A Final Note on Tone

Audit reports should be factual, objective, and professional. Avoid language that sounds accusatory or speculative. Write “the log did not contain evidence of approval” rather than “no one approved this change”. Let the facts speak, and let management interpret causes and intent. This approach makes your findings harder to dispute and builds lasting credibility with auditees.