Guidelines for Writing Audit Reports

sponsored by the Henderson Group
Computer Security Consulting and Training

Every organization has its own format for audit reports. Your reports will be more effective, however, if you keep these guidelines in mind and consider following them unless there is some overriding reason not to:

These suggestions come from Please send comments and suggestions for additional suggestions to

About the Author

Stuart Henderson is an experienced consultant and trainer who specializes in effective information technology audits and information security. He has helped hundreds of organizations make better use of security software such as RACF, ACF2, and TopSecret. He has also helped these organizations address the technical and organizational issues surrounding cross-platform security. As President of the Henderson Group, he directs a variety of activities in support of the information security and IT audit communities. These include seminars, consulting services, articles, and speeches. He is an experienced system programmer who has earned the Certified Internal Auditor, Certified Management Accountant, and Certified Data Processor designations. His seminars on computer security and audit of MVS, DB2, RACF, VTAM, Windows NT, Windows 2000, and other subjects are taught nationwide. He teaches Certified Information Systems Auditor review courses for the National Capital Area Chapter of the ISACA.

He speaks to groups such as the Vanguard conference, the DPMA, the ISSA, and the ISACA. Some of his topics have been: "What System Programmers Know that DSOs and EDP Auditors Should (or How I Would Break into Your System and What You Should be Doing to Stop Me)", "What Non-Data Processing Executives Should Know and Do About Computer Security", "Combining VAX/VMS Security with IBM Mainframe Security", and "Tools for Maintaining Single Point of Control for Security". He is founder of the New York RACF Users Group and Editor of its newsletter. He also edits the free email newsletter "Mainframe Audit News". His website is He can be reached at (301) 229-7187 or
