The report should be complete, accurate, objective, convincing, and as clear and concise as the subject permits. The report should include all significant audit findings. When a finding requires explanation, the auditor should describe the finding, its cause and its risk. IT audit is not effective if audits are performed and reports issued, but no follow-up is conducted to determine if audited organization has taken appropriate corrective action. The auditor should have a follow-up program to determine if agreed corrective actions have been implemented.