My audit reports have morphed a bit over the years into a pretty straightforward form that presents everything in risk chunks. It looks like this:
Intro
Scope
Kudos (gotta have positive reinforcement)
Table of Contents (if there's more than a few findings)
Findings
Thank-yous and conclusion
The findings section looks like this:
o Control Gap (FYI/Low/Med/High):
o Recommendation:
o Response:
All findings are reported one at a time in this format. This allows for an easy response that is incorporated into the original report. The findings are broken up into sections such as Documentation, User Controls, General Concerns, etc. Definitions of each of the risk levels are also provided.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.