An extract of the audit report is included below.

Summary of audit findings

Recognition needs to be given to the management of the IT department. The management team is doing good work and managed to formally document policies and procedures. The security policy includes all aspects of the change management process and reflects current and leading practices. In line with good practice relating to production migration, positive assurance may be provided that programmers who develop or modify configuration items do not have the ability to access and migrate changes into the production environment.

In our opinion, the security team is making a mess of managing the risks that the organisation are exposed to$.$ The following each have a RED criticality relating to Cybersecurity risk which pose a significant level of exposure to the achievement of the protection of information security of process level objectives. Each of the five deficiencies identified needs immediate$/$urgent management attention at the process level:

$$ Firewalls are not configured in line with good practice

$$ Two$-$factor authentication is not in place.

Required

Evaluate the summary included above against the seven characteristics that internal audit reports must adhere to$.$ Provide a motivation to substantiate your evaluation.

Your Answers

Characteristics Evaluation Motivation

Accurate

Objective

Clear

Concise

Constructive

Complete

Timely