Audit and testing

Findings report and action plan

What is an audit findings report and action plan?

An audit findings report is the written result of an IT review. It records what was examined, what was found and how serious each individual finding is. The action plan puts those findings in order of urgency and names the concrete remedy for each one.

A usable findings report starts with the scope and the date of the review, so it stays clear later which systems and which state the report speaks about. Each finding then follows the same structure: the observation, the system affected, the risk in plain language and the recommended measure. A one page summary is written for the owner or managing director and works without technical vocabulary.

The action plan sorts the findings by urgency. Anything that opens a path into the network today is treated immediately, for example remote access without a second factor or the still active account of a former employee. Missing security updates and untested backups follow in the short term. The medium term holds the points that need time and coordination, such as a permissions concept, meaning a written rule on who may access which data, dividing the network into separate zones, or staff training.

A report turns into security once every measure has a named owner, a deadline and a review date. Put the action plan on the agenda of your regular meetings and tick the points off with evidence. Where your IT service provider carries out the work, the report serves as common ground: it states the situation, the reason and the goal, and both sides work from the same text.

The report also carries weight outside the company. Article 32(1)(d) of the GDPR requires a process for regularly testing the effectiveness of your security measures, and a dated audit report with tracked measures documents exactly such testing. Insurers and larger clients ask for comparable evidence. At the same time the report describes your weak points precisely. Store it encrypted, send it encrypted and keep the circle of people with access small.

With the IT Check you receive the documented findings and a prioritised action plan within 14 working days of the visit. A non-disclosure agreement is signed before the review begins. An initial 20 minute conversation is at no charge and settles in advance which systems belong in the scope.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call