How do you write a legacy system audit finding without overstating it?
I found an unsupported workstation supporting a critical process. Some controls exist, but risk acceptance and replacement planning are weak. What should the finding say?
Write the finding around evidence, not fear. A good finding acknowledges controls that exist and identifies the specific gap that remains.
A useful structure is:
- Condition: critical application runs on unsupported technology.
- Criteria: policy, risk appetite, patch-management standard, vendor lifecycle requirement, or cybersecurity framework.
- Cause: application dependency, unavailable upgrade path, funding delay, or unclear ownership.
- Risk: security exposure, operational outage, compliance issue, recovery failure, or unsupported vendor response.
- Evidence: asset record, support status, access rules, missing risk acceptance, missing restore test, or no migration date.
- Recommendation: document risk acceptance, strengthen compensating controls, assign owner, set review cadence, and approve a remediation roadmap.
For example, the finding might say that management has not documented residual risk acceptance or a funded remediation path for a critical application running on unsupported technology. That is more defensible than claiming a breach is inevitable.
The strongest report language ties the issue to governance and control effectiveness, not to an auditor's personal discomfort with old software.
Master Communicating Results with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Join the Discussion
Ask questions and get expert answers.