Audit Report Format Ver 1.0

The document provides a template for audit reports. It includes sections for the executive summary, engagement scope, audit activities and timelines, audit methodology, tools used, observations, and appendices. The template aims to standardize the structure and contents of audit reports.


<Confidential>

Audit Report Format

Report Release Date: dd.mm.yyyy
Type of Audit: e.g. Application Security, Vulnerability Assessment, etc.
Type of Audit Report: First Audit Report / Follow-up Audit Report
Period: Audit start date to Audit completion date

Page 1 of 12 CERT-In Audit report format: Version 1.0



Document Control

Document Preparation

Document Title:
Document ID:
Document Version:
Prepared by:
Reviewed by:
Approved by:
Released by:
Release date:

Document Change History

Version | Date | Remarks / Reason of change

Document Distribution List

Name | Organization | Designation | Email Id


Contents

Introduction (page 4)
Engagement Scope (page 5)
Details of the Auditing team (page 6)
Audit Activities and Timelines (page 7)
Audit Methodology and Criteria / Standard referred for audit (page 8)
Tools/ Software used (page 9)
Executive Summary (page 10)
Detailed Observations (page 11)
Appendices (page 12)


Introduction

Brief introduction to the audit engagement, covering the following:

- The objectives and goals of the audit.
- Any exemptions, assumptions or limitations that affected the audit.
- In case the audit is conducted on a sampling basis, the sampling criteria and methodology used.


Engagement Scope

<The details below of the assets covered in the scope (whichever are applicable based on the type of audit) are to be included in this section, along with other relevant details:>

S. No | Asset Description | Criticality of Asset | Internal IP Address | Public IP Address | URL (in case of applications) | Location | Hash Value | Version (in case of applications) | Other details such as make and model in case of network devices or security devices

Date up to which the list has been updated: dd.mm.yyyy (to be shared by the Auditee organization with the Auditing organization before commencing the audit assignment)


Details of the Auditing team

S. No | Name | Designation | Email Id | Professional Qualifications/ Certifications | Whether the resource has been listed in the Snapshot information published on CERT-In's website (Yes/No)
1 | | | | |
2 | | | | |


Audit Activities and Timelines

<Details of the audit phases, along with their timelines, are to be captured in this section>


Audit Methodology and Criteria / Standard referred for audit

<Briefly describe the standard and methodology used for conducting the audit>


Tools/ Software used

S. No | Name of Tool/Software used | Version of the tool/Software used | Open Source/Licensed


Executive Summary

<A high-level overview of the key audit findings and vulnerabilities. This section is for senior management to understand business risks. It should include charts representing the count of observations by severity, along with the list of observations in the tabular format below.>

S. No | Affected Asset i.e. IP/URL/Application etc | Observation/ Vulnerability title | CVE/CWE | Control Objective # | Control Name # | Audit Requirement # | Severity | Recommendation | Reference | New or Repeat observation
1 | | | | | | | | | |
2 | | | | | | | | | |

# Applicable in case of compliance Audits such as ISO/IEC 27001 Audit, PCI DSS audit, audit as
per regulatory requirements / directions or any other such audit which checks compliance against
standards/guidelines/directions mandated/recommended by a regulator or government agency.


Detailed Observations

<Must include the below details for each observation/ vulnerability, along with other relevant details:>

i. Affected Asset i.e. IP/URL/Application etc.


ii. Observation/ Vulnerability title
iii. Detailed observation / Vulnerable point
iv. CVE/CWE
v. Control Objective #
vi. Control Name #
vii. Audit Requirement #
viii. Severity
ix. Recommendation
x. Reference
xi. New or Repeat observation
xii. References to evidences / Proof of Concept

# Applicable in case of compliance Audits such as ISO/IEC 27001 Audit, PCI DSS audit, audit as
per regulatory requirements / directions or any other such audit which checks compliance against
standards/guidelines/directions mandated/recommended by a regulator or government agency.
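The Executive Summary asks for a count of observations by severity and the Detailed Observations list requires each finding to be marked "New or Repeat observation", which in a follow-up audit means matching the current findings against the first audit report. The following is an added example (not part of the CERT-In template) that builds both: it keys a repeat on the same asset plus the same CWE (falling back to the normalised title when no CWE is recorded) and rejects severity values outside the reporting scale. The severity scale, the matching rule and the sample findings are all assumptions constructed for this example.

```python
"""
Derive the Executive Summary counts and the New/Repeat status of each
observation from two findings lists: the current audit and the previous
(first) audit report.

Added example for the CERT-In report format; the severity scale, the
matching key and the sample findings are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed reporting scale; order is used to rank rows in the summary.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Informational")


@dataclass(frozen=True)
class Finding:
    asset: str              # Affected asset i.e. IP/URL/Application
    title: str              # Observation / Vulnerability title
    cwe: str                # CVE/CWE reference, "" if none was assigned
    severity: str
    recommendation: str = ""

    def __post_init__(self):
        # Reject anything outside the agreed scale so the chart counts cannot silently drop a row.
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {self.severity!r} for {self.title!r}")


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive form used for comparisons."""
    return " ".join(text.lower().split())


def match_key(f: Finding) -> tuple:
    """Assumption: a repeat is the same weakness class on the same asset.

    Titles are reworded between reports, so the CWE is preferred as the
    weakness identifier; the normalised title is used only when no CWE exists.
    """
    weakness = f.cwe.upper() if f.cwe else normalize(f.title)
    return (normalize(f.asset), weakness)


def classify(current, previous):
    """Return [(finding, 'New' | 'Repeat')] for the current audit."""
    prior = {match_key(f) for f in previous}
    return [(f, "Repeat" if match_key(f) in prior else "New") for f in current]


def severity_counts(findings):
    """Counts per severity for the chart, with zeros for unused levels."""
    c = Counter(f.severity for f in findings)
    return {s: c.get(s, 0) for s in SEVERITY_ORDER}


def summary_rows(current, previous):
    """Executive Summary table rows, ranked by severity and numbered."""
    ranked = sorted(current, key=lambda f: SEVERITY_ORDER.index(f.severity))
    rows = []
    for n, (f, status) in enumerate(classify(ranked, previous), start=1):
        rows.append({
            "S. No": n,
            "Affected Asset": f.asset,
            "Observation/ Vulnerability title": f.title,
            "CVE/CWE": f.cwe or "-",
            "Severity": f.severity,
            "Recommendation": f.recommendation,
            "New or Repeat observation": status,
        })
    return rows


# Constructed sample data: findings of the first audit and of the follow-up.
PREVIOUS_FINDINGS = [
    Finding("https://portal.example.in/login", "SQL injection in login form", "CWE-89", "Critical"),
    Finding("10.0.1.15", "Outdated OpenSSH version", "", "Medium"),
    Finding("10.0.1.20", "Telnet service enabled", "CWE-319", "High"),
]
CURRENT_FINDINGS = [
    Finding("https://portal.example.in/login", "SQL Injection (authentication bypass)", "CWE-89",
            "Critical", "Use parameterised queries"),
    Finding("10.0.1.15", "Outdated  OpenSSH Version", "", "Medium",
            "Upgrade to a vendor-supported release"),
    Finding("https://portal.example.in/", "Missing HSTS header", "CWE-319", "Low",
            "Send Strict-Transport-Security on all HTTPS responses"),
]

if __name__ == "__main__":
    for level, count in severity_counts(CURRENT_FINDINGS).items():
        print(f"{level:<14}{count}")
    for row in summary_rows(CURRENT_FINDINGS, PREVIOUS_FINDINGS):
        print(row)
```

In the sample, the reworded SQL injection finding is still a Repeat because the asset and CWE match, the OpenSSH finding is a Repeat on the normalised title, and the HSTS finding is New even though it shares CWE-319 with the earlier Telnet finding, because the affected asset differs. Whatever key an auditing organisation adopts should be stated in the methodology section so the auditee can reproduce the New/Repeat marking.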


Appendices

<This section should include evidence and additional information that supports the main body of the report, such as detailed tables, figures, descriptions of the audit tools and techniques used, and a glossary of terms for clarity.>
