Once an auditor has left, the report is the auditor's chance to continue a conversation (albeit a static one) -- even if the organization never talks to the auditor again. If written with care, it can be a tool to encourage agency and guide adoption. The report has many audiences who will need to use it in different ways. For the auditor and the organization, it acts as documentation of what the auditor accomplished. For the organization, it will be a guide for connecting vulnerabilities to actual risks, a rallying cry for change, and proof of need for funders. For those the organization brings in to support its digital security, it provides a roadmap towards that implementation and a task-list for future technologists and trainers paid to get the host there, as well as a checklist for validating that threats have been addressed.
- Target Invested Parties: During the audit, identify parties who will impact the vulnerability remediation process (e.g. funders, external contractors, partners) and work with the organization to target components of the report at those parties. Do the recommendations that you have fit into any narratives that you heard from staff?
- Visualizing Charts: Create charts and visuals for the roadmap, risk-matrix, implementation matrix, and critical processes.
- Document Translation: Compose sections that will be shared with invested parties (funders, technical support, trainers) to support the organization's aims for those parties.