Once an auditor has left, the report is the auditor's chance to continue a
conversation (albeit a static one) -- even if the organization never talks to
the auditor again. If written with care it can be a tool to encourage agency
and guide adoption. The report has many audiences who will need to use it in
different ways. For the auditor and the organization, it acts as documentation
of what an auditor accomplished. For the organization, it will be a guide for
connecting vulnerabilities to actual risks, a rallying cry for change, and
proof of need for funders. For those the organization brings in to support
their digital security, it provides a roadmap towards that implementation and
a task-list for future technologists and trainers paid to get the host there,
as well as a checklist for validating that threats have been addressed.
- Target Invested Parties: During the audit, identify parties who will
impact the vulnerability remediation process (e.g. funders, external
contractors, partners) and work with the organization to target components of
the report at those parties. Do the recommendations that you have fit into any
narratives that you heard from staff?
- Visualizing Charts: Create charts and visuals for the roadmap,
risk-matrix, implementation matrix, and critical processes.
- Document Translation: Compose sections that will be shared with invested
parties (funders, technical support, trainers) to support the organization's
aims for those parties.