An IT auditor should perform a preliminary control environment (CE) assessment corresponding to the audit area being examined to enable reasonable assurance that all significant items will be adequately addressed during the IT audit process.
Audit evidence for CE elements may not be available in documentary form. Particularly in smaller entities, communication between management and other personnel may be informal, yet effective. For example, management’s commitment to ethical values and competence is often implemented through the behavior and attitude they demonstrate in managing the entity’s business instead of in a written code of conduct. Consequently, management’s attitudes, awareness and actions are of particular importance in the design of a smaller entity’s CE. In addition, the role of those charged with governance is often undertaken by the owner/manager, especially where there are no other equivalent personnel within the entity.