Control environment scanning to produce a viable IT audit plan should be considered fundamental to planning an IT audit. Primary consideration regarding the control environment’s operating style is IT auditability. As with most audit situations, verifiability is heavily dependent on auditability. IT auditability considerations should precede IT integrated process deployment. In other words, auditability should be included in the design of IT and the information being provided to audit areas. Consequentially, auditability can assist or hinder an IT assurance effort; if it does not postpone a planned audit.
“View Part I of the Auditing Information Assets Protection series here“