When acquiring an understanding of control environment (CE) components, IT auditors should consider whether pertinent elements have been implemented for the entity and IT. Assessing how much CE risk is associated with a particular entity may be performed using various techniques and tools, including CE Characteristics – Internal Policies, Maturity Model Assessment and/or Entity Culture/Audit Area Personnel Matrices. For each of the selected audit CE statements, a compliance value needs to be defined, which enables the IT assurance professional to calculate a ‘compliance profile’.
“View Part I of the Auditing IT Service Delivery and Support series here“
Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.