Ordinarily, an IT auditor obtains relevant CE audit evidence through a combination of inquiries and other risk assessment procedures. For example, through management and employee inquiries, an IT auditor may obtain an understanding of how management communicates its views to employees regarding acceptable practices and ethical behavior. Thereafter, an IT auditor should determine whether controls have been implemented by analyzing whether management has established a formal code of conduct, and whether it acts in a manner that supports the code of conduct or instead condones violations of, or authorizes exceptions to, the code of conduct.
“View Part I of the Auditing IT Service Delivery and Support series here”
Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.