Audit evidence for elements of an adequate CE may not be available in documentary form. In addition, responsibility for IT governance is often undertaken by the owner/manager where there are no other high-level stakeholders. As a particular for smaller entities, communication between management and other personnel may be informal, yet effective. Under these circumstances, management’s commitment to ethical values and competence are often implemented through the behavior and attitude they demonstrate in managing the entity’s business instead of in a written code of conduct. Consequently, management’s attitudes, awareness and actions are paramount in the design of a smaller entity’s CE.
“View Part I of the Auditing IT Service Delivery and Support series here“
Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.