Posted by: Robert Davis
AICPA, American Institute of Certified Public Accountants, Assurance Service, Attestation, Audit Report, Evidence, Follow-up Procedures, IFAC, Information Systems Audit and Control Association, International Federation of Accountants, ISACA, IT Audit, Procedures, Project Management, The IIA, The IIC, The Institute for Internal Controls, The Institute of Internal Auditors
If management’s proposed actions to implement or otherwise address reported recommendations have been discussed with, or provided to, an IT auditor; designed remedial actions should be recorded as a management response in a final IT audit report. Whether an IT auditor is engaged in external or internal reporting; after formal audit results communication, follow-up is commonly the next IT audit process phase. Procedurally, after distributing the final audit report — with findings, recommendations and client responses — the IT auditor should request and evaluate relevant information to conclude whether appropriate actions have been taken by management in a timely manner for all documented findings included in the final audit report. However, IT audit follow-up activities can be an extension of an engagement or a separate engagement, and may only include agreed-upon procedures.