IT Governance, Risk, and Compliance » Evidence

IT Audit Follow-up: Assessing Recommendation Resolution – Part VIII

Robert Davis — Mon, 05 Apr 2010 17:57:13 +0000

Follow-up activities are essential to enabling continuous improvement in IT governance. IT audit must ensure follow-up activities are completed in a timely manner to reduce the cited risks to the entity’s operations. Nevertheless, management must take full responsibility for ensuring entity personnel pursue commitments to perform agreed corrective actions for gaps and/or weaknesses in the control system. Where corrective actions are not undertaken or completed within the expected timeframe, management should document the reason(s) for rescinding the obligation or why there was a delay in deployment.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part VII

Robert Davis — Thu, 01 Apr 2010 18:56:52 +0000

A report on the status of follow-up activities, including agreed-upon recommendations not implemented, should be presented to the audit committee, if one has been established, or alternatively to the most appropriate management level of the entity. Preceding IT audit follow-up report preparation, where management provides information on actions taken to implement recommendations, and the IT auditor has doubts about the information provided, appropriate testing or other procedures should be undertaken to ascertain the true position or status — prior to concluding follow-up activities.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part VI

Robert Davis — Mon, 29 Mar 2010 18:00:58 +0000

Control follow-up are activities pursued when an exception condition is identified and reported as presenting a risk to the entity. As a part of the follow-up activities, the IT auditor normally evaluates whether findings, if not implemented, are still relevant. Furthermore, inconsistencies and departures from applicable accounting principles, discovered during the IT audit follow-up procedures, are typically reviewed with a qualified financial auditor.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part V

Robert Davis — Thu, 25 Mar 2010 20:25:10 +0000

IT audit area follow-up takes into account the materiality of reported findings and the impact if corrective action is not taken. As particulars, follow-up nature, timing and extent are dependent on audit materiality and control criticality. IT audit follow-up nature represents the type of procedures that will be performed considering predetermined risk associated with an auditable unit. IT audit follow-up timing confers when a procedure will be performed. Whereby, IT audit follow-up extent conveys the amount and/or range to be assessed. In relation to these defined considerations, audit materiality typically reflects monetary magnitude relative to other assets; while control activity criticality infers the assessed item impact magnitude relative to other risks.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part IV

Robert Davis — Mon, 22 Mar 2010 18:29:47 +0000

Depending on the ambit and terms of the engagement, external IT auditors may rely on an entity’s internal IT audit function to follow-up on their agreed-upon recommendations. Hence, a follow-up process should be established by the entity’s internal IT audit function to monitor, and ensure, managerial actions have been effectively implemented or senior management has accepted the risk of not taking action. Responsibility for these follow-up activities should be defined in the audit charter and/or engagement letter to enable proper consideration by clients.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part III

Robert Davis — Thu, 18 Mar 2010 17:33:35 +0000

IT auditor follow-up activities has been defined “as a process by which they determine the adequacy, effectiveness and timeliness of actions taken by management on reported engagement observations and recommendations, including those made by external auditors and others“. Therefore, a follow-up process is established to enable reasonable assurance that each audit conducted by an IT auditor provides optimal benefit to the entity; through requiring that approved suggestions arising from audits are implemented in accordance with management’s intentions for the undertakings or that management recognizes and acknowledges the risks inherent in delaying, or not implementing, proposed solutions.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part II

Robert Davis — Mon, 15 Mar 2010 16:40:05 +0000

If management’s proposed actions to implement or otherwise address reported recommendations have been discussed with, or provided to, an IT auditor; designed remedial actions should be recorded as a management response in a final IT audit report. Whether an IT auditor is engaged in external or internal reporting; after formal audit results communication, follow-up is commonly the next IT audit process phase. Procedurally, after distributing the final audit report — with findings, recommendations and client responses — the IT auditor should request and evaluate relevant information to conclude whether appropriate actions have been taken by management in a timely manner for all documented findings included in the final audit report. However, IT audit follow-up activities can be an extension of an engagement or a separate engagement, and may only include agreed-upon procedures.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Follow-up: Assessing Recommendation Resolution – Part I

Robert Davis — Thu, 11 Mar 2010 19:41:17 +0000

While management is responsible for addressing assurance engagement findings and recommendations as well as tracking resolution status; audit is responsible for establishing policies, procedures, standards and rules for follow-up to determine whether previous findings and recommendations are adequately addressed as well as considered in planning future engagements. In this matter, IT auditors should comply with generally accepted audit follow-up procedures addressing the risks ordinarily associated with the audit area. Contextually, an appropriate amount of follow-up is necessary to assure the effectiveness of the corrective action process and to reestablish confidence in the item or service assessed. Therefore, the audit follow-up process normally includes carrying out sufficient, timely follow-up procedures to verify that management actions address weaknesses promptly.

IT Audit Reporting: Communicating Results – Part VIII

Robert Davis — Mon, 08 Mar 2010 21:40:59 +0000

IT auditors, like all auditors, are responsible for ‘communicating results to interested individuals.’ Interested individuals can include other members of the audit team, who must integrate the IT auditor’s findings with other aspects of the audit, as well as the client. Commonly, the audit purpose for reporting results is providing constructive feedback to management. However, in many cases, management personnel reviewing the audit report are not completely knowledgeable of the audit area’s IT services and associated terminology. For this reason, IT audit reports should be written to accommodate the lowest expected expertise level. Where readability risk is marginalized, IT audit reports will typically be readily received when they create managerial awareness regarding generally accepted information criteria (effectiveness, efficiency, confidentiality, integrity, availability, reliability and/or compliance) and induce corrective actions for detected control system weaknesses.

“View Part I of the IT Audit Reporting: Communicating Results series here“

IT Audit Reporting: Communicating Results – Part VII

Robert Davis — Thu, 04 Mar 2010 18:48:39 +0000

Upon acknowledgement of final audit report delivery to identified recipients, the IT auditor should await responses from key audit area personnel, as stipulated in the entity’s audit charter or engagement letter. Once all client responses have been received or the stated response deadline has been reached, the IT auditor should distribute the final audit report to appropriate personnel, thus concluding the IT audit reporting phase.

“View Part I of the IT Audit Reporting: Communicating Results series here“