IT Governance, Risk, and Compliance » Reporting

IT Governance, Risk, and Compliance » Reporting http://itknowledgeexchange.techtarget.com/it-governance Mon, 20 May 2013 00:56:50 +0000 en-US hourly 1 IT Audit Follow-up: Assessing Recommendation Resolution – Part IV http://itknowledgeexchange.techtarget.com/it-governance/it-audit-follow-up-assessing-recommendation-resolution-part-iv/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-follow-up-assessing-recommendation-resolution-part-iv/#comments Mon, 22 Mar 2010 18:29:47 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=425 Depending on the ambit and terms of the engagement, external IT auditors may rely on an entity’s internal IT audit function to follow-up on their agreed-upon recommendations. Hence, a follow-up process should be established by the entity’s internal IT audit function to monitor, and ensure, managerial actions have been effectively implemented or senior management has accepted the risk of not taking action. Responsibility for these follow-up activities should be defined in the audit charter and/or engagement letter to enable proper consideration by clients.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-follow-up-assessing-recommendation-resolution-part-iv/feed/ 0 IT Audit Reporting: Communicating Results – Part VIII http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-viii/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-viii/#comments Mon, 08 Mar 2010 21:40:59 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=410 IT auditors, like all auditors, are responsible for ‘communicating results to interested individuals.’ Interested individuals can include other members of the audit team, who must integrate the IT auditor’s findings with other aspects of the audit, as well as the client. Commonly, the audit purpose for reporting results is providing constructive feedback to management. However, in many cases, management personnel reviewing the audit report are not completely knowledgeable of the audit area’s IT services and associated terminology. For this reason, IT audit reports should be written to accommodate the lowest expected expertise level. Where readability risk is marginalized, IT audit reports will typically be readily received when they create managerial awareness regarding generally accepted information criteria (effectiveness, efficiency, confidentiality, integrity, availability, reliability and/or compliance) and induce corrective actions for detected control system weaknesses.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-viii/feed/ 0 IT Audit Reporting: Communicating Results – Part VII http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vii/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vii/#comments Thu, 04 Mar 2010 18:48:39 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=406 Upon acknowledgement of final audit report delivery to identified recipients, the IT auditor should await responses from key audit area personnel, as stipulated in the entity’s audit charter or engagement letter. Once all client responses have been received or the stated response deadline has been reached, the IT auditor should distribute the final audit report to appropriate personnel, thus concluding the IT audit reporting phase.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vii/feed/ 0 IT Audit Reporting: Communicating Results – Part VI http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vi/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vi/#comments Mon, 01 Mar 2010 18:41:35 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=402 The final audit report should clearly identify ‘gaps’ in controls and the source of the vulnerabilities. Of the potential vulnerabilities documented in the audit report, it is importance to identify any significant, or material, risks. It must also include recommendations to address the issues identified. Lastly, the executive summary of the final audit report must elaborate on the ‘state of controls’ within the audit area. In particular, weaknesses need to be clearly communicated to enable management by exception.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-vi/feed/ 0 IT Audit Reporting: Communicating Results – Part V http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-v/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-v/#comments Thu, 25 Feb 2010 19:56:19 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=399 Once the draft audit report is generated, it must be reviewed by key IT managers as well as key business managers. To facilitate this essential audit activity, the IT auditor can contact selected key audit area personnel for scheduling a ‘closing conference.’ This conference provides an opportunity to review the audit process, discuss concerns, and modify audit report responses. Thus, conference attendees adjourn with a collective understanding of the final audit report’s content.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-v/feed/ 0 IT Audit Reporting: Communicating Results – Part IV http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iv/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iv/#comments Mon, 22 Feb 2010 18:13:14 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=396 Generally, following audit area findings assessment completion and ensuring appropriate working papers retention, an IT auditor documents the draft audit report based on auditing standards and guidelines. Subsequently, the draft audit report is typically submitted for approval by the next higher audit management level. Specific organization, intended recipients, and any circulation restrictions should be identified in this draft audit report.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iv/feed/ 0 IT Audit Reporting: Communicating Results – Part III http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iii/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iii/#comments Thu, 18 Feb 2010 19:33:59 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=385 Through an IT auditor’s efforts, audit findings are facts generated which directly support and evidence conclusions as well as recommendations. Audit findings are also the product of all previously performed audit work related to the audit area under examination. Each finding form should be reviewed by an IT auditor for accurate as well as factual: criteria, condition, cause, possible effect(s) and recommendation(s). Furthermore, inconsistencies and departures from applicable accounting principles, discovered during the IT audit, should be reviewed with a qualified financial auditor.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-iii/feed/ 0 IT Audit Reporting: Communicating Results – Part II http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-ii/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-ii/#comments Mon, 15 Feb 2010 19:18:07 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=387 The process utilized to ascertain ‘the degree of correspondence’ between assertions, or direct subject matter, and established criteria for IT audits is similar to that employed for manual audits; yet, slightly more complex. The process is similar because with these audit types, ‘the degree of correspondence’ requires objective and/or subjective judgment by the auditor as to what constitutes material noncompliance in the control system or error in information. The process is more complex for IT audits because the control system is commonly more sophisticated, and because it is generally more difficult to ascertain whether computer programs and data files provided to the auditor are those actually used; or bogus copies not actually invoked by the entity’s technology under examination. Consequently, to ensure an appropriate IT risk scoring, preceding audit report preparation, IT audit area findings analysis is performed.

“View Part I of the IT Audit Reporting: Communicating Results series here“

]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-ii/feed/ 0 IT Audit Reporting: Communicating Results – Part I http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-i/ http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-i/#comments Thu, 11 Feb 2010 19:05:03 +0000 Robert Davis http://itknowledgeexchange.techtarget.com/it-governance/?p=375 IT audit area reporting conveys an opinion concerning control adequacy based on planning, studying, testing and evaluating material or significant auditable units. Whether an IT auditor is engaged in direct or attest reporting — after obtaining sufficient, reliable, relevant and useful evidence during the previous audit phases — formal audit results communication is an important step in the audit process. Direct reporting assignments exist when management does not document an assertion concerning control procedures effectiveness and the IT auditor provides an opinion. Conversely, attest reporting assignments exist when management documents a control procedures effectiveness assertion and the IT auditor provides an opinion about the stated assertion.
]]> http://itknowledgeexchange.techtarget.com/it-governance/it-audit-reporting-communicating-results-part-i/feed/ 0