Activity: Review of the IT Audit Responses

Copyright: © 2020 | Pages: 16
DOI: 10.4018/978-1-7998-4198-2.ch009


Whether an IT auditor is engaged in internal or external IT audit reporting, IT audit follow-up is an engagement requirement once audit results have been formally communicated. The IT auditor assigned responsibility for tracking and assessing audit area responses must have the skills to confirm that appropriate corrective actions were deployed. The IT audit reporting process prepares an IT auditor to provide appropriate follow-up on resolved and unresolved audit issues. If a corrective action is not deployed, the assigned IT auditor should seek support from higher levels of audit area management to achieve recommendation implementation within a reasonable timeframe. Chapter 9 presents management's proposed actions, IT audit follow-up materiality, and IT audit follow-up criticality. Chapter 9 also addresses the management response assessment of corrective actions.
Chapter Preview


In some circumstances, the IT audit engagement is not complete upon report issuance (Davis, 2005, 2011) because the IT audit team members have a responsibility to determine whether appropriate actions were taken concerning findings and recommendations (Cascarino, 2012; Davis, 2011). If the audit function has responsibility for performing follow-up activities, the assigned IT auditors must apply audit follow-up procedures that address the audit area risks (Davis, 2011). Contextually, appropriate follow-up is necessary to assure the effectiveness of the corrective actions and to establish or re-establish confidence in the items or services found inadequate during the engagement (Davis, 2011). Therefore, the audit follow-up process includes carrying out sufficient, timely follow-up procedures to verify that managerial actions addressed weaknesses promptly (Davis, 2011; ISACA, 2014a).

Findings are facts acquired by the IT auditor that directly support and evidence conclusions as well as recommendations (Davis, 2011). Findings are also the product of all previous audit work related to the audit area under examination (Davis, 2011). Usually, an audit finding represents the difference between expected and actual audit area conditions during the current engagement period (Davis, 2011). Findings are the primary source from which opinions flow to the IT audit report (Davis, 2011).

IT audit team members draw IT audit area recommendations by extrapolating from finding scenarios (Davis, 2011). Notably, IT audit recommendations represent a solution to an existing condition, as either a corrective action or an operational improvement (Davis, 2011). In a consulting capacity, recommendations can guide audit area management in achieving objectives (Davis, 2011).

After reporting findings and recommendations, the assigned IT auditor must request and assess relevant information to conclude whether appropriate actions were taken by management as expected (Cascarino, 2012; Davis, 2011). The resolution of audit comments resides with audit area management (Davis, 2011). If the proposed auditee corrective actions for implementing or otherwise addressing recommendations were discussed with or provided to the assigned IT auditor, the designed corrective actions are recorded in the final IT audit report and the engagement tracking system as management responses (Davis, 2011).

Within the engagement tracking system, information concerning IT audit follow-up items needs to be captured in an audit findings database. The audit findings database is a collection of IT audit area issues. Maintaining the audit findings database helps ensure that each audit area issue is treated as recorded in the IT audit report response. The audit findings database needs to capture the:

  • audit report number,

  • comment description,

  • auditee response,

  • corrective action implementer,

  • criticality ranking,

  • completion status, and

  • completion date (Davis, 2011).

Key Terms in this Chapter

Engagement Tracking System: The technology adopted by an organization to help facilitate and orchestrate the audit journey through stated expectations across the various audit activities.

Risk Assessment: An evaluation performed to classify and appraise risks as well as determine the potential materiality or significance of a selected area under examination.

Risk Analysis: A method for considering threats, opportunities, and vulnerabilities while permitting the means for assessing conceivable adversities.

Organizational Culture: Represents a way of thinking, behaving, or working that exists in an enterprise.

Operational Improvement: Refers to a reduction, avoidance, or elimination of the potential for errors, mistakes, omissions, irregularities, or illegal acts.

Corrective Action: Refers to a solution intended to minimize or eliminate an identified issue.