Abstract
One of the more pivotal aspects of an IT audit engagement is IT audit follow-up. Depending on the ambit and terms of the engagement as well as under a relevant information systems audit standard, external IT auditors may rely on an internal IT audit function to follow-up on agreed-on corrective actions. Follow-up responsibilities for ongoing internal audit activities should receive inscription in the audit charter of the internal IT audit function and for external IT audit assignments in the engagement letter. Chapter 10 details follow-up as a continuing IT audit engagement, a separate follow-up engagement, and agreed-upon follow-up procedures covering corrective actions. Chapter 10 also provides IT audit follow-up tasks for determining satisfactory and unsatisfactory corrective action deployments.
TopGeneral Follow-Up Activities
One of the more pivotal aspects of an IT audit engagement is IT audit follow-up (Davis, 2011). IT audit follow-up is the activities pursued when a reportable condition exists that presents an audit area risk (Davis, 2011) in achieving a control objective. IT audit follow-up activities are process elements for determining the adequacy, efficacy, and timeliness of deployment actions by audit area management concerning reportable engagement conditions (Davis, 2011). Upon the corrective action presentation, a procedural enactment of follow-up activities needs to occur. The follow-up activities include evaluation of management responses and, if appropriate, response verification (Davis, 2011). As shown in Figure 1, an automated engagement tracking system with a findings database can assist in the carrying out of IT audit follow-up activities (Davis, 2011; Gantz, 2013).
Figure 1. Engagement Tracking System with Relational Database View.
As a task within the follow-up activities, the IT auditor assigned responsibility for tracking and assessing audit area responses evaluates whether unimplemented findings are still relevant (Davis, 2011; Gantz, 2013). Furthermore, the discovery of inconsistencies and departures from applicable accounting principles during the IT audit follow-up procedures can drive a corrective action review with a qualified financial auditor (Davis, 2011). If, after professional consideration and necessary consultation, the chief audit executive or practice partner concludes a follow-up report response or action was unsatisfactory, the appropriate management level needs to receive an inadequate outcome notification (Davis, 2011).
Key Terms in this Chapter
Verification: Determining whether a system, process, activity, or task conforms to requirements.
Deployment: Enables the dispersion, dissemination, broadcasting, or spreading of an organizational item.
Audit Charter: Records a written commitment approved by those responsible for Enterprise Governance stating the audit function’s ambit of authority, responsibility, and accountability.
Control Perimeter: Represents the limit for enterprise-centric policies, directives, procedures, standards, and rules.
Enterprise Governance: Activates responsibilities and practices exercised by those responsible for organizational oversight to provide strategic direction, ensure that objectives are achieved, ascertaining that risks are managed appropriately and verifying that orchestrated resources are used responsibly.
Root Cause: Are factors that produce nonconformance conditions.