Information Technology Reference
In-Depth Information
management would want to make a quick decision and might find the summary suitable for
such purposes.
A detailed review of the report structure has been included in chapter 2. It is advisable to
review this chapter so that you can have a clear understanding of the audit reporting struc-
ture.
Follow-Up
Many IS audit writers have combined this stage with the reporting stage, the one we con-
sidered just before this stage. As earlier indicated, we will consider this stage as a separate
stage, as it is useful in practice to handle this stage separately.
The 1402.1 information systems audit standard requires that auditors make follow-ups on
whether management has taken action regarding reported audit findings and recommenda-
tions.
Management might not implement the recommendations immediately after the report is
produced and opt to implement on agreed dates. In this case, the IS audit team might de-
velop a planned follow-up action schedule which the team can use to make follow-ups. It
is always important to recommend to management response criteria. High-risk areas would
require immediate action whilst low-risk areas may require action at an agreed date.
The IS audit team should agree with the client on the findings and recommendations in the
report and develop an action plan on how to implement the recommendations. This should
be done immediately after the report is released or at the first audit report review meeting
with the client.
In case of audits conducted by external auditors, it is good practice to make use of internal
IS auditors to make follow-ups which they can include in their work schedule. The external
auditors can follow up at a later date with the internal auditors or during their next audit.
Where there are disagreements on particular findings and recommendations, management
and the IS audit team can opt to escalate the issue to senior management or the board for
resolution.
The follow-up activity is important as it enables the IS auditors to find out if their recom-
mendations are being implemented and that there is improvement in the operations and
performance of the enterprise. It should be a source of concern to the IS auditor if recom-
mendations are not being implemented.
Search WWH ::




Custom Search