Abdul-Rahman Mahmood
Assistant Professor, Computer Science, FAST-NU
abdulrahman@nu.edu.pk reddit.com/user/alphapeeler
alphapeeler.sf.net/pubkeys/pkey.htm www.flickr.com/alphapeeler
pk.linkedin.com/in/armahmood http://alphapeeler.tumblr.com
bqb-tsid-asp armahmood786@jabber.org
alphapeeler alphapeeler@aim.com
alphapeeler abdulmahmood-sss
armahmood786 alphapeeler@icloud.com
http://alphapeeler.sf.net/ pinterest.com/alphapeeler
IS Audit & Control
Building an Effective
Internal IT Audit Function
 Many audit departments spend their existence in
adversarial relationships with the rest of the
company.
 Reporting issues accomplishes nothing, except to
make people look bad, get them fired, and create
hatred of auditors.
 The real value comes when issues are addressed
and problems are solved.
Audit Department Issues
 The real mission of the internal audit
department is to help improve the state of
internal controls. This is accomplished by
performing audits and reporting the results, but
these acts provide no value in and of themselves.
 They provide value only when the internal
control issues are resolved.
 Requires a shift in focus from “reporting” to
“improving.”
Audit Department Issues
 To provide independent assurance to the audit
committee (and senior management) that
internal controls are in place at the company and
are functioning effectively.
 To improve the state of internal controls at the
company by promoting internal controls and by
helping the company identify control
weaknesses and develop cost-effective solutions
for addressing those weaknesses.
Audit Department Mission
 Webster: “not influenced or controlled by others”
 Auditors work in the same building as their
fellow employees forming relationships outside
the audit department.
 The success of the company is of prime interest to
the auditors.
 Audit departments include people who have
joined the department from other areas in the
company or plan to rotate out of the audit
department.
 Auditor’s relationship with the board of
directors: Bury issues and believe that he will be
allowed to “do the right thing”.
Independence: The Great Myth
Audit team reporting structure
 Unfortunately, many auditors refuse to provide
guidance and input to teams that are developing
new systems or processes.
 Auditors can’t provide input on the controls
within the system because if they do so they’ll no
longer be independent. They say, “How can you
audit something if you’ve already signed off on
the controls?”
 The auditor shouldn’t be afraid to brainstorm
about the controls with the team. However, this
should not include actually executing the control,
writing the code for implementing it, or
configuring the system.
 Auditor should provide as much input as
Consulting and Early Involvement (utter nonsense)
 Early involvement
 Informal audits
 Knowledge sharing
 Self-assessments
Four Methods for Consulting
 Once you’ve created a system, tested it, and
implemented it, it is much more expensive to go
back and change it than if you had done it right
the first time.
 Ask to be part of the sign-off group
 There is the possibility that you will make a
mistake and sign off on the project even though
the system has internal control weaknesses, but
that’s a chance you have to take.
 You should not indicate that internal controls are
not applicable to the system and refuse to
participate; instead, you can provide some
high-level guidance and be done with the project for
Early involvement
 You’ll likely never go to the audit committee and
report that one of the top fifteen risks that you
need to review for the year is a tiny data center
in a remote location supporting a small handful
of people performing a less-than-critical business
process.
 Does this mean that you should never
understand the risks at that site?
 The informal audit is the mechanism to use.
 Remove the constraints of documenting their
work in detailed work papers. Forget about
taking large representative samples. Let the
auditors act as consultants.
 Auditors are able to accomplish in a short time
Informal Audits
1. The audit department agrees on the timing and scope of
the informal review with the people who are to
be audited.
2. The auditor creates a checklist of areas that need
review.
3. The auditor executes those steps, keeping notes
as needed but not creating work papers for
review.
4. At the end, the auditor compiles all concerns from the
review.
5. The auditor conducts a debriefing meeting with the people
audited to discuss the issues, their seriousness, and
how to fix them.
Informal Audits - basic steps
 As an internal auditor, you have a unique blend
of knowledge of the company and expertise in
internal controls. You must be creative in finding
new ways to share knowledge with the rest of
the company.
 Audit department should have its own website.
 Posting control guidelines on your website
empowers groups expecting an audit.
 Posting Common Issues, Best Practices, and
Innovative Solutions.
 Post info about the audit tools (vulnerability
scanning etc.) that you use in audits; this enables
groups to self-assess their controls.
Knowledge Sharing
 University of Pennsylvania
 By failing to prepare, you are preparing to fail -
BEN FRANKLIN
 Office of internal audit
 http://www.upenn.edu/oacp/audit/index.html
 Details of internal control
 https://oacp.upenn.edu/audit/audit101/internal-controls-guidance/
 SBP:
 Guidelines on Internal Controls
(Confidential document)
Examples
SBP - Guidelines on Internal Controls
(Confidential document)
 Facilitating an organization in assessing itself.
 Known as control self-assessment (CSA) model.
 This could be as simple as walking through your
control guidelines.
Self-Assessments
 An effective internal audit department considers
the audit to be a partnership with fellow
employees and not a policing function.
 Following are some basic steps that you can take
to start the journey:
 Be intentional about regular updates and meetings
with IT management.
 Establish audit liaisons with different IT
organizations.
 Get yourself invited to key meetings.
 Cultivate an attitude of collaboration and
cooperation.
 Implement job swaps with the IT organization.
Relationship Building: Partnering vs. Policing
 Application auditors
 Data extraction and analysis specialists
 IT auditors
The Role of the IT Audit Team
 Data center facilities: This, quite simply, is the
physical building and data center housing the
computer equipment on which the system in
question resides.
 Networks: This allows other systems and users to
communicate with the system in question when
they do not have physical access to it. This layer
includes basic networking devices such as
firewalls, switches, and routers.
 System platform: This provides the basic
operating environment on which the higher-level
application runs. Examples are operating
systems such as
Potential auditing subject areas
 Databases: This tool organizes and provides
access to the data used by the end
application.
 Applications: This is the end application, which
actually is seen and accessed by the end user.
This could be an enterprise resource planning
(ERP) application providing basic business
functions, an e-mail application, or a system that
allows conference rooms to be scheduled.
 Focus almost solely on the application layer.
 Ensuring that access is properly controlled and
that segregation of duties issues do not exist.
 Ensuring unauthorized application changes can’t
occur.
 Ensuring controls are in place to protect the
integrity of data.
Application Auditors
 Experts in data extraction and analysis tools,
such as Audit Command Language (ACL).
 Developing analytics that allow for continuous
monitoring for evidence of fraud, internal
control violations, policy noncompliance, and
other abuses.
 This tutorial teaches you how to use audit
command language (ACL) to detect ghost names
in payroll.
 https://www.youtube.com/watch?v=FObE7i9GsDI
Data Extraction & Analysis Specialists
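The ghost-name analytic the slide refers to, written out as an added Python example that is not part of the lecture and does not use ACL: payroll lines are joined to the HR master file and three tests flag entries paid to nobody who should be on the payroll. The record layout, field names and sample data are constructed for illustration.

```python
"""Continuous-monitoring analytic for ghost employees in payroll.

Added example (not from the lecture or from ACL). Record layouts,
field names and sample rows are constructed for illustration.
A 'ghost' indicator is a payroll line paid to an employee ID that has
no HR master record, to someone paid after termination or before
hire, or to a bank account shared by more than one employee ID.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    """One row of the HR master file (constructed layout)."""
    emp_id: str
    name: str
    hire_date: date
    term_date: Optional[date]  # None means still active


@dataclass(frozen=True)
class PayrollLine:
    """One row of the payroll register (constructed layout)."""
    emp_id: str
    period_end: date
    net_pay: float
    bank_account: str


Finding = Tuple[str, str]  # (emp_id, reason)


def find_ghost_indicators(hr: List[Employee],
                          payroll: List[PayrollLine]) -> List[Finding]:
    """Join payroll to HR master (the ACL 'unmatched join' idea) and
    apply three tests; returns de-duplicated findings sorted for a report."""
    master = {e.emp_id: e for e in hr}
    findings = set()
    for line in payroll:
        emp = master.get(line.emp_id)
        if emp is None:
            findings.add((line.emp_id, "no HR master record"))
            continue
        if emp.term_date is not None and line.period_end > emp.term_date:
            findings.add((line.emp_id, "paid after termination"))
        if line.period_end < emp.hire_date:
            findings.add((line.emp_id, "paid before hire date"))
    # One bank account receiving pay for several employee IDs is a
    # classic ghost indicator, so test it across the whole register.
    accounts = defaultdict(set)
    for line in payroll:
        accounts[line.bank_account].add(line.emp_id)
    for acct, ids in accounts.items():
        if len(ids) > 1:
            for emp_id in ids:
                findings.add((emp_id, f"bank account {acct} shared with "
                                      f"{len(ids) - 1} other ID(s)"))
    return sorted(findings)


# Constructed sample data: one terminated employee still being paid,
# one ID absent from HR, and two IDs sharing a bank account.
SAMPLE_HR = [
    Employee("E100", "Alice Khan", date(2019, 3, 1), None),
    Employee("E101", "Bilal Ahmed", date(2020, 6, 15), date(2024, 1, 31)),
    Employee("E102", "Carol Diaz", date(2023, 11, 1), None),
]
PERIOD = date(2024, 2, 29)
SAMPLE_PAYROLL = [
    PayrollLine("E100", PERIOD, 5200.00, "ACCT-0001"),
    PayrollLine("E101", PERIOD, 4800.00, "ACCT-0002"),
    PayrollLine("E102", PERIOD, 3900.00, "ACCT-0001"),
    PayrollLine("E999", PERIOD, 4100.00, "ACCT-0009"),
]


def run_sample() -> List[Finding]:
    """Run the analytic over the constructed sample register."""
    return find_ghost_indicators(SAMPLE_HR, SAMPLE_PAYROLL)


if __name__ == "__main__":
    for emp_id, reason in run_sample():
        print(f"{emp_id}: {reason}")
```

In a real continuous-monitoring setup the same function would run against each pay period's register export, with the findings handed to the auditor for follow-up rather than treated as proof of fraud.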
 The third model (IT auditors) is critical for
performing thorough and effective IT auditing
because it ensures that all layers are being
covered and that they are being covered by the
people with the highest level of subject matter
knowledge.
IT Auditors
 Career IT Auditors
 Sources for Career IT Auditors
 People with Internal IT Audit Experience at Other
Companies
 People with External IT Audit Experience
 College Hires
 IT Professionals
 Sources for IT Professionals as Auditors
 Technical Professionals from Within Your
Company
 Technical Professionals from Outside Your
Company
 College Hires
Forming and Maintaining an Effective IT Audit Team
 Ability to dig into technical details without getting
lost in the details.
 Analytical skills.
 Communication skills (both written and oral).
 Ability to learn the key concepts of new
technologies quickly and identify key risk points
within those technologies.
 Willingness not to be touching a specific
technology daily.
 Ability to build trust-based relationships with their
customers.
Key Traits of a Successful IT Auditor
 Exposure to a wide variety of technologies
 Opportunity to work with many levels of
management.
 Broad view of the company and other IT groups
 Opportunity to lead projects.
Selling Points for Recruiting IT Professionals into IT Audit
 Co-sourcing
 Sources of Learning
 Formal Training
 Research Time
 Specialization
 Knowledge Sharing After Training
 Certifications
 Job Swaps with the IT Organization
 Combining Options and Maintaining Skills
Maintaining Expertise
 May be viewed as an intrusion and an
annoyance.
 Must be a healthy working relationship between
the internal and external auditors.
 Each should keep the other informed of their activities.
 Encourage the external auditors to review the
internal auditors’ work prior to speaking with
your customers (customer: the organization
demanding an audit from an external auditor).
Relationship with External Auditors
Information Systems Audit - week 2 lecture

Editor's Notes

  • #9: Internal controls: Examples include use of passwords, approval, policies and procedures.
  • #11: There’s a big difference image-wise between saying that a system doesn’t matter to you and saying that you want to provide sign-off as usual but that you don’t have many concerns: one is a negative message, and the other is positive.
  • #13: Informal audit steps in full:
    1. The audit department should agree on the timing and scope of the informal review with the people who are to be audited.
    2. The auditor who will be performing the review should create a basic checklist of areas that will be under review. (The checklists throughout this book provide a good starting point.)
    3. The auditor executes those steps, keeping notes as needed but not creating work papers for review. The notes do not need to be kept after the audit is completed. Remember that speed is of the essence, and this is a consulting engagement, not a formal audit review. If you can’t get comfortable with this, you’ll get bogged down with documentation and process, losing the flexibility to perform this sort of review effectively.
    4. At the end of the project, the auditor compiles all concerns from the review.
    5. The auditor has a debriefing meeting with the people who were audited to discuss the issues and consult about how serious the issues are and potential means for addressing them.
    6. The auditor documents the final list of concerns, along with relevant thoughts on resolving them, in a memo. This memo does not need to include due dates and can include the caveats mentioned earlier (for example, this is not a formal audit, we will not be tracking issues, and so on). The memo also should indicate the auditor’s willingness to continue consulting with the team as it addresses these items.
    7. The auditor issues the memo and archives it electronically for future reference.
  • #15: Guidelines on Internal Controls www.sbp.org.pk/bsd/2004/Anex-C7.pdf
  • #28: Willingness not to be touching a specific technology daily: although performing audit analyses requires a lot of hands-on work, auditors won’t be acting as the administrator of a production Unix box, managing routers, and so on. Relationship-building skills: auditors must be able to build solid trust-based relationships with their customers.
  • #30: Co-sourcing is a business strategy that involves combining internal and external resources to achieve a common goal.