In this chapter we learned that

  • Internal controls, stated in the simplest terms, are mechanisms that ensure the proper functioning of processes within a company. Controls can be preventive, detective, or reactive and have administrative, technical, and physical implementations.

  • It is important that your audit plan focus your auditors on the areas that have the most risk and on areas where you can add the most value. A comprehensive audit universe and an effective ranking model are important elements in achieving this goal.

  • There are six key stages to an audit: planning, fieldwork and documentation, issue discovery and validation, solution development, report drafting and issuance, and issue tracking.

  • Some basic sources that should be referenced as part of each audit's planning process include handoff from the audit manager, preliminary survey, customer requests, standard checklists, and research.

  • During fieldwork and documentation, wherever possible, the auditors should look for ways to independently validate the information given to them and the effectiveness of the control environment.

  • If you work with your customers throughout the audit to validate issues and come to agreement on the risks those issues represent, then the conclusion of the audit will go much more smoothly and quickly.

  • Three common approaches are used for developing and assigning action items for addressing audit issues: the recommendation approach, the management-response approach, and the solution approach.

  • The essential elements of an audit report are the statement of the audit scope, list of issues along with action plans for resolving them, and the executive summary.

  • The audit is not truly complete until the issues raised in the audit are resolved.

In these first two chapters we have formed the foundation that will allow us to move on to Part II, which will provide details on how to audit specific processes and technologies.


If you're interested in further information on the audit process, 'Managing the Audit Function: A Corporate Audit Department Procedures Guide' by Michael P. Cangemi and Tommie Singleton is an excellent resource.

IT Auditing. Using Controls to Protect Information Assets
Year: 2004
Pages: 159