Richard,

We have in prior audits identified and reported questioned costs in our audit reports. We have questioned costs in audits involving Cloud Security where we identified cloud computing services that were acquired and deployed that were not approved, authorized to operate, or covered by a systems security plan (ghost IT). We have also questioned costs on Supply Chain Risk Management audits where we identified IT assets (hardware, software, and services) that were acquired outside of the supply chain risk management assessment approval process or were otherwise not authorized for use within the network environment. We use this methodology of questioning costs on most of our IT audits where we are assessing any of the hardware, software, or services within our network environment. We also question costs when the acquisition of IT hardware, software, and services is done improperly, say, when the contract to acquire the item fails to properly incorporate the necessary IT security contract clauses which could create the potential for a risk or a vulnerability if not present.

Best of luck,
Joe