Audit and Assurance


Determining Implementation Dates

  • 1.  Determining Implementation Dates

    Posted 08 Nov, 2019 15:41
    Hi All. I'm interested in hearing from the Community on what your process is for determining an appropriate/reasonable implementation date for observations, (e.g., audit makes the decision or it is a collaborative effort between audit and client)?

    Thanks in advance for your response, much appreciated.

    Dominic Pasqualino
    Director, ISACA Philadelphia Chapter

  • 2.  RE: Determining Implementation Dates

    Posted 09 Nov, 2019 05:32
    @Dominic Pasqualino,

    Interesting question!  To get their "buy in" I generally like management to set the implementation date, however, there may be instances, depending on the severity etc. where audit needs to insist on earlier implementation.

    Have members any other thoughts on this one?

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist

  • 3.  RE: Determining Implementation Dates

    Posted 11 Nov, 2019 12:11
    Agreed @Ian Cooke,

    I've normally allowed the line management to be the primary decision maker in the timeline for resolution. My perspective is that they have operational responsibility for the process area and are best positioned and accountable for making that final decision.

    I do make clear which audit findings or observations have a time dimension that needs serious consideration, however. For example:
    • A deficiency in the change and release process that could potentially impact an upcoming planned key application upgrade needs timely attention, or
    • A deficiency in the patch management process that creates a significant gap between patch release and application would be referenced against best practice or recent research showing the risks around extending that patch window (and ultimately not having it addressed timely).
    Depending on the nature of the engagement, I'm also open to providing suggested time ranges (e.g., 0-3 months, 3-6, etc.).

    Depending on the process for the auditee to provide their response and for the auditor to track the resolution status, you can potentially be more insistent with your recommendations that certain initiatives are prioritized. If you include the risk perspective that helps.


    Demetri Gittens
    IT Governance & Risk Assessment Officer

  • 4.  RE: Determining Implementation Dates

    Posted 14 Nov, 2019 10:19
    Ian and Demetri, thanks for responding.  Does anyone else have anything to add/thoughts?

    Thanks in advance for taking the time to respond, it's appreciated.

    Dominic Pasqualino
    Director, ISACA Philadelphia Chapter

  • 5.  RE: Determining Implementation Dates

    Posted 09 Dec, 2019 11:15
    Similar to the responses already provided, it is mostly a collaborative effort - management typically provides the implementation dates that we review for reasonableness.  However, if the observation is rated high risk and remediation should be prioritized, I would add to my recommendation an expectation that the remediation should be performed "immediately."  (I've only had to do this around user access controls, or lack thereof.)  If management responds with "we need to purchase/implement something and that will take time" and that seems reasonable, then we discuss interim/compensating controls, so then we have implementation dates for the interim solution and the long-term solution.

    My point is that collaboration is a good approach, but there are scenarios where I think the auditor needs to "set" the timeline - based on risk of course.  And this needs to be communicated at the outset and applied consistently.

    Vernice Stefano
    Assistant Director, IT Audit