Audit and Assurance


Determining Implementation Dates

  • 1.  Determining Implementation Dates

    Posted 8 days ago
    Hi All. I'm interested in hearing from the Community on what your process is for determining an appropriate/reasonable implementation date for observations (e.g., audit makes the decision or it is a collaborative effort between audit and client)?

    Thanks in advance for your response, much appreciated.

    ------------------------------
    Dominic Pasqualino
    Director, ISACA Philadelphia Chapter
    ------------------------------


  • 2.  RE: Determining Implementation Dates

    Online Forum Topic Leader
    Posted 8 days ago
    @Dominic Pasqualino,

    Interesting question!  To get their "buy in" I generally like management to set the implementation date, however, there may be instances, depending on the severity etc. where audit needs to insist on earlier implementation.

    Have members any other thoughts on this one?

    Best Regards,

    Ian

    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 3.  RE: Determining Implementation Dates

    Posted 6 days ago
    Agreed @Ian Cooke,

    I've normally allowed the line management to be the primary decision maker in the timeline for resolution. My perspective is that they have operational responsibility for the process area and are best positioned and accountable for making that final decision.

    I do make clear which audit findings or observations have a time dimension that needs serious consideration, however. For example:
    • A deficiency in the change and release process that could potentially impact an upcoming planned key application upgrade needs timely attention, or
    • A deficiency in the patch management process that creates a significant gap between patch release and application would be referenced against best practice or recent research showing the risks around extending that patch window (and ultimately not having it addressed timely).
    Depending on the nature of the engagement, I'm also open to providing suggested time ranges (e.g. 0-3 months, 3-6, etc).

    Depending on the process for the auditee to provide their response and for the auditor to track the resolution status, you can potentially be more insistent with your recommendations that certain initiatives are prioritized. If you include the risk perspective that helps.

    Regards,

    ------------------------------
    Demetri Gittens
    IT Governance & Risk Assessment Officer
    ------------------------------



  • 4.  RE: Determining Implementation Dates

    Posted 3 days ago
    Ian and Demetri, thanks for responding.  Does anyone else have anything to add/thoughts?

    Thanks in advance for taking the time to respond, it's appreciated.

    ------------------------------
    Dominic Pasqualino
    Director, ISACA Philadelphia Chapter
    ------------------------------