In Standard (Snake) Oil, I complained about companies that don’t audit according to standards because some treat control owner statements as pure gold, don’t insist evidence be tied back to actual systems, and don’t ask all the appropriate questions.
Here are a few more questionable practices that I’ve challenged all too recently.
I’m getting discouraged. I’m starting to wonder how many audit departments follow auditing standards, say, from IIA or ISACA. After some of the IT audits and IT SOX audits I’ve seen in the past year, who knows?
Some companies take their control owners’ words as gold and don’t verify them.
“They wouldn’t give you the information if it wasn’t true! Audit the evidence you’re given and quit questioning everything!” said one audit director. Excuse me, but doesn’t ISACA require auditors to maintain their professional skepticism? Perhaps ISACA means be skeptical of audit directors?