Operating management should formally and effectively respond to IT audit or examination findings and recommendations. The audit procedures should clearly identify the methods for following up on noted audit or control exceptions or weaknesses. Operating management is responsible for correcting the root causes of the audit or control exceptions, not just treating the exceptions themselves. Response times for correcting noted deficiencies should be reasonable and may vary depending on the complexity of the corrective action and the risk of inaction. Auditors should document, report, and track recommendations and outstanding deficiencies. Additionally, auditors should conduct timely follow-up audits to verify the effectiveness of management's corrective actions for significant deficiencies.
Internal IT Audit Staff