Adaptive IT Audit System

Auditors have a general requirement to provide management and business process owners with assurance and advice regarding designed and deployed controls in an entity to

1. render reasonable assurance that relevant control objectives are being met
2. identify where there are significant weaknesses in those controls,
3. substantiate the risk that may be associated with such weaknesses; and
4. proffer corrective actions for detected control weaknesses.

Various institutions enable the design and operation of clear policies and good practices to control information and related technologies. Considering the suggested information controls, firmly basing the information technology (IT) audit system on control objectives removes subjectivity from the audit conclusion, replacing it with authoritative criteria.

Generally accepted assurance standards, guidelines, and procedures permit preparing audit plans that address the entity’s control framework and control objectives. They should be used considering the control framework and objectives and developed into specific audit programs. However, commonly, they are neither exhaustive nor definitive. Thus, all generally accepted assurance standards, guidelines, and procedures may not apply and require tailoring to the specific environment.

Individual audit objectives and practices vary considerably from entity to entity. There are many practitioner types in audit-related activities, such as external auditors, internal auditors, self-assessment evaluators, quality reviewers, and security assessors. For this reason, the audit process must be adaptive in utilization and high-level in structure. <,p>