I have been around a lot of years and seen a lot of unusual things in internal auditing. Therefore nothing surprises me. I remember one organization where the IA dept. and auditors were assessed solely on how many of their recommendations were adopted totally as is! You can use your auditor imagination to see how this can affect IA and be manipulated to the detriment of the organization & IA. Yes, reasonable and valid recommendations are a key part of what IA can provides, but surely not the only thing! Plus management is responsible for assessing risks and deciding which to accept, not IA! Others with thoughts on this? And what does you IA organization use or recommend! Each can be different depending on the focus of your IA shop!
HAND!
Ron Keister, CIA, CPA
In a message dated 04/05/2002 5:22:59 PM Eastern Standard Time, [EMAIL PROTECTED] writes:
Also, maybe you need to do a better job educating the CEO on what the
*traditional* audit function is. Maybe he will change his *tune* after you
educate him.
Tony CIA,CISA,CDP,MBA
IT Security Manager
