As an IS auditor, it is important for you to be cognizant of whom you should be interviewing, and how long those interviews should take. Every auditor will frequently face a time crunch due to the customer's schedule or other issues. You will need to pay particular attention to the value of other people's time. Consider the work outage created when you take someone out of their job role to spend time with you. Will it be necessary to backfill their position by providing a substitute during this time away?
Think for a moment of what it would cost the organization for a key executive to spend 15 minutes with you. This executive's time may be measured in personal compensation or by the revenue they generate for the organization. Top executives, such as the CEO, will have compensation packages that include both money and substantial shares of stock. Based on total compensation, the CEO may be receiving several thousand dollars per hour or more.
Note: Former Walt Disney CEO Michael Eisner received total compensation equal to $27,000 per hour, which was equivalent to approximately 0.18 percent of the revenue generated under his leadership during the same time period.
The moral is that to justify 15 minutes of somebody's time, you had better have something to discuss that is of greater value than that person's prorated value to the organization (greater than prorated revenue + compensation). Consider the cost of a meeting of high-level executives. You need to ensure that the time spent is relevant and remains focused on the audit objectives. The savvy auditor respects the value of a person's time.
Every system will have an inherent need for controls. The auditor needs to ensure that discussions occur with the correct individuals concerning appropriate controls. Three basic IT-related roles exist for every system: owner, user, and custodian. Table 1 shows examples of individuals with their associated roles and responsibilities.
Role | Example | Basic Responsibilities |
---|---|---|
Data owner | Vice president | Determine classification; specify controls; appoint custodian |
Data user | Internal business user; business partner; business client (web) | Follow acceptable usage requirements; maintain security; report violations |
Data custodian | Database administrator; production programmer; system administrator | Protect information; ensure availability; implement and maintain controls; provide provisions for independent audit; support data users |
These individuals don't have to work in the IT department. On the contrary, these roles exist regardless of the individual department boundaries. If someone performs the function, the responsibility of the role applies to that person. No exceptions. If a person performs two roles, two sets of responsibilities apply. If someone performs all three roles, either it's a one-person operation or you need to have a talk about separation of duties and the value of their data.
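The role model above (owner, user, custodian) and the rule that responsibilities follow the function rather than the department are easy to turn into an audit working paper. The following Python script is an added example, not code from the original post: it rolls up each person's responsibilities from the table, lists whom to interview about the controls on a given data set, and flags the separation-of-duties case the text describes (one person holding all three roles). The role assignments are constructed sample data, and the additional owner-plus-custodian check is an assumption of this example, included because the owner specifies the controls that the custodian implements.

```python
"""Role/responsibility roll-up and separation-of-duties check for the
owner/user/custodian model. Added example with constructed data."""
from collections import defaultdict

# Responsibilities per role, taken from the table in the text.
RESPONSIBILITIES = {
    "owner": ["Determine classification", "Specify controls", "Appoint custodian"],
    "user": ["Follow acceptable usage requirements", "Maintain security",
             "Report violations"],
    "custodian": ["Protect information", "Ensure availability",
                  "Implement and maintain controls",
                  "Provide provisions for independent audit", "Support data users"],
}

# Constructed sample: (person, data set, role). Department is deliberately
# absent: the role applies to whoever performs the function.
ASSIGNMENTS = [
    ("vp_finance", "payroll", "owner"),
    ("dba_alice", "payroll", "custodian"),
    ("clerk_bob", "payroll", "user"),
    ("admin_carol", "hr_records", "owner"),
    ("admin_carol", "hr_records", "custodian"),
    ("admin_carol", "hr_records", "user"),
]


def responsibilities_by_person(assignments):
    """Two roles mean two sets of responsibilities; union them per person."""
    out = defaultdict(set)
    for person, _data, role in assignments:
        out[person].update(RESPONSIBILITIES[role])
    return {person: sorted(resp) for person, resp in out.items()}


def roles_by_person_and_data(assignments):
    """Roles each person holds on each data set."""
    out = defaultdict(set)
    for person, data, role in assignments:
        out[(person, data)].add(role)
    return out


def sod_findings(assignments):
    """Flag a person holding all three roles on one data set (the case in the
    text) and, as an assumption of this example, owner plus custodian together."""
    findings = []
    for (person, data), roles in sorted(roles_by_person_and_data(assignments).items()):
        if roles == {"owner", "user", "custodian"}:
            findings.append((person, data, "holds owner, user and custodian roles"))
        elif {"owner", "custodian"} <= roles:
            findings.append((person, data, "holds both owner and custodian roles"))
    return findings


def interviewees(assignments, data):
    """Whom to interview about controls on a data set: its owner(s), who
    specify controls, and its custodian(s), who implement them."""
    out = {"owner": [], "custodian": []}
    for person, d, role in assignments:
        if d == data and role in out:
            out[role].append(person)
    return {role: sorted(people) for role, people in out.items()}


if __name__ == "__main__":
    for person, resp in responsibilities_by_person(ASSIGNMENTS).items():
        print(f"{person}: {len(resp)} responsibilities")
    print("Interview for payroll:", interviewees(ASSIGNMENTS, "payroll"))
    for person, data, issue in sod_findings(ASSIGNMENTS):
        print(f"SoD finding: {person} on {data} {issue}")
```

Run against a real access listing, the `sod_findings` output is the list of people the auditor needs "to have a talk" with, and `interviewees` gives the short list of people whose time is actually worth spending on control discussions for a given data set.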