Since I have completed the ITGC audit working paper, what is left is the management letter, it is a document that summarize all the founding from the working paper and to point out what are deficiency that client should take note of it.
The management letter begin with a short introduction of what is it, it mentioned that audit for the company is a limited scope review, the comments we gave cannot be expected to include all possible control improvements in the selected systems that a more wide-ranging engagement might identify. After that it comes with a description of the company’s IT environment background, it is same as what we put under the audit working paper. Then section 2 it list down again what are the controls that have audited under the 4 main areas (access to program and data, program changes, program development and computer operations). The section 3 is a table that describe the classification of observation, the assessment can be classified into three levels which are high, medium and low. The table below generally describe the extend of each level.
Section 4 summarize the observation and its respective recommendations, for the audit of Leader Steel, there are only two observation we need to mention to client, the first is regarding the lack of review and approval of IT policies, as what we observed, the policies are preared but we cannot found there is any proper approval and review done by top management, hence we recommend the management to start review all the updated IT policies. Another thing to mention to client is on the improvement to the password policy management, we noticed that the password policy is not comply with best practice, thus we suggest client to change their password policy to be more stronger. After drafting the management letter, then I double check it again to ensure the contents inside are tally with the points that I wrote on the audit working paper.
The second thing I did tody is to join my colleague Kar Enn’s kick off meeting with a company namely Mitech, supposedly, I should be the one to present the information request list but the client himself have straight directly showed us what he have provided, so there is no need for me to present again, after the meeting there is an issue in which client refused to provide us all the evidence he showed to me just now due to the reason that CEO does not allow the document to be sent to third parties as it is confidential document, however we still insist that we need these document as without it we are not able to proceed with the audit, the client then told us that he will deal again with the CEO and reply to use when there is any reply from the CEO.
Main things that have learnt
Prepare the Management Letter
Learn how to deal with the situation when client refused to provide us the evidences
Comment/idea/opinion
The issue happened today have reaffirmed that communication is important as when there is conflict happened between us and client, it is our obligation to communicate professionally with client to solve the issue.
Comentarios