IT Examiner School, Providence, RI

Conducting Initial Discussions

• The purpose is to share initial IT findings, validate the accuracy of those findings, and provide management with an opportunity to respond. During this discussion, you should:
  ◦ Translate your IT concerns into business risks so that management understands their significance.
  ◦ Identify underlying causes for the deficiencies you identify.
  ◦ What is the “root” cause?
  ◦ Discuss the need for formal commitments, if applicable.

Themes

Assume you identify the following concerns during the examination:
  ◦ Lack of management oversight of the risk assessment program.
  ◦ Poor data and physical security controls.
  ◦ Lack of disaster recovery planning.
  ◦ Incomplete audit activities.
