As been IS Auditor did we responsible to implementation process?

Being IS Auditor, we are not responsible for implementation of any Information System that will become part of our Audit Universe. We may however, proactively carry out a pre implementation review to identify any gaps or risks before the actual implementation and facilitate the implementing department by adding value to their product thru our expertise. However, Risks that our review failed to identify could be treated as a shared responsibility between us and the implementing department/unit. Ultimately, the implementing department/unit and the respective business owner department(s)/unit(s) are responsible for a successful implementation.

 

Regards,

Umar

IS auditor should identify gaps within processes, or incompliance within an existing process. In both cases he/she should set recommendations. The auditor recommendation does not mean implementing the process itself as the owner of the audit finding should agree on acceptable lifecycle of the process which includes minimum controls, and finally the process owner should implement it.

No we cannot implement the process because it impairs the independence.Hence IS Auditor can only recommend.

No ,It will create a conflict and might impair professional independence of IS Auditor