Learning Objectives and Outcomes
Identify correct and incorrect compliance recommendation statements in an auditing report.
Audit final reports may include recommendations supported by the audit findings. The recommended actions should be logically tied to a finding for which the problem has also been identified. Recommendations should be specific, sensible, cost-effective, and actionable.
- Actionable recommendations should not include statements such as “controls should be strengthened.” Tactical recommendations are important and needed. However, the report should also provide strategic recommendations that consider the broader picture of the organization’s objectives and how identified gaps or vulnerabilities affect the organization’s ability to achieve those goals.
Discuss and compose examples of at least one correct and one incorrect compliance recommendation statement for the following:
Retailer PCI DSS compliance finding: Company does not use vendor-supplied defaults for system passwords and other security parameters
Health care organization HIPAA finding: E-mails with personally identifiable information (PII) and protected health information (PHI) can be sent out of the organization without screening
Financial institution: Institution does not have a process in place for logging and auditing access control lists of users of the 401(k) database
Compose a list that includes the correct and incorrect compliance recommendation statements for each type of organization.