Data Management Audit Engagements Across Two Countries. – Sofia Cataffo

Abstract:

The aim of this thesis is to develop a Risk And Control Matrix (RACM) for internal auditing in the field of information technology, on the topic of data management. The RACM is the key output of internal audit work, and it consists of a document explaining the risks related to the topic under investigation, how the auditee is expected to face them (through control measures), and the results of testing of those controls. The paper is based on engagements in two legal entities, one established in Croatia and the other one in Bulgaria. The engagements are conducted by a Company based in Czech Republic, with legal entities active throughout Central and Eastern Europe. The author aims at building a RACM to be used in present and future engagements in data management, suitable for entities of all nationalities and capability levels in the region of the company’s activity. This goal is reached with the proposal of a single RACM, which can be used as starting point for audit engagements in IT data management. The key difference between entities is found to be not related to the country of activity, but to the capability and maturity level of the entity’s processes. …moreless

Abstract:

The aim of this thesis is to develop a Risk And Control Matrix (RACM) for internal auditing in the field of information technology, on the topic of data management. The RACM is the key output of internal audit work, and it consists of a document explaining the risks related to the topic under investigation, how the auditee is expected to face them (through control measures), and the results of testing of those controls. The paper is based on engagements in two legal entities, one established in Croatia and the other one in Bulgaria. The engagements are conducted by a Company based in Czech Republic, with legal entities active throughout Central and Eastern Europe. The author aims at building a RACM to be used in present and future engagements in data management, suitable for entities of all nationalities and capability levels in the region of the company’s activity. This goal is reached with the proposal of a single RACM, which can be used as starting point for audit engagements in IT data management. The key difference between entities is found to be not related to the country of activity, but to the capability and maturity level of the entity’s processes. …moreless