There are quite a few companies that want assurance about what is going on in IT. A kind of "quality assurance"... These companies even end up with an "IT auditor" position in their org charts. Quite often, this position sits within the IT department itself. Well, the use of this term (auditor) creates quite a lot of confusion here.
“Organisation
4.1.1 IS auditors should be organisationally independent of the area being audited. Independence is impaired if the IS auditors have direct control over the area being audited. The IS auditors’ independence can also be impaired if the IS auditors have direct reporting responsibility to those individuals who have direct control over the area being audited. The IS auditors’ independence also may be impaired if IS auditors are required, for tracking purposes, to report their time expended in performing the audit, including progress, audit issues, etc., to the IT group responsible for those controls tested and who report the results to senior or executive management. This could be perceived as the IT group project managing the IS auditors and, thus, an impairment of the IS auditors’ independence. In addition, IS auditors should take into consideration if independence has been impaired in situations where the scope of work performed is based on requirements of the control process owners for business or regulatory purposes.” – G12 ORGANISATIONAL RELATIONSHIP AND INDEPENDENCE
Leaving particular situations aside for now, things are as simple and clear as can be. If the person called "auditor" is going to review the information system, then “The responsibility, authority and accountability of the information systems audit function or information audit assignments should be appropriately documented in an audit charter or engagement letter” – G5 AUDIT CHARTER.
If the auditor is going to do anything other than "review", then their position can sit within the IT department.