February 2, 2022 - 12:57pm
#1
Each year we complete a QAIP and present it to our Audit Committee of the Board and we then provide it to our Executive Team.
We have the IT audits conducted by our Information Security Department. That department is comprised of two individuals and they are not a part of Internal Audit and do not report to Internal Audit. Should the work they do be included in the QAIP that I present or should that department prepare their own QAIP?
My thoughts are they do not need to prepare one since they are not an audit shop and are not required to follow the Standards of the IIA. I also feel that I should not include their work in my QAIP since they do not report to Internal Audit.
I would appreciate anyone's thoughts on this.
Thank you
