What criteria can internal audit use for a Shadow IT audit when no policy exists?
Use a criteria hierarchy and make it explicit in the engagement plan. Internal criteria may include the audit charter, board-approved audit plan, risk register, procurement rules, data classification policy, security strategy, and any prior risk acceptance statements. External criteria may include selected NIST, CIS, COSO, or other good-practice guidance relevant to the scoped risk.
The report should not imply that the organization adopted an entire external framework unless it actually did. Instead, state the selected audit objective. For example: "Internal audit assessed whether management had a repeatable process to identify, approve, and monitor cloud tools that store company data." That criterion can be supported by widely accepted expectations for asset inventory, software inventory, access governance, and data protection.
If no policy exists, that can become part of the finding. The finding is not "you failed a policy you never adopted." It is "management has not established adequate criteria, ownership, and controls for a known risk area."