How should auditors test compensating controls for unsupported software?
Management says an old application cannot be upgraded yet, but the risk is controlled through isolation and monitoring. What evidence should internal audit inspect?
Start by identifying which specific controls management is relying on. "Isolated" and "monitored" are conclusions, not evidence.
Useful procedures include:
- inspect the asset inventory and confirm the system owner and the software version actually running,
- obtain a dependency map showing why the software cannot be upgraded immediately,
- review the current firewall or segmentation rules that restrict traffic to and from the system (a rule export, not a diagram),
- test whether network and application access is limited to approved users and service accounts, for example by sampling accounts against the approval list,
- inspect recent access-review evidence,
- review vulnerability or configuration assessment results and how open items are being tracked,
- inspect backup and restore test evidence,
- confirm that logs are collected and that alerts are actually reviewed (tickets or review signoffs, not just the logging configuration),
- review the exception approval and its expiry date, and whether the exception has lapsed, and
- inspect the migration or replacement roadmap.
The auditor should also check whether the controls are operating, not merely designed. A network diagram from two years ago is weaker evidence than a current firewall rule export and a recent rule-review signoff.
If the audit team lacks technical expertise, it can use a specialist for defined procedures or narrow the scope of the conclusion. The report should not imply assurance over controls the team did not test.
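As an added example (not part of the original answer), the script below shows one way to re-perform three of the procedures above against a rule export rather than accepting a diagram: it lists the allow rules that can reach the legacy host, flags any whose source is outside the approved list, flags rules whose last review is older than a year, and computes how many days remain on the exception. The rule export, host address, approved-source list and exception expiry are all constructed for illustration; on a real engagement they would come from the firewall or cloud security-group API and the exception record.

```python
"""Re-performance check of a segmentation control for an unsupported host.

Added example, not the page's own procedure. All inputs are constructed;
addresses and rule IDs are hypothetical.
"""
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed rule export. Fields mirror a typical firewall or security-group
# dump: source CIDR, destination CIDR, port, action, last review date.
RULES = [
    {"id": "R1", "src": "10.20.5.0/24", "dst": "10.90.1.15/32", "port": 8443,
     "action": "allow", "last_reviewed": "2024-11-02"},
    {"id": "R2", "src": "10.20.9.4/32", "dst": "10.90.1.15/32", "port": 22,
     "action": "allow", "last_reviewed": "2023-01-10"},
    {"id": "R3", "src": "0.0.0.0/0", "dst": "10.90.1.15/32", "port": 80,
     "action": "allow", "last_reviewed": "2024-11-02"},
    {"id": "R4", "src": "0.0.0.0/0", "dst": "10.90.1.15/32", "port": 0,
     "action": "deny", "last_reviewed": "2024-11-02"},
]

LEGACY_HOST = "10.90.1.15"           # constructed address of the old application
APPROVED_SOURCES = ["10.20.5.0/24"]  # taken from the (constructed) exception record


def rules_reaching(rules, host):
    """Allow rules whose destination covers the legacy host."""
    h = ip_address(host)
    return [r for r in rules if r["action"] == "allow" and h in ip_network(r["dst"])]


def unapproved_allows(rules, host, approved):
    """IDs of allow rules whose source is not fully inside an approved network.

    A source of 0.0.0.0/0 is never a subnet of a specific approved range, so
    'any'-source rules are always flagged.
    """
    approved_nets = [ip_network(a) for a in approved]
    findings = []
    for r in rules_reaching(rules, host):
        src = ip_network(r["src"])
        if not any(src.subnet_of(a) for a in approved_nets):
            findings.append(r["id"])
    return findings


def stale_reviews(rules, as_of_iso, max_age_days=365):
    """IDs of rules (allow or deny) not reviewed within max_age_days of as_of."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return [r["id"] for r in rules if date.fromisoformat(r["last_reviewed"]) < cutoff]


def exception_days_remaining(expiry_iso, as_of_iso):
    """Days until the exception expires; negative means it has already lapsed."""
    return (date.fromisoformat(expiry_iso) - date.fromisoformat(as_of_iso)).days


def audit(rules, host, approved, exception_expiry_iso, as_of_iso):
    """Bundle the three re-performance results into one workpaper-style dict."""
    return {
        "unapproved_allows": unapproved_allows(rules, host, approved),
        "stale_reviews": stale_reviews(rules, as_of_iso),
        "exception_days_remaining": exception_days_remaining(exception_expiry_iso, as_of_iso),
    }


if __name__ == "__main__":
    # Constructed test date and exception expiry.
    for k, v in audit(RULES, LEGACY_HOST, APPROVED_SOURCES, "2025-03-31", "2025-01-15").items():
        print(f"{k}: {v}")
```

Each flagged rule ID is an item to raise with the system owner, and a negative days-remaining value means management is relying on an exception that has already lapsed. The script only tests what the export shows; the auditor still needs evidence that the export is current and came from the enforcing device.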