During an exit interview, in cases where there is disagreement regarding the impact of a finding,
an IS auditor should:
ask the auditee to sign a release form accepting full legal responsibility.
elaborate on the significance of the finding and the risks of not correcting it.
report the disagreement to the audit committee for resolution.
accept the auditee’s position since they are the process owners.
If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate
and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the
exposure. The goal should be to enlighten the auditee or uncover new information of which an IS
auditor may not have been aware. Anything that appears to threaten the auditee will lessen
effective communications and set up an adversarial relationship. By the same token, an IS auditor
should not automatically agree just because the auditee expresses an alternate point of view.