The purpose of internal and external audits is to identify potential opportunities for making improvements in control objectives and control activities. The handoff point between the completion of the audit and the auditee’s assumption of control is in the portion of the audit report that contains findings and recommendations. These recommendations are the imperatives that the auditor recommends the auditee perform to improve the control environment.
Implementation of audit recommendations is the responsibility of the auditee. However, there is some sense of shared responsibility with the auditor, as the auditor seeks to understand the auditee’s business, so that the auditor can develop recommendations that can reasonably be undertaken and completed. In a productive auditor-auditee relationship, the auditor will develop recommendations using the fullest possible understanding of the auditee’s business environment, capabilities, and limitations, in essence saying, “here are my recommendations to you for reducing risk and improving controls.” And the auditee, having worked with the auditor to understand his methodology and conclusions, and who has been understood by the auditor, will accept the recommendations and take full responsibility for them, in essence saying, “I accept your recommendations and will implement them.” This is the spirit and intent of the auditor-auditee partnership.
– from CISA Certified Information Systems Auditor All-In-One Study Guide – the last words written into the draft manuscript, completed a few hours after the last of the Fourth of July fireworks have burst in the night sky