O'Reilly logo
  • Ahmed Karkar thinks this is interesting:

It is impossible to overstate the importance of the baseline to an effective audit. In both external and internal audits, an auditor’s obligation is to fully understand the baseline and use that knowledge to accurately and objectively compare the subject of the audit to the criteria specified in the baseline. The use of formally specified audit criteria also means that an organization anticipating or undergoing an audit should not be surprised by the nature of the audit, what it covers, or what requirements the organization is expected to meet. External audits—especially those driven by regulatory mandates or certification standards—follow procedures and apply criteria that should be available...

From

Cover of The Basics of IT Audit

Note

IT Objectives for Business