Question:

You are the manager of internal audit of a large multinational foodstuffs company. One day, you meet with one of your audit seniors at her request. She has primary responsibility for information systems auditing within your company, and she has eight staff members that report to her.

At the beginning of the meeting, she reports that she has encountered some problems with one of her staff. During a detailed review of an audit that he has recently conducted of the company's personnel and payroll systems, she has discovered several aspects of his work that concern her. First, it appears that he has "borrowed" program code from a colleague who works with a competitor organization to develop certain specialized software that he needed to conduct the audit. In addition, he has made an unauthorized copy of a commercial audit software package that is used to evaluate the reliability of controls in the local area network platform that your company uses.

Second, he has been careless in protecting the privacy of some sensitive information contained in the personnel files that he was examining. He had used the specialized software he had developed to undertake some sophisticated computer matching of data in different company files as a means of detecting any payroll irregularities that might exist. Unfortunately, he had copied some of these files to a diskette and left the diskette on a desk in the payroll department where he was working temporarily. Another employee had discovered the diskette when she was working late one evening, and she read the contents of the file using software on her own machine. She thought it might be interesting to see the sorts of data that the auditor was examining. The diskette contained sensitive personnel performance data and medical data. The employee had disclosed some of this data to a colleague, who in turn had disclosed it to other colleagues. As a result, a distressed employee had made a complaint to the personnel manager when he discovered that confidential information about his drug dependency problems and work performance problems was circulating among company employees. The personnel manager in turn had made a complaint to your audit senior.

Third, the audit documentation prepared by the auditor was of mixed quality. Some parts of the audit were well documented. Other parts were poorly documented, however, especially those relating to use of the "borrowed" software and the commercial software that had been copied and those relating to the computer data matching that had been undertaken. The auditor had reached some worrisome conclusions about the reliability of controls in the personnel and payroll areas and the existence of irregularities in these areas. During a meeting with the vice president responsible for these areas, however, he had been evasive about the basis for his conclusions when he was questioned aggressively by the vice president. (The vice president was clearly upset about the conclusions that had been reached.) The auditor reacted negatively to the questioning and insisted that his conclusions were valid. He retorted that the vice president would be culpable if she did not attend immediately to the matters he had raised in his report. A stand-off situation now exists.

Your audit senior asks what steps you and she should now take to try to mitigate the problems that have occurred. She points out that she and all her staff are CISAs and members of the Information Systems Audit and Control Association. In light of the level of professionalism that exists within her group, she is distressed that the current situation has arisen.

Required: On the basis of the information provided to you by your senior auditor, outline the steps you now propose to undertake.
