Status: Live
The organization will report on the percentage of audit findings that have been resolved. [UCF ID 01678]
Metric guidance
Calculation: The calculation for this metric is # of audit findings that have been resolved / # of audit findings.
Calculation source: No authority document source of information exists. The following formula was used: the number of findings that have been fixed or accepted as a risk divided by the number of vulnerability findings from the latest audit.
The Common Control IDs associated with this metric are as follows:
- • Review past responses to audit reports [UCF Control ID 01149]
• Ensure IS Governance initiates prompt action to correct reported deficiencies [UCF Control ID 01177]
Supporting and supported controls
This control directly supports:
- • Establish and maintain an internal and external audit metrics standard [UCF Control ID 01664]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10,2005, ISPE6.2; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.1
US Federal Security Guidance
The organization must measure and report on the percentage of audit findings that have been resolved. [ISPE6.2, CISWG Information Security Program Elements, January 10,2005]
General Guidance
The purpose of this measurement is to measure the percentage of audit findings that have not been resolved. [§ 18.1, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.