Status: Live
The organization will report on the percentage of management actions in response to audit findings / recommendations that were implemented as agreed as to timeliness and completeness. [UCF ID 02071]
Metric guidance
Calculation: The calculation for this metric is # of management actions in response to audit findings and recommendations that were implemented as agreed as to timeliness and completeness / # of audit findings and recommendations.
Calculation source: No authority document source of information exists. The following formula was used: the number of audit findings that had management actions assigned to them and that were completely implemented in a timely fashion, divided by the number of audit findings and recommendations that were identified during the last security audit for each business unit (or the organization as a whole).
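As an added worked example (not part of the UCF text), the following Python computes the ratio above per business unit and for the organization as a whole from constructed sample findings; the Finding fields and the reading of "timely" as completed on or before the agreed date are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    """One audit finding or recommendation (field names are assumed, not UCF-defined)."""
    unit: str                       # business unit the finding was raised against
    finding_id: str
    agreed_due: Optional[date]      # date management committed to; None = no action assigned
    completed_on: Optional[date]    # actual completion date; None = still open
    complete: bool = False          # True only when every agreed action was finished

def implemented_as_agreed(f: Finding) -> bool:
    """Counts toward the numerator only if an action was assigned, fully done, and on time.
    'Timely' is assumed to mean completed on or before the agreed date."""
    if f.agreed_due is None or f.completed_on is None or not f.complete:
        return False
    return f.completed_on <= f.agreed_due

def metric(findings: list[Finding]) -> Optional[float]:
    """Implemented-as-agreed / total findings; None when there were no findings (undefined)."""
    if not findings:
        return None
    return sum(implemented_as_agreed(f) for f in findings) / len(findings)

def metric_by_unit(findings: list[Finding]) -> dict[str, Optional[float]]:
    """Same ratio per business unit, plus 'organization' for the whole population."""
    units = {f.unit for f in findings}
    result = {u: metric([f for f in findings if f.unit == u]) for u in sorted(units)}
    result["organization"] = metric(findings)
    return result

# Constructed sample findings from a hypothetical audit cycle.
SAMPLE = [
    Finding("finance", "F-1", date(2024, 3, 1), date(2024, 2, 20), complete=True),  # on time, complete
    Finding("finance", "F-2", date(2024, 3, 1), date(2024, 3, 15), complete=True),  # late
    Finding("finance", "F-3", None, None),                                           # no action assigned
    Finding("ops", "O-1", date(2024, 4, 1), date(2024, 3, 30), complete=True),       # on time, complete
    Finding("ops", "O-2", date(2024, 4, 1), date(2024, 3, 30), complete=False),      # on time but partial
]

if __name__ == "__main__":
    for unit, value in metric_by_unit(SAMPLE).items():
        print(f"{unit}: {'n/a' if value is None else f'{value:.0%}'}")
```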
The Common Control IDs associated with this metric are as follows:
• Review past audit reports for constructiveness and timeliness [UCF Control ID 01162]
• Review past responses to audit reports [UCF Control ID 01149]
• Ensure IS Governance initiates prompt action to correct reported deficiencies [UCF Control ID 01177]
Supporting and supported controls
This control directly supports:
• Establish and maintain an internal and external audits metrics program [UCF Control ID 02068]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE16.3; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 7; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2
US Federal Security Guidance
The organization must measure and report on the percentage of management actions in response to audit findings / recommendations that were implemented as agreed as to timeliness and completeness. [ISPE16.3, CISWG Information Security Program Elements, January 10, 2005]
NIST Guidance
This metric must be calculated using # of management actions in response to audit findings and recommendations that were implemented as agreed as to timeliness and completeness / # of audit findings and recommendations [Table 7, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]
General Guidance
The purpose of this measurement is to measure the percentage of management actions in response to audit findings and recommendations that were implemented as agreed upon regarding timeliness and completeness. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
