In an assurance engagement involving smart devices, the first step is to obtain a comprehensive inventory of all devices in use. This ensures that the audit covers all relevant assets and allows the internal auditor to assess risks, controls, and policies effectively.
Analysis of Answer Choices:

(A) Incorrect – Train all employees on bring-your-own-device (BYOD) policies.
While employee training is important, it is a control measure rather than the first step in an assurance engagement.
Without an inventory of devices, training effectiveness cannot be assessed.

(B) Incorrect – Understand what procedures are in place for locking lost devices.
This is a specific control measure but not the starting point for an engagement.
The first step should be to identify what devices exist before evaluating security measures.

(C) Correct – Obtain a list of all smart devices in use.
The foundation of an assurance engagement is identifying the scope, which includes listing all smart devices in use.
This allows the auditor to evaluate security risks, compliance, and control measures effectively.

(D) Incorrect – Test encryption of all smart devices.
Testing encryption is an audit procedure that should be performed after understanding the inventory and existing controls.
Without knowing which devices exist, encryption testing would not be effective.

IIA References and Internal Auditing Standards:

IIA’s Global Internal Audit Standards – Technology Assurance and Cybersecurity Audits
Outlines steps for conducting technology-related assurance engagements.

IIA’s GTAG (Global Technology Audit Guide) on Auditing Smart Devices
Recommends obtaining an inventory of devices as the first step in an audit.

COBIT Framework – IT Asset Management and Control
Emphasizes identifying assets as the foundation of IT governance and risk management.