For job security, get the house in order before an IT audit
Conclusion: IT auditors typically consult with, and report their findings to, the board’s Audit and Risk Committee. Their POW (program of work) or activities upon which they will focus may or may not be telegraphed in advance to stakeholders, including IT management.
To avoid getting a qualified audit report for IT, e. g. when internal (systems) controls are weak or IT risks are unmanaged, business and IT management must first get their house in order, by tightening controls and addressing risks before the possible arrival of the audit team. Failure to get the house in order, before an audit, could be career limiting for IT and business managers.