In the case of a verbal agreement between IT and HR departments regarding IT services, what should the IS auditor do first?

The best course of action for the IS auditor in this scenario is to confirm the content of the verbal agreement with both the IT and HR departments. By doing so, the auditor ensures that there is a clear and mutual understanding of the terms and expectations surrounding the IT services being provided. This step is critical because it establishes clarity on what each department anticipates from the arrangement, which can help identify any potential misalignments or misunderstandings that could affect service delivery or operational efficiency.

Confirming the content of the agreement also serves as a foundation for subsequently documenting the agreement formally, which is crucial for accountability and future reference. Once the auditor has clarified the specifics of the verbal agreement, they can then proceed to recommend the formulation of a written service level agreement, thus reinforcing the importance of documented agreements in governance and compliance frameworks.

This proactive confirmation step also serves to build trust and enhance communication between departments, ensuring that all parties involved are on the same page before any formal audit process or further documentation occurs. It is a strategic move that lays the groundwork for more robust and effective IT governance.