CISA-JPN Exam Question 46
Which of the following is the best way for an IS auditor to assess the design of an automated application control?
Correct answer: C
Reviewing the application implementation documents is the best way for an IS auditor to assess the design of an automated application control. An automated application control is a control that is embedded in the application software and is executed by the system without human intervention. An automated application control is designed to ensure the accuracy, completeness, validity, and authorization of transactions and data processed by the application. Examples of automated application controls are input validation, edit checks, calculations, reconciliations, and exception reports.
The application implementation documents describe the design specifications, logic, and functionality of the application and its controls. They may include:
* Business requirements document - defines the business objectives, needs, and expectations of the application.
* Functional specifications document - describes the features, functions, and interfaces of the application and its controls.
* Technical specifications document - details the technical architecture, design, and configuration of the application and its controls.
* Test plan and test cases - outline the testing strategy, methodology, and scenarios for verifying the functionality and performance of the application and its controls.
* User manual and training material - provide instructions and guidance on how to use the application and its controls.
By reviewing the application implementation documents, an IS auditor can:
* Gain an understanding of the purpose, scope, and nature of the application and its controls.
* Evaluate whether the application and its controls are designed to meet the business requirements and objectives.
* Identify any gaps, inconsistencies, or errors in the design of the application and its controls.
* Compare the design of the application and its controls with industry best practices and standards.
* Determine whether the application and its controls are adequately tested and documented.
Interviewing the application developer is not the best way for an IS auditor to assess the design of an automated application control. An interview is a verbal communication technique that involves asking questions and listening to responses. An interview can be useful for obtaining general information or clarifying specific issues related to the application and its controls. However, an interview alone cannot provide sufficient evidence or documentation to support the auditor's assessment of the design of an automated application control. An interview may also be subject to bias, misunderstanding, or misinterpretation by either party.
Obtaining management attestation and sign-off is not the best way for an IS auditor to assess the design of an automated application control. Management attestation and sign-off is a formal process that involves obtaining written confirmation from management that they have reviewed and approved the design of the application and its controls. Management attestation and sign-off can indicate management's commitment and accountability for the quality and effectiveness of the application and its controls. However, management attestation and sign-off cannot substitute for an independent and objective evaluation by an IS auditor. Management attestation and sign-off may also be influenced by pressure, conflict of interest, or fraud.
Reviewing system configuration parameters and output is not the best way for an IS auditor to assess the design of an automated application control. System configuration parameters are settings that define how the system operates or interacts with other components. System output is data or information that is produced by the system as a result of processing transactions or performing functions. Reviewing system configuration parameters and output can help an IS auditor to verify whether the system is configured correctly and whether it produces accurate and reliable output. However, reviewing system configuration parameters and output cannot provide a comprehensive view of how the application and its controls are designed to achieve their objectives. Reviewing system configuration parameters and output may also require technical expertise or access rights that may not be available to an IS auditor.
CISA-JPN Exam Question 47
An IS auditor is reviewing a service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance metrics is the best indicator of service quality?
Correct answer: C
The percent of issues resolved by the first contact, also known as the first contact resolution (FCR) rate, is a metric that measures the effectiveness and efficiency of the IT help desk services. It indicates how many customer support issues are resolved on the first interaction with the IT help desk, without requiring any follow-up calls, emails, chats, or escalations. The FCR rate is calculated by dividing the number of issues resolved on the first contact by the total number of customer support issues, and multiplying by 100% [1].
The FCR rate is the best indicator of service quality among the four monthly performance metrics, because it reflects the following aspects of the IT help desk services:
* Customer satisfaction: Customers are more likely to be satisfied with the IT help desk services if their issues are resolved quickly and effectively on the first contact, without having to wait for a response or repeat their problem to multiple agents. A high FCR rate can improve customer loyalty, retention, and advocacy [2].
* Cost efficiency: Resolving issues on the first contact can reduce the operational costs of the IT help desk services, such as labor costs, phone costs, or overhead costs. A high FCR rate can also increase the productivity and utilization of the IT help desk agents, as they can handle more issues in less time [3].
* Service level: Resolving issues on the first contact can improve the service level of the IT help desk services, such as reducing the average handle time (AHT), increasing service level agreement (SLA) compliance, or decreasing the backlog of unresolved issues. A high FCR rate can also enhance the reputation and credibility of the IT help desk services [4].
Therefore, an IS auditor should review the FCR rate as a key performance indicator (KPI) of the IT help desk services, and compare it with industry standards and benchmarks. According to MetricNet's benchmarking database, the FCR industry standard is 74 percent. This number varies widely, however, from a low of about 41 percent to a high of 94 percent [5]. An IS auditor should also recommend ways to improve the FCR rate, such as:
* Training and empowering the IT help desk agents to handle a wide range of issues and provide accurate and consistent solutions
* Implementing a knowledge base or a self-service portal that provides relevant and updated information and guidance for common or simple issues
* Improving communication and collaboration between different departments or teams that may be involved in resolving complex or escalated issues
* Using feedback and analytics tools to monitor and measure customer satisfaction and identify areas for improvement
CISA-JPN Exam Question 48
Which of the following is the best way to verify that a vendor complies with system security requirements?
Correct answer: C
CISA-JPN Exam Question 49
Which of the following should be of most concern to an IS auditor reviewing an organization's IT process performance report for the past quarter?
Correct answer: D
CISA-JPN Exam Question 50
When planning an internal penetration test, which of the following is the most important step before finalizing the scope of the test?
Correct answer: B
Obtaining management's consent to the testing scope in writing is the most important step prior to finalizing the scope of testing, as it ensures that the penetration testers have the authorization and approval to perform the testing activities. It also protects them from any legal liabilities or accusations of unauthorized access or damage. The other options are not as important as obtaining management's consent, and they may vary depending on the specific situation and agreement. For example, some systems may not be excluded from the testing scope, and some tests may not be restricted to the test environment. References: CISA Review Manual (Digital Version) 1, page 381-382.