Retrospectively, information security audits are a routine matter for internal auditors, but sometimes a controversial issue among external auditors. The controversy centers on the extent that IT security controls are accounting controls rather than administrative controls. Though most external auditors accept access controls as accounting controls, there is opinion division when considering other IT security controls. For instance, regarding other IT security controls, off-premise file storage, environmental protection mechanisms, and data processing insurance are treated as administrative controls by the external auditors promoting their position for these auditable units.
“View Part I of the Auditing Information Assets Protection series here“