IAP audits normally have an operational focus addressing general controls. ‘Operational-based’ IAP audits examine how well personnel in the audited department adhere to policies and procedures, while simultaneously evaluating the economy, effectiveness and efficiency of assigned tasks relative to the aforementioned control group. General IT controls can be classified to include organizational structures, hardware configurations, operating systems, physical facilities, development methodologies, change management, and operational continuity. However, if during ‘operational-based’ planning the IT auditor discovers that an IAP framework is not deployed, the audit planner should consider utilizing the COBIT Deliver and Support-Ensure Systems Security framework domain process as a baseline for setting detailed objectives.
“View Part I of the Auditing Information Assets Protection series here.”