IT Governance, Risk, and Compliance

Oct 7 2011   8:59PM GMT

Auditing Information Security Governance – Part V

Robert Davis Robert Davis Profile: Robert Davis

ISG audits normally have an organizational focus. ‘Organizational-based’ ISG audits and reviews examine deployed frameworks, managerial issues, and departmental activities. However, if during organizational-based planning the IT auditor discovers a governance framework is not deployed, the audit or review planner should utilize the Control Objectives for Information and related Technology (COBIT) framework as a minimum basis for setting detail objectives.

Alternatively, ISG may be within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. However, if the audit unit developed an entity’s performance measurement system, the audit unit would not be deemed independent in conducting a performance audit to evaluate whether the system was adequate. Quantitatively, results-based audits can address performance issues utilizing goal and performance indicators as measurement standards. Whereas, qualitatively, results-based audits can also provide audit area governance knowledge and practices assessments. Whatever results-based audit measurement standards utilized, ISG effectiveness is the primary auditable unit audit objective.

View Part I of the Auditing Information Security Governance series here

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: