Posted by: Robert Davis
Certified Information Systems Auditor, Certified Information Technology Professional, Certified Internal Auditor, Certified Internal Controls Auditor, Certified Public Accountant, COBIT, External Audit, Information Security Governance, Internal Audit, ISG, IT Audit
ISG audits normally have an organizational focus. ‘Organizational-based’ ISG audits and reviews examine the deployed governance frameworks, managerial issues, and departmental activities. However, if during organizational-based planning the IT auditor discovers that no governance framework has been deployed, the audit or review planner should use the Control Objectives for Information and related Technology (COBIT) framework as the minimum basis for setting detailed audit objectives.
Alternatively, ISG may fall within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. One independence caveat applies: if the audit unit developed the entity’s performance measurement system, that audit unit cannot be deemed independent when conducting a performance audit that evaluates whether the same system is adequate. Quantitatively, results-based audits can address performance issues by using goal and performance indicators as measurement standards. Qualitatively, results-based audits can also assess the governance knowledge and practices within the audit area. Whatever results-based measurement standards are used, ISG effectiveness remains the primary audit objective for the auditable unit.
View Part I of the Auditing Information Security Governance series here.