The primary drivers for ISG assurance planning are the verification of governance existence, adequacy, and risk management. However, as with standard IT audits, a general understanding of the control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA IT audit standards and guidelines.
Theoretically, the control environment (CE) epitomizes management’s attitude, awareness, and actions. Demonstrably, integrity and ethical values, commitment to competence, management’s philosophy and operating style, organizational structure, assignment of responsibility and authority, human resource policies and practices, budget formulation and execution, as well as control methods over compliance with laws and regulations, are representative CE characteristics. Within this context, the adopted information security program is normally a sub-divisional control system of the entity. Therefore, the entity’s CE should be replicated within the information security CE.
View Part I of the Auditing Information Security Governance series.