An IT auditor should include in the audit ambit relevant processes for planning, organizing, and monitoring information security activities. Furthermore, the audit ambit should include control systems for the use and protection of the full range of COBIT framework IT resources. Specifically, people, information, applications, and infrastructure are the IT resources that should be addressed within the ISG audit ambit’s control systems.
Critical for a viable ISG audit plan is the IT audit function’s organizational status. Thus, internal IT audit organizational status may become a factor in determining whether to proceed with an ISG audit or review. For instance, management may consider it inappropriate to grant internal IT auditors access to high-level business documents. Accordingly, organizational status may require hiring an independent third party to manage and perform the ISG audit or review.
“View Part I of the Auditing Information Security Governance series here“