IT Governance, Risk, and Compliance


December 16, 2011  9:54 PM

Auditing Systems and Infrastructure Life Cycle Management – Part I

Robert Davis

There is general agreement that IT auditor involvement in systems and infrastructure development life cycle (SIDLC) projects helps ensure that IT architecture items work properly and include adequate controls. However, there is less agreement as to the role IT auditors should play in the SIDLC. Should IT auditors merely review system and/or infrastructure development processes and the resulting controls, or should they involve themselves actively in the design processes?

Within the potential systems and infrastructure life cycle management (SILCM) IT assurance ambits, when focusing on deployment processes, a SIDLC methodology will be of little use if projects are not adequately managed. Consequently, the value of project management techniques in project planning and control cannot be overstated. Project planning is the process of ensuring that the project’s objectives are translated into a work program, whereas project control is the process of ensuring execution of the processes, activities, and tasks identified in the project plan.

December 13, 2011  9:15 PM

Auditing Business Continuity and Disaster Recovery – Part VIII

Robert Davis

An IT auditor should perform a preliminary control environment (CE) assessment corresponding to the audit area being examined to enable reasonable assurance that all significant items will be adequately addressed during the IT audit process.

Audit evidence for CE elements may not be available in documentary form. In smaller entities in particular, communication between management and other personnel may be informal, yet effective. For example, management’s commitment to ethical values and competence is often implemented through the behavior and attitude management demonstrates in running the entity’s business rather than through a written code of conduct. Consequently, management’s attitudes, awareness, and actions are of particular importance in the design of a smaller entity’s CE. In addition, the role of those charged with governance is often undertaken by the owner/manager, especially where there are no other equivalent personnel within the entity.



December 9, 2011  10:39 PM

Auditing Business Continuity and Disaster Recovery – Part VII

Robert Davis

The primary drivers for organizational continuity assurance service planning are verifying that a continuity plan exists and assessing the continuity plan’s adequacy. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning, to comply with ISACA’s assurance standards and guidelines as well as other applicable attestation, audit, accounting, and IT standards. Neglecting adherence to standardized professional practices can result in unsupportable audit opinions.



December 6, 2011  8:32 PM

Auditing Business Continuity and Disaster Recovery – Part VI

Robert Davis

BCP audits normally have an organizational focus. ‘Organizational-based’ BCP audits examine deployed frameworks, managerial issues, and departmental activities. However, if during ‘organizational-based’ planning the IT auditor discovers that no BCP framework is deployed, the audit planner should consider using the COBIT Deliver and Support domain processes “Ensure Continuous Service,” “Manage Service Desk and Incidents,” and “Manage Problems” as baselines for setting detailed objectives. Partly reflecting those three COBIT processes, availability, compliance, effectiveness, and efficiency are the primary information criteria for a BCP audit, while confidentiality, integrity, and reliability should be treated as secondary information criteria, even when other audit measurement standards are included within the audit ambit.



December 2, 2011  8:53 PM

Auditing Business Continuity and Disaster Recovery – Part V

Robert Davis

The IT auditor’s primary purpose, when performing an audit of business continuity and/or disaster recovery, should be to identify, document, test, evaluate, and report on the controls, and the associated risks, related to the BCP and/or DRP processes from an IT perspective, as implemented by the entity, for achieving the relevant control objectives, both primary and secondary.

The BCP assurance process can be an individual audit area examination or an auditable unit examination for every IT function audit undertaken. During the IT audit planning process, all or segments of an entity’s deployed BCP related frameworks may be selected as auditable units. Furthermore, BCP audits may cross divisional, functional, or departmental demarcations.



November 29, 2011  8:44 PM

Auditing Business Continuity and Disaster Recovery – Part IV

Robert Davis

Although often referred to as disaster recovery plans, controls to ensure service continuity should address the entire range of potential disruptions. These include relatively minor interruptions, such as temporary power failures; major disasters, such as fires or natural disasters that would require reestablishing operations at a remote location; and errors, such as overwriting a critical file. If controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which in turn can cause financial losses, expensive recovery efforts, and inaccurate or incomplete information. For some operations, such as those involving health care or safety, system interruptions could also result in injuries or loss of life.



November 25, 2011  8:41 PM

Auditing Business Continuity and Disaster Recovery – Part III

Robert Davis

As with a business continuity plan (BCP), a disaster recovery plan (DRP) sets out the coordinated actions to be undertaken before, during, and after a disaster. A sound DRP is built from a comprehensive planning process involving all of the entity’s business processes. Disaster recovery strategies and supporting analyses include, but are not limited to:
 disaster insurance
 reciprocal agreements
 redundant data centers
 the use of alternate sites
 telecommunication links
 business impact analyses
 legal liabilities assessments



November 22, 2011  9:07 PM

Auditing Business Continuity and Disaster Recovery – Part II

Robert Davis

For most professionals, business continuity planning refers to the process of developing advance arrangements and procedures that enable an entity to respond to service interruptions in such a manner that critical business functions continue at projected levels. In other words, business continuity planning is the act of proactively devising a method to prevent, where possible, and to manage, where necessary, the consequences of a disaster, while limiting the consequences of the crisis to the extent that the entity can absorb the impact. Accordingly, though it often ranks in the lower half in importance, business continuity planning appears on most top-ten governance lists of strategic entity issues.



November 18, 2011  9:00 PM

Auditing Business Continuity and Disaster Recovery – Part I

Robert Davis

After a catastrophic incident or event, losing the capability to process, retrieve, and protect electronically maintained information can significantly affect an entity’s ability to accomplish its mission. For this reason, an entity should have (1) controls in place to protect information assets and minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruptions occur. Such plans should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by users of specific resources.


November 15, 2011  9:40 PM

Auditing Information Assets Protection – Part VIII

Robert Davis

Control environment scanning to produce a viable IT audit plan should be considered fundamental to planning an IT audit. The primary consideration regarding the control environment’s operating style is IT auditability. As in most audit situations, verifiability depends heavily on auditability. IT auditability considerations should precede deployment of integrated IT processes; in other words, auditability should be designed into IT and into the information provided to the audit areas. Consequently, the degree of auditability can assist or hinder an IT assurance effort, and in the worst case can postpone a planned audit.
