IT Governance, Risk, and Compliance


November 11, 2011  9:08 PM

Auditing Information Assets Protection – Part VII

Robert Davis

The primary drivers for IAP audit planning are verifying the existence and adequacy of safeguards and their risk management. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA's assurance standards and guidelines, as well as other applicable attestation, audit, accounting, and IT standards. Neglecting adherence to standardized professional practices can result in unsupportable audit opinions.


November 8, 2011  8:45 PM

Auditing Information Assets Protection – Part VI

Robert Davis

Alternatively, IAP may fall within the ambit of other IT audit areas. Under these circumstances, a 'functional-based', 'application-based', or 'compliance-based' examination may be appropriate. 'Functional-based' audits address identified processes as auditable units, which can include goals and objectives, ownership, repeatability, as well as roles and responsibilities. 'Application-based' audits address identified areas where IT is superposed to complete a task, and can accommodate completeness, accuracy, validity, authorization, and segregation of duties. Lastly, 'compliance-based' audits address adherence to externally and internally imposed entity requirements, which can encompass national laws and regulations as well as standards.



November 4, 2011  8:23 PM

Auditing Information Assets Protection – Part V

Robert Davis

Reflecting the COBIT "Ensure Systems Security" domain process, IAP confidentiality and integrity are the primary information criteria, while availability, compliance, and reliability are considered secondary information criteria, even when other audit measurement standards are included within the audit ambit. For instance, information privacy may be within the IAP audit ambit and considered a material or significant auditable unit. However, although compliance and effectiveness are primary information criteria for privacy, they should still remain secondary for the IAP audit if other distinct auditable units are identified.

Similar to IT governance assurance services, IAP can be examined as an individual audit area or as an auditable unit within every IT function audit undertaken. During the IT audit planning process, all or segments of an entity's deployed IAP-related frameworks may be selected as auditable units. Furthermore, IAP audits may cross geographical, divisional, functional, or departmental demarcations.



November 1, 2011  7:33 PM

Auditing Information Assets Protection – Part IV

Robert Davis

IAP audits normally have an operational focus addressing general controls. 'Operational-based' IAP audits examine audit area departmental personnel's adherence to policies and procedures while simultaneously evaluating the economy, effectiveness, and efficiency of assigned tasks, relative to the aforementioned control group. General IT controls can be classified to include organizational structures, hardware configurations, operating systems, physical facilities, development methodologies, change management, and operational continuity. However, if during 'operational-based' planning the IT auditor discovers that an IAP framework is not deployed, the audit planner should consider using the COBIT Deliver and Support "Ensure Systems Security" domain process as a baseline for setting detailed objectives.



October 28, 2011  8:30 PM

Auditing Information Assets Protection – Part III

Robert Davis

Usually, auditors who view IT security at an 'administrative control' abstraction level agree that such controls might be examined for the purpose of recommending managerial improvements. However, they do not consider IT security auditable unit examinations beyond access controls necessary for the purpose of forming an opinion on financial statements. Contrary to this 'administrative control' belief, when an IT security examination encompassing all aspects of IAP is performed as part of the financial statement audit, the IT security-related assessment is a comprehensive effort to evaluate the controls over, as well as the reliability and integrity of, reported financial data.



October 25, 2011  7:58 PM

Auditing Information Assets Protection – Part II

Robert Davis

Retrospectively, information security audits are a routine matter for internal auditors, but sometimes a controversial issue among external auditors. The controversy centers on the extent to which IT security controls are accounting controls rather than administrative controls. Though most external auditors accept access controls as accounting controls, there is a division of opinion when considering other IT security controls. For instance, among these other IT security controls, off-premise file storage, environmental protection mechanisms, and data processing insurance are treated as administrative controls by the external auditors who promote that position for these auditable units.



October 21, 2011  8:29 PM

Auditing Information Assets Protection – Part I

Robert Davis

An entity's failure to take proper safeguarding precautions can lead to major operational problems and substantial asset loss. Incidents recorded throughout the world continually reiterate that entities should not ignore information assets protection (IAP) risks, nor the need for processes that ensure IAP requirements and risks are adequately addressed. Information security governance (ISG) is a key element in helping entities provide a superior IAP program. Therefore, because IAP controls are usually inscribed within ISG (including identity management, vulnerability management, threat management, and encryption management), this deployable management tool resists dismissal as an inconsequential framework, methodology, or technique.


October 18, 2011  8:16 PM

Auditing Information Security Governance – Part VIII

Robert Davis

Evaluating whether IT solutions have an adequate level of IT security controls over IT resources requires a detailed understanding of principles and practices. Regarding audit staffing, potential ISG engagement members should have the appropriate seniority and proficiency. Generally, when ISG audit objectives involve a wide range of information system functions, assigned audit personnel should have extensive organizational knowledge and an understanding of the related processes. These audit personnel criteria can be satisfied through a combination of formal education, relevant certification, and/or professional experience.

If, after evaluating potential in-house audit engagement candidates, audit management determines that the IT audit function does not have the required skill set, outsourcing to a professional service provider may be considered to enable an ISG audit or review. For example, IT audit staff members may not have the appropriate business, technical, and/or framework knowledge to adequately perform a scheduled ISG audit in a timely manner. Hence, audit management may consider outsourcing the ISG audit to complete the scheduled engagement.



October 14, 2011  8:48 PM

Auditing Information Security Governance – Part VII

Robert Davis

An IT auditor should include in the audit ambit the relevant processes for planning, organizing, and monitoring information security activities. Furthermore, the audit ambit should include the control systems for the use and protection of the full range of IT resources defined by the COBIT framework. Specifically, people, information, applications, and infrastructure are the IT resources that should be addressed within the ISG audit ambit's control systems.

Critical to a viable ISG audit plan is the IT audit function's organizational status. Thus, the internal IT audit function's organizational status may become a factor in determining whether to proceed with an ISG audit or review. For instance, management may consider it inappropriate to grant internal IT auditors access to high-level business documents. Accordingly, organizational status may require hiring an independent third party to manage and perform the ISG audit or review.



October 11, 2011  7:51 PM

Auditing Information Security Governance – Part VI

Robert Davis

The primary drivers for ISG assurance planning are verifying the existence and adequacy of governance and its risk management. However, as with standard IT audits, an understanding of the general control environment, information systems, and control procedures should be obtained during engagement planning to comply with ISACA IT audit standards and guidelines.

Theoretically, the control environment (CE) epitomizes management's attitude, awareness, and actions. Demonstratively, integrity and ethical values, commitment to competence, management's philosophy and operating style, organizational structure, assignment of responsibility and authority, human resource policies and practices, budget formulation and execution, as well as control methods over compliance with laws and regulations, are representative CE characteristics. Within this context, the adopted information security program is normally an entity sub-divisional control system. Therefore, the entity's CE should be replicated within the information security CE.
