Reflecting ISACA standards and guidelines, the IT audit process should be replicated within for-profit and not-for-profit entities. Foundational assurance topics that should be considered from a management perspective are presented in the Information Technology Governance Institute’s monograph Information Security Governance: Guidance for Boards of Directors and Executive Management. However, an audit committee’s perceived mandate and mission may affect how the Information Security Governance (ISG) audit or review is approached. Furthermore, the ISG audit or review approach may diverge according to the scope and resources applied. Lastly, ISG audit or review evaluation criteria may also vary with the audit objectives. For example, the ISG audit assessment paradigm may be based on performance and/or compliance expectations.