IT Governance, Risk, and Compliance

Oct 7 2011   8:59PM GMT

Auditing Information Security Governance – Part V

Robert Davis

ISG audits normally have an organizational focus. ‘Organizational-based’ ISG audits and reviews examine deployed frameworks, managerial issues, and departmental activities. However, if during organizational-based planning the IT auditor discovers that no governance framework is deployed, the audit or review planner should utilize the Control Objectives for Information and related Technology (COBIT) framework as the minimum basis for setting detailed objectives.

Alternatively, ISG may fall within the ambit of other IT audit areas. Under these circumstances, a ‘results-based’ audit may be appropriate. However, if the audit unit developed an entity’s performance measurement system, the audit unit would not be deemed independent in conducting a performance audit to evaluate whether that system was adequate. Quantitatively, results-based audits can address performance issues by utilizing goal and performance indicators as measurement standards. Qualitatively, results-based audits can also provide assessments of the audit area’s governance knowledge and practices. Whatever results-based audit measurement standards are utilized, ISG effectiveness remains the primary audit objective for the auditable unit.

View Part I of the Auditing Information Security Governance series here
