CISM Certified Information Security Manager All-in-One Exam Guide by Peter H. Gregory

Author: Peter H. Gregory
Language: eng
Format: epub
Publisher: McGraw-Hill
Published: 2018-03-18T16:00:00+00:00


NOTE It is typically not the auditor’s role to describe how an audit finding should be remediated. Deciding the methods used to apply remediation is the role of auditee management.

Evaluating Control Effectiveness

When developing an audit report, the auditor needs to communicate the effectiveness of controls to the auditee. Often, this reporting is needed at several layers; for instance, the auditor may provide more detailed findings and recommendations to control owners, while the report for senior management may contain only the significant findings.

One method that auditors frequently use is the development of a matrix of all audit findings, where each audit finding is scored on a criticality scale. This helps the auditor to illustrate the audit findings that are the most important and those that are less important, in the auditor’s opinion. The auditor can also report on cases where an ineffective control is mitigated (fully or partially) by one or more compensating controls. For example, a system may not have the ability to enforce password complexity (e.g., requiring upper- and lowercase letters, plus numbers and special characters), but this can be compensated through the use of longer-than-usual passwords and perhaps even more frequent expiration.

Internal Audit

Internal audit is an audit of an organization’s controls, processes, or systems, and it is carried out by personnel who are a part of the organization. Many organizations have one or more people in an internal audit function.

Organizations that are serious about their commitment to an effective security program will commit resources to the internal audit function. External audit resources are far more costly; internal auditors, by contrast, become more familiar with internal processes and systems, can examine them more frequently, and can provide better feedback to others in the organization.

Some regulations and standards require organizations to conduct internal audits as part of required compliance efforts; examples include Sarbanes–Oxley and ISO/IEC 27001.

In U.S. public companies and in many other organizations, internal audit (IA) departments report to the organization’s audit committee or board of directors (or a similar “governing entity”). The IA department often has close ties with and a “dotted line” reporting relationship to finance leadership in order to manage day-to-day activities. An internal audit department will launch projects at the request and/or approval of the governing entity and, to a degree, members of executive management.

Regulations and standards play a large role in internal audit work. For example, public companies, banks, and government organizations are all subject to a great deal of regulation, much of which requires regular information systems controls testing. Management, as part of their risk management strategy, also requires this testing. External reporting of the results of internal auditing is sometimes necessary. Similarly, organizations that are ISO/IEC 27001 certified are required to carry out regular internal audit work to ensure that controls continue to be effective.

A common internal audit cycle consists of several categories of projects:

• Risk assessments and audit planning

• Cyclical controls testing (SOX, ISO/IEC 27001, and A-123, for example)

• Review of existing control structures

• Operational and IS audits

It is common
