IT Auditing. Using Controls to Protect Information Assets
Authors: Davis C. Schiller M. Wheeler K.
Published year: 2004
Pages: 25-28/159

Standards

As we conclude this chapter about the audit process, it is important to note that there are standards for the audit profession that should be adhered to as each company develops its audit process. On the website for the Institute for Internal Auditors (IIA) (http://www.theiia.org), you can find the International Standards for the Professional Practice of Internal Auditing. These standards should be reviewed and incorporated into your audit process. In addition, on the same website you will find the Code of Ethics for the auditing profession, which explains the requirements for integrity, objectivity, confidentiality, and competency as they apply to auditing.



Summary

In this chapter we learned that

  • Internal controls, stated in the simplest terms, are mechanisms that ensure the proper functioning of processes within a company. Controls can be preventive, detective, or reactive and have administrative, technical, and physical implementations.

  • It is important that your audit plan focus your auditors on the areas that have the most risk and on areas where you can add the most value. A comprehensive audit universe and effective ranking model are important elements to achieving this goal.

  • There are six key stages to an audit: planning, fieldwork and documentation, issue discovery and validation, solution development, report drafting and issuance, and issue tracking.

  • Some basic sources that should be referenced as part of each audit's planning process include handoff from the audit manager, preliminary survey, customer requests, standard checklists, and research.

  • During fieldwork and documentation, wherever possible, the auditors should look for ways to independently validate the information given to them and the effectiveness of the control environment.

  • If you work with your customers throughout the audit to validate issues and come to agreement on the risks those issues represent, then the conclusion of the audit will go much more smoothly and quickly.

  • Three common approaches are used for developing and assigning action items for addressing audit issues: the recommendation approach, the management-response approach, and the solution approach.

  • The essential elements of an audit report are the statement of the audit scope, list of issues along with action plans for resolving them, and the executive summary.

  • The audit is not truly complete until the issues raised in the audit are resolved.

In these first two chapters we have formed the foundation that will allow us to move on to Part II, which will provide details on how to audit specific processes and technologies.

Note 

If you're interested in further information on the audit process, 'Managing the Audit Function: A Corporate Audit Department Procedures Guide' by Michael P. Cangemi and Tommie Singleton is an excellent resource.



Part II: Auditing Techniques

Chapter List

Chapter 3: Auditing Entity-Level Controls
Chapter 4: Auditing Data Centers and Disaster Recovery
Chapter 5: Auditing Switches, Routers, and Firewalls
Chapter 6: Auditing Windows Operating Systems
Chapter 7: Auditing Unix and Linux Operating Systems
Chapter 8: Auditing Web Servers
Chapter 9: Auditing Databases
Chapter 10: Auditing Applications
Chapter 11: Auditing WLAN and Mobile Devices
Chapter 12: Auditing Company Projects



Chapter 3: Auditing Entity-Level Controls

Background

As mentioned earlier, entity-level controls are controls that are pervasive across an organization. In other words, they are the areas that you can audit once and feel confident that you have covered the topic for the whole company. This chapter covers the areas that the auditor generally should expect to see centralized. If the topics covered in this chapter are not centralized or at least centrally coordinated at your company, it should lead to questions as to their overall effectiveness. Most of these topics set the "tone at the top" for the IT organization and provide overall governance of the IT environment. If they are not centralized and/or standardized, it should cause the auditor to question the ability of the overall IT environment to be well controlled.

The problem is that there is no set definition of what is and is not an entity-level control, and it will vary by company, depending on how the IT environment is defined. An area that is an entity-level process at one company will not necessarily be an entity-level process at another company. However, there's really no mystery to it: it all comes down to what's centralized and pervasive at your company. If a critical IT process is centralized at your company, it is a good candidate for being covered in an entity-level controls review.

For example, in Chapter 4 we cover the topic of auditing data centers and disaster-recovery plans (DRPs). In that chapter we will discuss auditing areas such as physical security, environmental controls, system monitoring, etc. Many companies have multiple decentralized data centers, meaning that these controls are not centralized for those companies. However, there are also many companies that have one data center and one set of processes for executing the areas just mentioned. In those companies, areas such as physical security, environmental controls, and system monitoring would qualify as entity-level controls because they are centralized and pervasive. However, we will not cover those areas in this chapter because they are covered in Chapter 4. The point is that auditors must use judgment and knowledge of the company to determine what is and is not an entity-level control.

However, as mentioned earlier, the topics mentioned in this chapter generally should be centralized to a large degree because they provide for the core principles of IT governance. If these areas have been decentralized with no central coordination, the auditor should dig deep before signing off as to their effectiveness.

Put another way, the areas covered in this chapter should be considered the minimum for an entity-level controls review. Other areas (such as data center operations) might be added based on the environment at your company.

Note 

Strong IT entity-level controls form a foundation for the IT control environment within a company. They demonstrate that IT management is taking internal controls, risk management, and governance seriously. A strong overall control environment and attitude coming from the top tends to trickle down throughout the organization and lead to strong controls over decentralized processes and functions. Conversely, weak entity-level controls increase the likelihood that controls will be weak throughout the organization because upper management has not demonstrated and communicated to the organization that internal controls are valued. This generally leads to inconsistency at the lower levels because the personalities and values of lower-level managers will be the sole determining factors in how seriously internal controls are taken within the organization.

It is critical for upper management to communicate and set the tone that internal controls, risk management, and governance are valued and will be rewarded. Without this message, departments are more likely to focus on cutting costs, managing their budgets, and meeting their schedules, with no consideration given to internal controls.

