Tuesday, July 10, 2007

CISA Audit Process #16

The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

CISA Audit Process #15

The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.

Monday, July 9, 2007

CISA Audit Process #14

Calculation of a Business Risk - Risky Analysis

Overall business risk for a particular threat can be expressed as the product of the probability and the magnitude of the impact if a threat successfully exploits a vulnerability.
For example, suppose you lose some strictly confidential documents containing pricing and patent information for new products that your company is going to launch. What is the impact if they fall into the hands of competitors and, furthermore, the documents have not been encrypted?

Impact = 10 (high impact)
Probability = 0.9 (very likely)

Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)

