CISA Audit Process #16
The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.
Related Tags: Risk Assessment, ISO 27001, SOX, IT Compliance, IT Audit, IT risk assessment, Audit, Operational Audit, Process Audit

Tuesday, July 10, 2007
CISA Audit Process #15
The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
Related Tags: CISA, CISM, CISSP, SOX, IT Compliance, ISO 27001
Monday, July 9, 2007
CISA Audit Process #14
Calculation of a Business Risk - Risk Analysis
Overall business risk for a particular threat can be expressed as the product of the probability and the magnitude of the impact if a threat successfully exploits a vulnerability. For example: if you lose some strictly confidential documents containing pricing and patent information for new products your company is about to launch, and the documents have not been encrypted, what is the impact if they fall into the hands of competitors?
Impact = 10 (high impact)
Probability = 0.9 (very likely)
Therefore the risk factor is 10 * 0.9 = 9 (very high risk factor)
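The same probability-times-impact formula applied to a small risk register, so several threats can be scored and ranked rather than one at a time. This is an added example, not part of the original post; the threat names, probabilities and impact values are constructed, and the 1..10 impact scale and [0, 1] probability range are assumptions taken from the post's own numbers.

```python
"""Risk factor = probability x impact, applied to a constructed risk
register and ranked so the highest-risk threats are treated first."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood in [0, 1] that the threat exploits a vulnerability
    impact: int         # magnitude of impact on a 1..10 scale (10 = high)


def risk_factor(probability: float, impact: int) -> float:
    """Overall business risk = probability * impact (the post's formula)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    if not 1 <= impact <= 10:
        raise ValueError(f"impact must be on a 1..10 scale, got {impact}")
    return round(probability * impact, 2)


def rank_threats(threats):
    """Return (name, risk_factor) pairs, highest risk first."""
    scored = [(t.name, risk_factor(t.probability, t.impact)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed register; the first row is the post's own example.
REGISTER = [
    Threat("unencrypted pricing/patent documents reach a competitor", 0.9, 10),
    Threat("laptop lost in transit, disk encrypted", 0.3, 4),
    Threat("public web server defaced", 0.5, 3),
]

if __name__ == "__main__":
    for name, rf in rank_threats(REGISTER):
        print(f"{rf:>5}  {name}")
```

The range checks matter in practice: a probability entered as a percentage (90 instead of 0.9) silently inflates every score, so the function rejects it instead of ranking on bad input.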
Related Tags: IT security, Risk, Risk Analysis, Impact Analysis, Risk Factor, Compliance, ISO 27001, SOX
Friday, June 29, 2007
CISA Audit Process #13
Data Flow Diagrams
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
An IT auditor will always need some data flow diagrams from the auditee to verify the confidentiality, integrity and availability compliance of the organisation being audited.
Related Tags: IT audit, IT governance, Compliance, ISO 27001, SOX, HIPAA, PCI, Data Confidentiality
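A data flow diagram is just a directed graph, so the tracing the post describes (origin to destination, highlighting the stores on the way) can be done mechanically. The following is an added example, not part of the original post: it models a small constructed DFD as edges labelled with the data they carry, enumerates every path a labelled flow takes, and reports which data stores hold that data without encryption at rest, which is the kind of confidentiality finding the auditor is looking for. Node names, labels and the encrypted-store list are all constructed.

```python
"""Trace a data flow diagram from origin to destination and list the stores
each flow passes through; flag stores that hold the data unencrypted."""

from collections import defaultdict

# DFD as directed edges: (source, destination, data label). Constructed example.
EDGES = [
    ("Sales rep", "Quote process", "pricing"),
    ("Quote process", "Quote DB", "pricing"),
    ("Quote DB", "Export job", "pricing"),
    ("Export job", "Partner portal", "pricing"),
    ("Export job", "Backup store", "pricing"),
    ("HR", "Payroll process", "salary"),
    ("Payroll process", "Payroll DB", "salary"),
]
# Data stores (the open rectangles in a DFD) and which of them encrypt at rest.
STORES = {"Quote DB", "Backup store", "Payroll DB"}
ENCRYPTED_STORES = {"Quote DB", "Payroll DB"}


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, label in edges:
        graph[src].append((dst, label))
    return graph


def trace_paths(edges, origin, label):
    """Every path the labelled data takes from origin to a terminal node.
    Nodes already on the current path are skipped, so cycles terminate."""
    graph = build_graph(edges)
    paths = []

    def walk(node, path):
        nxt = [(d, l) for d, l in graph.get(node, []) if l == label and d not in path]
        if not nxt:
            paths.append(path)
            return
        for dst, _ in nxt:
            walk(dst, path + [dst])

    walk(origin, [origin])
    return paths


def unencrypted_stores_on_path(edges, origin, label):
    """Stores that hold the labelled data without encryption at rest."""
    stores = set()
    for path in trace_paths(edges, origin, label):
        stores.update(n for n in path if n in STORES and n not in ENCRYPTED_STORES)
    return sorted(stores)


if __name__ == "__main__":
    for path in trace_paths(EDGES, "Sales rep", "pricing"):
        print(" -> ".join(path))
    print("unencrypted stores:", unencrypted_stores_on_path(EDGES, "Sales rep", "pricing"))
```

Note that the traversal follows the flow's own direction, not any hierarchy: the backup store appears as a destination only because an edge carries pricing data into it, which is exactly the detail a DFD makes visible and an org chart does not.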
Saturday, May 5, 2007
CISA Audit Process #12
IT Application Audit
The objectives of an IT application audit are to evaluate:
The efficiency of the application in meeting the business processes
The impact of any exposures discovered
The business processes served by the application
The application's optimization
However, if an IT auditor is performing a review of an application's controls, it involves the evaluation of the application's automated controls and an assessment of any exposures resulting from control weaknesses.
Related Tags: IT Audit, IT governance, Application Audit, IT controls, SOX, ISO27001, Business Continuity
Thursday, May 3, 2007
CISA 2007 - Audit Process # 11
Auditing Inventory Applicaton
In an audit of an inventory application, the approach which would provide the BEST evidence that purchase orders are valid is testing whether inappropriate personnel can change application parameters.
Tracing purchase orders to a computer listing and comparing receiving reports to purchase order details are after-the-fact approaches.
Reviewing the application documentation will not give the actual scenario, as it is only theory.
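What "testing whether inappropriate personnel can change application parameters" looks like when carried out against a system, as an added example that is not part of the original post. The inventory application is modelled as an in-memory parameter table with a role allow-list and an audit log (all constructed; the role and parameter names are assumptions), and the control test records a finding whenever the observed outcome of an attempted change differs from the expected one.

```python
"""Control test: can inappropriate personnel change application parameters?
Constructed model of an inventory application's parameter table."""

from datetime import datetime, timezone

# Authorisation matrix: which roles may change which parameter (constructed).
ALLOWED = {
    "po_approval_limit": {"finance_manager"},
    "vendor_master_lock": {"procurement_admin"},
}
PARAMETERS = {"po_approval_limit": 5000, "vendor_master_lock": True}
AUDIT_LOG = []


class NotAuthorised(Exception):
    pass


def change_parameter(user, role, name, value):
    """Apply a parameter change only if the role is allowed; log every attempt,
    denied ones included, so the audit trail shows who tried what."""
    permitted = role in ALLOWED.get(name, set())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "param": name, "value": value,
        "outcome": "applied" if permitted else "denied",
    })
    if not permitted:
        raise NotAuthorised(f"{role} may not change {name}")
    PARAMETERS[name] = value
    return PARAMETERS[name]


def control_test(attempts):
    """attempts: (user, role, param, value, should_succeed) tuples.
    Returns a list of findings; an empty list means the control held."""
    findings = []
    for user, role, name, value, should_succeed in attempts:
        try:
            change_parameter(user, role, name, value)
            succeeded = True
        except NotAuthorised:
            succeeded = False
        if succeeded != should_succeed:
            verb = "could" if succeeded else "could not"
            findings.append(f"{role} {verb} change {name}")
    return findings


# Constructed test cases: one legitimate change and two that must be refused.
TEST_CASES = [
    ("alice", "finance_manager", "po_approval_limit", 6000, True),
    ("bob", "warehouse_clerk", "po_approval_limit", 999999, False),
    ("carol", "warehouse_clerk", "vendor_master_lock", False, False),
]

if __name__ == "__main__":
    print("findings:", control_test(TEST_CASES) or "none")
    for entry in AUDIT_LOG:
        print(entry["outcome"], entry["user"], entry["param"])
```

The test exercises the control directly rather than reading about it, which is why it gives better evidence than documentation review; the audit log it leaves behind is also what the after-the-fact approaches in the post would later have to rely on.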
Related Tags: IT audit, IT compliance, IT governance, IT security, SOX, ISO 27001, Encryption
Tuesday, May 1, 2007
Audit Process #10
Computer Forensic Software
Computer forensic software is only utilised if there is a need to collect digital evidence from information processing devices such as laptops, computers, PDAs etc. in order to press charges for fraud, cheating and other computer-related crimes.
Computer forensic software is most useful for preservation of the chain of custody for electronic evidence.
Good computer forensic software should be efficient, effective, and time- and cost-saving.
Another characteristic of computer forensic software is that it is able to search for violations of intellectual property rights.
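The chain-of-custody preservation the post mentions rests on one mechanism: hash the evidence once at acquisition, record every handover, and re-verify the hash at each step so any alteration after acquisition is detected and attributable to a point in the log. The following is an added example, not part of the original post or of any forensic product; the evidence bytes, handler names and record layout are constructed.

```python
"""Chain-of-custody record for electronic evidence: hash at acquisition,
log every handover, re-verify the hash each time. Constructed example."""

import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    def __init__(self, evidence_id: str, data: bytes, acquired_by: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(data)  # the reference value
        self.entries = []
        self._log("acquired", acquired_by, data)

    def _log(self, action, handler, data):
        current = sha256_hex(data)
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "hash": current,
            "intact": current == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def transfer(self, to_handler: str, data: bytes) -> bool:
        """Record a handover; returns False if the evidence no longer matches
        the acquisition hash (the log entry is kept either way)."""
        return self._log("transferred", to_handler, data)["intact"]

    def is_intact(self) -> bool:
        return all(e["intact"] for e in self.entries)

    def first_break(self):
        """The entry at which the evidence first stopped matching, or None."""
        return next((e for e in self.entries if not e["intact"]), None)


# Constructed stand-in for an acquired disk image.
EVIDENCE = b"sample disk image bytes: invoice_2007.xls pricing.doc patents.pdf"


def demo() -> CustodyRecord:
    record = CustodyRecord("EV-001", EVIDENCE, "field examiner")
    record.transfer("evidence locker", EVIDENCE)          # unchanged: intact
    altered = EVIDENCE.replace(b"patents", b"removed")    # simulated alteration
    record.transfer("analyst", altered)                   # hash mismatch logged
    return record


if __name__ == "__main__":
    r = demo()
    for e in r.entries:
        print(e["action"], e["handler"], "intact" if e["intact"] else "ALTERED")
```

Because every entry carries its own hash, the record shows not just that the evidence was altered but between which two handlers it happened, which is what a court will ask about when custody is challenged.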
Related Tags: IT compliance, IT governance, IT audit, IT Forensic, ISO 27001, IT risks