During a security audit of IT processes, an IT auditor found that there were no documented security procedures.
Since one of the main objectives of an audit is to identify potential risks, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization.
IT auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
Related Tags: IT audit, IT compliance, IT governance, CISA, CISM, Sarbanes-Oxley Act, HIPAA, ISO 27001