Summary of questions and important things to be mention from the IS Audit Webinar 26th of February 2012
Difference between Responsibility and Accountability:
Responsibility-someone takes care for,
Accountability – someone’s head is under the guillotine, if something goes wrong.
Audit a continuous process?
An (external) Audit is a project, as it has start date and end date.
Nevertheless there can be a Continuous Audit Initiative, raised by the internal audit department (Anm. interne Revision/Innenrevision)
Continuous Auditing Does Not Equal Continuous Monitoring
This difference has been identified and emphasized by the ISACA Standards Board.6 CA and CM may be defined as:
• CA—A methodology used by auditors, typically assisted by technology, to perform audit procedures and issue assurance on a continuous basis (e.g., weekly, monthly)
• CM—A process put in place by management, usually automated, to determine on a recurring and repetitive basis (e.g., weekly, monthly) if activities are in compliance with policies and procedures implemented by management
Why COBIT is not an Audit Methodology itself, but where it might be helpful – and for all ISACA Exams a brief overview of COBIT is necessary upfront Courses/Classes and for sure the EXAM itself.
Same for PMBOK – but brief overview is good enough – no deep knowledge is necessary and CMM(I) is thought throughout the courses/classes – at a level necessary for the exam, of course.
COBIT might be real helpful for assessment programme (eg. CSA/RCSA)
The COBIT Assessment Programme is a COBIT-based approach that enables the evaluation of selected IT processes. The assessment results provide a determination of process capability and can be used for process improvement, delivering value to the business, measuring the achievement of current or projected business goals, benchmarking, consistent reporting and organizational compliance.
The process capability is expressed in terms of attributes grouped into capability levels and the achievement of specific process attributes as defined in ISO/IEC 15504-2. Processes can be assessed individually or alternatively in logical groups. As such, scoping areas have been defined based on previously developed mappings, published by ISACA, which will allow for focused assessments. These scoping areas include:
• Capability of IT processes to support cloud services
• Capability of IT processes to support achievement of IT and business goals
• Capability of IT processes to support SOX compliance
• Capability of IT processes to support the enterprise governance of IT **
Assessment reports will include the level of capability achieved, the processes needing improvement and recommendations for improvement.
COBIT Practitioner Classes can be taken eg. at ISACA Germany Chapter e.V.
** if you are interested in Enterprise Governance of IT go for CGEIT Exam.
SO what’s the difference between an ongoing audit process and “controlling”?
An Audit can be about auditing Controls – either the right in place, if they are working etc.
An example you find on ISACA Website about Audit Application Security Controls
Prerequisites for Auditing Application Security
Application Security Layers
1. Operational layer—This is the core of application security and is generally controlled through the security module of the application.
2. Tactical layer—This is the next management layer above the operational layer. This includes supporting functions such as security administration, IT risk management and patch management.
3. Strategic layer—This layer includes the overall information security governance, security awareness, supporting information security policies and standards, and the overarching IT risk management framework.
Operational Layer includes eg.
User accounts and access rights
Real important! Segregation of duties (SoD)
Segregation of duties is defined as:
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals responsibility for initiating and recording transactions and custody of assets to separate individuals.1
Risks Associated With Failure/Weak Application Security Controls
Standards and Guidance
Some of the standards and guidance that are available on application security are:
• Control objectives for application security are more specifically defined in COBIT® 4.1, including DS5.3 Identity management, DS5.4 User account management and DS5.5 Security testing, surveillance and monitoring.3
• ITAF™: A Professional Practices Framework for IT Assurance4 provides more guidance (including value drivers and risk drivers) on how to use COBIT to support the IT assurance/audit activities relevant to managing security.
• ISACA® has published IT Audit and Assurance Guideline G38, Access Controls,5 which is as a valuable reference for auditing application security.
• The Payment Card Industry (PCI) Data Security Standard (DSS)6 has prescribed two security compliance requirements that are specifically relevant to application security: Security Principle 6, ‘Develop and maintain secure systems and applications’ and Security Principle 8, ‘Assign a unique ID to each person with computer access’.
• The ISO/IEC NP 27034 ‘Guidelines for application security’ was under development at the time of this writing.
Objectives and benefits of audits?
Objectives, Scope and Authority of IT Audit and Assurance Standards
Can be downloaded here (2.5 Meg) http://www.isaca.org/Knowledge-Center/Standards/Documents/ALL-IT-Standards-Guidelines-and-Tools.pdf
A practical example is about objectives of Exchange 2010 Audit:
Table of Contents
I. Introduction 4
II. Using This Document 5
III. Assurance and Control Framework 8
IV. Executive Summary of Audit/Assurance Focus 9
V. Audit/Assurance Program 14
1. Planning and Scoping the Audit 14
2. Preparatory Steps 16
3. Governance 18
4. Server Configuration 25
5. Network 34
6. Contingency Planning 34
VI. Maturity Assessment 38
VII. Maturity Assessment vs. Target Assessment 43
Appendix I. Exchange Server 2010—Server Roles 44
Appendix II. Exchange Server 2010 Transport Pipeline—Schematic 45
Appendix III. Specimen Exchange Server Management Role Hierarchy 46
More about and the possibility to download (members) or purchasing the book you can find here
a example about audit benefit is not directly the audit itself but like described here a assurance programme about using Social Media
Objective—The objective of the social media audit/assurance review is to provide management with an independent assessment relating to the effectiveness of controls over the enterprise’s social media policies and processes.
Scope—The review will focus on governance, policies, procedures, training and awareness functions related to social media. Specifically, it will address:
• Strategy and governance—policies and frameworks
• People—training and awareness
Table of Contents
I. Introduction 5
II. Using This Document 6
III. Controls Maturity Analysis 9
IV. Assurance and Control Framework 10
V. Executive Summary of Audit/Assurance Focus 11
VI. Audit/Assurance Program 14
1. Planning and Scoping the Audit 14
2. Strategy and Governance 15
3. People 19
4. Processes 22
5. Technology 24
VII. Maturity Assessment 26
VIII. Assessment Maturity vs. Target Maturity 30
it can be downloaded here (Member) http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Audit-Programs/Documents/WAPSM-Social-Media-Research-1Feb2011.doc
or purchased at ISACA
Any more questions? email:firstname.lastname@example.org
Or leave a comment here – http://pm-webinare.com/?p=145 any valuable input is appreciated.
We will come back to you as soon as possible!