Excellent article, covering waaay more than I expected.
Although 'of course' I would have quite some sideline comments, like the findings not being required to be in the format listed (rather, C-C-Remainder risk-Cause-Recommendation works better with those responsible), and links to resources like ISACA and others might have helped, I think this is a very worthwhile overview of what audits are about.
Thanks for probably taking away much subconscious fear... The uncertainty and doubt, well, will be brought back in by the auditors ...? ;-)
You also need to include the work that goes in the beginning, such as defining the Audit universe, the risk & frequency models, determining those areas of greatest risk or concern to the company. These things help define those areas or subjects for auditing, which can then be scoped out.
Though this article does not include a description of the auditor's planning process, that topic is covered in a book I wrote for the Information Systems Audit and Control Association: Stepping Through the IS Audit, A Guide for Information Systems Managers, 2nd Edition. Published in 2005, it is now free online to ISACA members, and also available to non-members at the ISACA online bookstore or Amazon.
Information Systems Audit: The Basics
What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step.