Practical IT Audit
How to Audit?
Problems
Policies > not operational
Processes > not followed
Solve Problems
Compliance > Policies, Regulation, LAW
Form Tools > CASE, CAAT
Continuous Auditing
Accounting & Financial IT
IT&IS Auditor
IS Auditor
Planning IT Audit
IT & IS Auditor > Business Environment > Business Impact
Risk Assessment
Threats x Assets x IT Processes = Vulnerabilities >> Risk
Auditing Plan
Control Objective > IT Control (Administrative Control, Management Control, Operation Control) Time & Resources
Dictionary
Control Objective
ISO 27001
IT Control
Administrative Control > Function
Management Control > Roles
Policies
Effect of Risk
Preventive Risk, Detective Risk, Corrective Risk
Example > Back up > Control Objective > Administrative Control, Management Control
IT Audit
(preliminary review) > (detail review) > (compliance testing) > (substantive testing)
Compensating Controls
System > Components > Sub Systems
Sub systems: Management Sub System, Application Sub System, Administrative Sub System
Components: Hardware, Software, People, Transmission media, Processing
Preventive control
Expected Loss = probability of unlawful event x amount of loss
Board of Directors > Goals of Internal Control > Management Controls:
- asset safeguarding
- maintaining data integrity
- achieving system effectiveness and efficiency
Management > Systems > Subsystems > Components (Risks, Threats)
A subsystem is reliable only if the components that perform the basic activities are reliable
Average Loss Expected = Expected Frequency x Average Loss
Use Controls to:
- Reduce Frequency
- Reduce Loss: Minimize Amount Subject to Loss, Minimize Impact of Loss
Control types: Authenticity controls, Accuracy controls, Completeness controls, Redundancy controls, Privacy controls, Audit trail controls, Existence controls, Asset safeguarding controls, Effectiveness controls, Efficiency controls
Type of Document
QM > Quality Management > Policies
QP > Quality Procedures > Processes
WI > Work Instruction (Processes)
F > Form > Read/Write
SD > Support Document > Read > example: document, manual, report
Control Document
Code | Description | Version control | Example
Version control examples: QM-07-01-rev1, QM-07-01-01, QM-07-0001 > QM-07-0002 > Master list (RFC > STD, FYI, BCP)