
Internal Audit?

An internal audit is a fundamentally independent function that evaluates an organization’s
operations, internal controls, and risk management processes with the aim of improving the
organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect
evidence, test controls, and read policies to understand the environment and validate that
controls and processes are working — and working well.

The Difference Between Internal and External Audits

The essential difference between internal audits and compliance audits, sometimes referred to as
external audits, is who performs the audit. Internal audits, as the name indicates, are performed
by internal auditors who are employed by the business. Compliance audits are performed by
independent, third-party, or external auditors, often certified in the audit that is being performed.

The Benefits of an Effective Internal Audit

Internal audits provide many benefits to an organization, giving management and leadership
another lens through which to look at the organization. While external compliance audits are
essential, they often have a specific scope and aim — PCI DSS, for example, zooms in on credit
cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to
focus on those areas that are a priority, or areas that may not be looked at in a formal compliance
audit.

Internal audits give advantages to organizations pursuing external audits as well as preparing
stakeholders and process owners for future audits. Findings from internal audits can be addressed
quickly; observations can give management greater insight into the business, people, technology,
and processes. Impetus from internal audit reports can encourage optimization, saving the
organization in costs and ultimately improving the customer’s experience.

So, how can an organization plan for a successful internal audit? Read on for our checklist!

Internal Audit Checklist

The steps to preparing for an internal audit are 1) initial audit planning, 2) involve risk and
process subject matter experts, 3) frameworks for internal audit processes, 4) initial document
request list, 5) preparing for a planning meeting with business stakeholders, 6) preparing the
audit program, and 7) audit program and planning review.

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why a given project
is part of the internal audit program. The following questions should be answered and approved
before fieldwork begins:

Why was the audit project approved to be on the internal audit plan?

How does the process support the organization in achieving its goals and objectives?

What enterprise risk(s) does the audit address?

What is the overall audit schedule, and how does this project fit into the plan?

Was this process audited in the past, and if so, what were the results of the previous
audit(s)?

Were audit findings or nonconformities investigated and remediated according to the action
plan?

Have there been significant changes in the process recently or since the previous audit?

What is the scope of the project, and what specific requirements need to be met for a
successful outcome?

Additionally, participants in the project should review the audit report and audit results to refresh
their understanding of the environment, scope, and project parameters. The team may also want
to review any standards, frameworks, and regulatory requirements relevant to the project or
program. Reporting on internal audit objectives should be delivered to top management
periodically — quarterly or biannually is common depending on the size and complexity of the
business.

2. Involve Risk and Process Subject Matter Experts

Performing an audit based on internal company information is helpful to assess the operating
effectiveness of the process’s controls. However, for internal audits to keep pace with the
business’s changing landscape, and to ensure key processes and controls are also designed
correctly, seeking out external expertise is increasingly becoming a best practice, even when a
formal external audit is not required.

Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and
KPMG) and other consulting providers to supplement risk management and internal audit
programs. These consultants can provide additional guidance, insight, and clarity on specific
regulatory requirements, information security, and business processes. When contracting with
consultants, be sure to disclose any other consulting relationships you may have with that firm or
company, as there may be independence considerations that the consulting firm has to take into
account.

In terms of fostering talent, skills, and development, internal audit professionals should stay
abreast of current trends, topics, and themes in their industry. The following resources can help
audit professionals understand the present landscape and augment their knowledge:

Recent articles from WSJ.com, HBR.org, or other leading business periodicals

Newsletters and updates from the AICPA, ISACA, ISO, NIST, and other similar organizations

Relevant blog posts from Deloitte Insights, EY Insights, The Protiviti View, RSM’s Blog, or
The IIA’s blogs

[Image: The Institute of Internal Auditors (IIA) Competency Framework for Internal Audit
Professionals. Source: The IIA Competency Framework for Internal Audit Professionals]

All of these resources can be leveraged to identify relevant risks, inform internal audit
procedures, and encourage continuous improvement in your internal audit program. Having the
right people and talent in place to perform the necessary audit activities is critical to your
program’s success, and pulling in additional resources in the midst of an audit can be tough. By
lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.

3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)

Collating guidance from the Institute of Internal Auditors (IIA), the International Professional
Practices Framework (IPPF) contains both mandatory and best practice recommendations. The
IPPF aims to support the overall mission, “To enhance and protect organizational value by
providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF
are the: Core Principles for the Professional Practice of Internal Auditing, Definition of Internal
Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal
Auditing.
In addition to the IIA, organizations like ISACA can also provide guidance around internal audit
processes.

4. Frameworks for Internal Audit Processes: COSO ICIF

Although a risk-based approach to internal auditing can and should result in a bespoke internal
audit program for each organization, taking advantage of existing frameworks like the Committee
of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control —
Integrated Framework to inform your program can be a win for your internal audit team and avoid
reinventing the wheel. Before applying a certain framework, the internal audit team and
leadership should evaluate the suitability of that framework as they map to the business.

While used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal
auditors can also leverage COSO’s 2013 Internal Control — Integrated Framework (ICIF) to create
a more comprehensive audit program. COSO’s ICIF focuses on fraud, internal controls, and
financial reporting, while covering subjects like the overall Control Environment of the
organization, Information, and Communication, and Risk Management. Since COSO’s ICIF was
designed to address SOX, which is a U.S. statute, publicly traded companies based in the US may
benefit the most from employing this framework as part of their internal audit program.

Review COSO’s 2013 Internal Control components, principles, and points of focus here.

5. Initial Document Request List

The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL”
is one of the central documents of any audit. The Request List is an evolving list of requests which
may cover everything from interview scheduling, evidence requests, policy and procedures,
reports, supporting documentation, diagrams, and more with the purpose of providing auditors
with the information and documents they need to complete the audit program for the designated
projects or processes.

Requesting and obtaining documentation on how processes work is an obvious next step in
preparing for an audit. These requests should be delivered to stakeholders as soon as possible in
the audit planning process to give stakeholders (with day jobs!) time to provide the right
evidence. As requests come in, the internal audit team should be reviewing documented
information for any follow-ups, and periodically updating the request list as items get closed out.
The following requests should be made in order to gain an understanding of processes, relevant
applications, and key reports:

All policies, procedure documents, workflow diagrams, and organization charts

Key reports used to manage the effectiveness, efficiency, and process success

Access to key applications used in the process; read-only if possible

Description and listing of master data for the processes being audited, including all data
fields and attributes

From the listings received of master data, auditors can then make detailed sampling selections to
test that processes and controls are being performed effectively, as designed, every time.

6. Preparing for a Planning Meeting With Business Stakeholders

Before meeting with business stakeholders, the internal audit committee should hold a meeting
in order to confirm a high-level understanding of the objectives of the audit plan and program(s),
key processes and departments, and the fundamental roadmap for the audit.

Then, after aligning some ducks internally, the audit team should also schedule and conduct a
planning meeting with business stakeholders for the scoped processes. This keeps everyone on
the same page, and gives business personnel the time and opportunity to coordinate audit efforts
with their business units. The following steps should be performed to prepare for a planning
meeting with business stakeholders:

Outline key process steps by narrative, flowchart, or both, highlighting information inflows,
outflows, and internal control components.

Validate draft narratives and flowcharts with subject matter experts and stakeholders (if
possible).

Develop an agenda or questionnaire for all meetings internally or with business stakeholders.

Preparing the questionnaire after performing the initial research sets a positive tone for the audit,
and demonstrates that internal audit is informed and prepared. Planning, preparedness, and
cooperation are critical to achieving audit objectives and gleaning deeper insights from the audit.

7. Preparing the Audit Program

Once the internal audit team has completed initial planning, consulted with SMEs, and
researched the applicable frameworks, they will be prepared to create an audit program. Audit
teams can leverage past audit programs to better design present and future procedures. An audit
program should detail the following information:

Summary and Purpose of the Audit Program

Since internal audit reports are usually designed for the consumption of leadership and
management, providing an executive summary of the audit program and outcomes gives the
audience a snapshot of the audit and results.

Process Objectives and Owners

When completing the audit program, documenting the process objectives and tying each process
to owners designates accountability.

Process Risks

Along with the process objectives and owners, the risks associated with the process should also be
noted.

Controls Mitigating Process Risks

Once details about the process, including risks, are documented, the audit team should identify
and map the mitigating controls to the risks that they address. Compensating controls can also be
noted here.

Control Attributes

Control attributes are the components and characteristics of the control activity that are critical
to the effective execution of that control. Asking the following questions and documenting the
results is a good starting point — though some controls may have unique or uncommon
attributes as well.

Is the control preventive or detective? If the control is detective, are there corrective actions
required as part of completing the control?

How frequently does the control occur (e.g. many times a day, daily, weekly, monthly,
quarterly, annually, etc.)?

What type of risk does the control mitigate (fraud, operational, security, etc.)?

Is the control manually performed, performed by an application, or a combination?

How likely is the risk to be realized (e.g. Highly Likely, Likely, Unlikely)?

How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low
Impact)?

What evidence does the audit team need to complete audit testing procedures?

Testing Procedures and Methods for Controls to be Tested During the Audit

There are four ways to test controls as part of an audit. Many times, these methods must be
combined to fully and completely test a control. These four methods are as follows:

Inquiry, or asking how the control is performed

Observation, or viewing the control being performed, typically in real time

Inspection, or reviewing documentation evidencing the control was performed

Re-performance, or independently performing the control to validate outcomes

A comprehensive audit program contains sensitive information about the business. Access to the
full audit program(s) should be restricted to appropriate personnel only, and only shared when
approved.

8. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before, should have
multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The
following individuals should review and approve the initial audit program and internal audit
planning procedures before the start of fieldwork:

Internal Audit Manager or Senior Manager

Chief Audit Executive

Subject Matter Expert(s)

Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who take a risk-based approach, create and document audit programs from
scratch — and do not rely on template audit programs — will be more capable and equipped to
perform audits over areas not routinely audited. When internal audit teams can spend more of
their time and resources aligned to their organization’s key objectives, internal auditor job
satisfaction increases as they take on more interesting projects and have an effect on the
organization. The Audit Committee and C-suite may become more engaged with internal audit’s
work in strategic areas. Perhaps most importantly, recommendations made by internal audit will
have a more dramatic impact to enable positive change in their organizations.

Internal Audit Checklist
[Insert classification]

Internal Audit Checklist

AUDIT

AUDIT SCOPE

AUDITOR(S)

DATE OF AUDIT

4 Context of the Organisation

4.1 Understanding the organisation and its context

Recommended Questions | Audit Findings | Evidence Reviewed
1. What are the internal and external issues that are relevant to the ISMS?
2. How do they affect its ability to achieve its intended outcome?

4.2 Understanding the needs and expectations of interested parties

Recommended Questions | Audit Findings | Evidence Reviewed
1. Who are the interested parties?
2. What are their requirements?
3. How have their requirements been established?

4.3 Determining the scope of the ISMS

Recommended Questions | Audit Findings | Evidence Reviewed
1. What is the ISMS scope?
2. How is it defined?
3. Is it reasonable?
4. Does it consider relevant issues and requirements?
5. Does it consider how the organization interacts with other organizations?
6. Is the scope documented?

ISMS-FORM-09-4 Version 1 Page 6 of 29



5 Leadership

5.1 Leadership and Commitment

Recommended Questions | Audit Findings | Evidence Reviewed
1. Who is defined as top management within the scope of the ISMS?
2. How does top management demonstrate leadership and commitment?
3. Are information security policies and objectives established?
4. Are enough resources allocated to the ISMS?
5. How does top management communicate to everyone involved in the ISMS?

5.2 Policy

Recommended Questions | Audit Findings | Evidence Reviewed
1. Can I review the information security policy?
2. Is it appropriate and does it cover the required areas?
3. Does it include the required commitments?
4. How has it been communicated and distributed and to whom?


5.3 Organizational roles, responsibilities and authorities

Recommended Questions | Audit Findings | Evidence Reviewed
1. What are the roles within the ISMS?
2. Does everyone understand what their responsibilities and authorities are?
3. Who has the responsibility and authority for conformance and reporting?


6 Planning

6.1 Actions to address risks and opportunities

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is there a documented risk assessment process?
2. Does it address risk acceptance criteria and when assessments should be done?
3. What is the most recent risk assessment?
4. Does it identify a reasonable set of risks and specify owners?
5. Are the likelihood and impact of risks assessed appropriately and risk levels determined?
6. How are the risks then evaluated and prioritized?
7. Is there a documented risk treatment process?
8. Review the most recent risk treatment plan.
9. Are reasonable risk treatment options selected?
10. Are the controls chosen to treat the risks stated clearly?
11. Has a Statement of Applicability been produced and are inclusions and exclusions reasonable?
12. Has the risk treatment plan been signed off by the risk owners?


6.2 Information security objectives and planning to achieve them

Recommended Questions | Audit Findings | Evidence Reviewed
1. Are there documented information security objectives?
2. Do the objectives comply with section 6.2 (a) to (e)?
3. Is there a plan to achieve the objectives?
4. Are all the elements in 6.2 (f) to (j) included?


7 Support

7.1 Resources

Recommended Questions | Audit Findings | Evidence Reviewed
1. How are the resources needed for the ISMS determined?
2. Are the required resources provided?

7.2 Competence

Recommended Questions | Audit Findings | Evidence Reviewed
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the ISMS been established?
3. What actions have been identified to acquire the necessary competence?
4. Have they been completed and is there evidence of this?

7.3 Awareness

Recommended Questions | Audit Findings | Evidence Reviewed
1. What approach has been taken to providing awareness of the information security policy, contribution to the ISMS and implications of not conforming?


2. Has everyone been covered?


7.4 Communication

Recommended Questions | Audit Findings | Evidence Reviewed
1. How has the need for communication been established?
2. Is the approach to communication documented?
3. Does the approach cover all areas in 7.4 (a) to (e)?

7.5 Documented information

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is all the documented information required by the standard in place?
2. Is the level of other documentation reasonable for the size of the ISMS?
3. Are appropriate documentation standards (for example, identification, format) in place?
4. Are the standards applied in a uniform way?
5. Are appropriate controls in place to meet 7.5.3 (a) to (f)?
6. How are documents of external origin handled?


8 Operation

8.1 Operational planning and control

Recommended Questions | Audit Findings | Evidence Reviewed
1. What plans are available to review?
2. Do they cover requirements, objectives and risk treatments?
3. What planned changes have taken place recently and how were they controlled?
4. What processes are outsourced?
5. How are they controlled?

8.2 Information security risk assessment

Recommended Questions | Audit Findings | Evidence Reviewed
1. What are the planned intervals for risk assessments?
2. What significant changes have happened that have prompted a risk assessment to be carried out?


8.3 Information security risk treatment

Recommended Questions | Audit Findings | Evidence Reviewed
1. What is the status of the risk treatment plan(s)?
2. How is it updated?
3. How is the success of the treatment judged?


9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

Recommended Questions | Audit Findings | Evidence Reviewed
1. How is it determined what should be monitored and measured?
2. Review evidence of monitoring and measurement.
3. What procedures are in place to cover monitoring and measurement in different areas?
4. How are results reported?

9.2 Internal audit

Recommended Questions | Audit Findings | Evidence Reviewed
1. How often are internal audits carried out?
2. Who carries them out?
3. Are the auditors objective and impartial?
4. Review the most recent internal audit report.
5. Have any nonconformities resulting from previous audits been addressed?
6. Does the audit programme cover the complete scope of the ISMS?


9.3 Management review

Recommended Questions | Audit Findings | Evidence Reviewed
1. How often are management reviews carried out?
2. Who attends them?
3. Are they minuted?
4. Review the results of the most recent one.
5. Are all areas in 9.3 a) to f) covered at management reviews?
6. Does the management review represent a reasonable assessment of the health of the ISMS?


10 Improvement

10.1 Nonconformity and corrective action

Recommended Questions | Audit Findings | Evidence Reviewed
1. How are nonconformities identified?
2. How are they recorded?
3. Review the records of a recent nonconformity.
4. Was appropriate action taken to correct it and address the underlying causes?
5. Was the effectiveness of the corrective action reviewed?

10.2 Continual improvement

Recommended Questions | Audit Findings | Evidence Reviewed
1. How are improvements identified?
2. Are they recorded?
3. What evidence of continual improvement can be demonstrated?


Annex A Reference Controls (NB: not all may be applicable)

A5 Information security policies

Recommended Questions | Audit Findings | Evidence Reviewed
1. Review the set of policies.
2. Are they all approved?
3. Who have they been communicated to?
4. When was the last time they were reviewed?

A6 Organisation of information security

Recommended Questions | Audit Findings | Evidence Reviewed
1. Where is segregation of duties used within the organization?
2. Which relevant authorities and special interest groups is contact maintained with and how?
3. How was information security addressed in the most recent project?
4. Is there a mobile device policy?
5. What security measures are used to manage mobile device risks?
6. Is there a teleworking policy?
7. Review the security measures in place at a specific teleworking site.


A7 Human resource security

Recommended Questions | Audit Findings | Evidence Reviewed
1. What background verification checks are carried out on employment candidates?
2. How is information security covered in employment contracts?
3. How are employees and contractors made aware of, and trained in, information security issues?
4. Is there a formal disciplinary process?
5. What happens when an employee leaves, with respect to information security?


A8 Asset management

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is there an asset inventory?
2. Are all assets in the inventory owned?
3. Are rules for the acceptable use of assets identified, documented and implemented?
4. What happens to assets when an employee leaves?
5. Is there an information classification scheme in place?
6. How is information labelled with its classification?
7. What procedures are in place for handling high value assets?
8. How is removable media managed, including disposal and transport?


A9 Access control

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is there an access control policy?
2. How is it decided which networks and network services a user is authorized to use?
3. Is there a formal registration and de-registration process?
4. Is there a formal user access provisioning process?
5. How are privileged access rights controlled?
6. Is there a formal management process to allocate secret authentication information?
7. How are access rights reviewed and how often?
8. What happens to access rights when someone moves or leaves?
9. How is the access control policy implemented within applications, e.g. logons, passwords?
10. How is the use of utility programs controlled?
11. Is access to program source code restricted?


A10 Cryptography

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is there a policy on the use of cryptographic controls?
2. How has it been implemented?
3. Is there a policy covering cryptographic keys?
4. How has it been implemented?


A11 Physical and environmental security

Recommended Questions | Audit Findings | Evidence Reviewed
1. Have the physical security perimeter and secure areas been defined?
2. What physical entry controls are in place?
3. What physical protections are in place to guard against natural disasters, malicious attack or accidents?
4. Are there procedures for working in secure areas?
5. What controls are in place over delivery and loading areas?
6. How is it decided where to site equipment?
7. What protection is in place from failures of supporting utilities?
8. Is important cabling protected?
9. Review equipment maintenance logs.
10. What is the procedure for taking assets offsite and how are they protected whilst offsite?
11. How is storage media disposed of securely?
12. Is there any unattended equipment that requires protection and if so, how is that provided?


13. Are desks and screens clear of sensitive information and storage media?


A12 Operations security

Recommended Questions | Audit Findings | Evidence Reviewed
1. To what extent are operating procedures documented?
2. How are changes controlled?
3. How is capacity managed?
4. Are development, testing and operational environments separated?
5. What controls are in place to handle malware?
6. How aware are users of the threat from malware?
7. What is the backup policy and process of the organization?
8. Are event logs collected and protected from tampering?
9. Are system administrator and operator activities logged and reviewed?
10. How are the clocks of the various infrastructure components synchronized?
11. How is software installation on operational systems controlled, both at a system and user level?
12. How are technical vulnerabilities identified and addressed?


13. How are audits carried out without disrupting business processes?


A13 Communications security

Recommended Questions | Audit Findings | Evidence Reviewed
1. How is network security managed and controlled?
2. Are network services agreements in place for all relevant services?
3. Do they cover security mechanisms, service levels and management requirements?
4. Is network segregation used and if so how?
5. What information transfers take place?
6. Are there policies, procedures and controls in place to protect them?
7. Are controls documented in formal agreements?
8. How is electronic messaging protected?
9. Are there non-disclosure agreements in place with key parties?

A14 System acquisition, development and maintenance

Recommended Questions | Audit Findings | Evidence Reviewed
1. Are information security requirements included in specifications for new or changed systems?
2. How is information passing over public networks, e.g. the Internet, protected?
3. For each type of application service, how are transactions protected from known threats?
4. How is software developed securely within the organization?
5. Is change control in place in the development lifecycle?
6. What process is performed when operating platforms are changed?
7. How much change is made to commercial off-the-shelf software?
8. What principles are used when engineering secure systems?
9. How are development environments protected?
10. How do you monitor outsourced software development?
11. To what extent is system security tested during development?

12. Review records of acceptance testing for the most recent system implementation.


A15 Supplier relationships

Recommended Questions | Audit Findings | Evidence Reviewed
1. How are the organisation's security requirements communicated and agreed with suppliers?
2. To what extent are the requirements documented in supplier agreements?
3. Do agreements with suppliers require them to address security risks?
4. How is supplier service delivery monitored, reviewed and audited?
5. How are changes made by suppliers managed and risk-assessed?


A16 Information security incident management

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is there an information security incident procedure?
2. Are incident management responsibilities understood?
3. How are information security events and weaknesses reported?
4. How is the decision about whether to classify an event as an incident made?
5. Review how some of the most recent incidents were responded to.
6. How is knowledge gained from incidents re-used?
7. Are procedures in place to ensure that potential evidence is protected?


A17 Information security aspects of business continuity management

Recommended Questions | Audit Findings | Evidence Reviewed
1. Are information security requirements in the event of a disaster understood?
2. Do business continuity procedures provide for the required level of information security?
3. Are the procedures tested regularly?
4. Are availability requirements identified and is enough redundancy in place to meet them?



A18 Compliance

Recommended Questions | Audit Findings | Evidence Reviewed
1. Is it clear which laws and regulations apply to the organization and its activities?
2. Are contractual obligations understood?
3. Is an approach to meet these requirements in place?
4. Are procedures implemented to ensure compliance with intellectual property rights?
5. Are records protected in line with the understood requirements?
6. Is privacy and protection of personally identifiable information addressed adequately?
7. Is the organization's use of cryptographic controls legal and compliant with relevant agreements?
8. How often are independent reviews of information security carried out?
9. How often do managers check their areas comply with information security policies and standards?
10. Review the most recent report on compliance of information systems with agreed information security policies.
