INTERNAL AUDIT
Working Together
Global Risk Management
Internal Audit and Technology Services (ITS)
Information Security Office (ISO)
THE PROBLEM
Internal or external?
Gaps in expertise or specialties needed?
Workload and cost considerations
RFPs for external assistance
Non-disclosure
In place between Internal Audit and ISO
Include co-ops, student employees, external auditors
Handling work papers and sensitive documents
Audit is the authoritative source for work papers
PLANNING THE AUDIT (CONT’D)
Audit format
Define the audit steps
Use frameworks such as COBIT, ISO 27001, ITIL
Use best practices such as NIST, DISA STIGs, PCI, others
Time estimates for all steps
Define procedures that will be done by each office
Interviews – Internal Audit and ISO
Vulnerability scans, pen testing – ISO
Code reviews – external auditor
Tools needed
FIELDWORK
Interviewing
Audit and ISO both take notes and compare
Gather screenshots for supporting data
Standards checklists (internal standards)
Configuration review
Gather configuration files
Show me “xyz” settings
Testing
Vulnerability scanning
Penetration testing
Configuration scanning and reporting
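The fieldwork steps above (gather the configuration file, "show me the xyz settings", compare against the internal standards checklist, report the exceptions) can be scripted so that the evidence kept in the work papers is the exact effective line of the file. The following is an added example and not material from the presentation or either office; the sshd_config-style sample, the checklist and its control IDs are all constructed for illustration.

```python
"""Configuration review against an internal standards checklist (added example).

Mirrors the fieldwork sequence: collect the config file, extract the settings
the checklist asks for, compare to the expected values, and produce a report
whose evidence column is the effective config line itself.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a collected sshd_config.  Note the commented-out
# directive on line 3: a review tool must not count it as a setting.
SAMPLE_CONFIG = """\
# sshd_config collected from host app-01 (constructed sample)
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
"""

# Constructed checklist: directive -> (expected value, internal control ID).
# The INT-SSH-* IDs are placeholders, not real STIG or benchmark identifiers.
CHECKLIST = {
    "PermitRootLogin": ("no", "INT-SSH-01"),
    "PasswordAuthentication": ("no", "INT-SSH-02"),
    "X11Forwarding": ("no", "INT-SSH-03"),
    "MaxAuthTries": ("4", "INT-SSH-04"),
    "ClientAliveInterval": ("300", "INT-SSH-05"),
}


@dataclass
class Finding:
    control: str
    directive: str
    expected: str
    actual: Optional[str]   # None means the directive is absent (daemon default applies)
    evidence: str           # exact config line with its line number, for the work papers
    status: str             # "pass" or "fail"


def parse_config(text: str) -> dict:
    """Return {directive (lowercased): (value, evidence line)}.

    Blank lines and comments are skipped.  The first occurrence of a
    keyword wins, which is how sshd_config(5) resolves duplicates, so the
    evidence recorded is the line that actually takes effect.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)\s+(.+?)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key not in settings:
            settings[key] = (m.group(2), f"line {lineno}: {raw.rstrip()}")
    return settings


def review(config_text: str, checklist=CHECKLIST) -> list:
    """Compare each checklist item to the parsed configuration."""
    settings = parse_config(config_text)
    findings = []
    for directive, (expected, control) in checklist.items():
        actual, evidence = settings.get(directive.lower(), (None, "directive not present"))
        passed = actual is not None and actual.lower() == expected.lower()
        findings.append(Finding(control, directive, expected, actual, evidence,
                                "pass" if passed else "fail"))
    return findings


def report(findings: list) -> str:
    """Render one line per control plus a summary line for the audit report."""
    lines = [f"[{f.status.upper():4}] {f.control} {f.directive}: expected {f.expected!r}, "
             f"found {f.actual!r} ({f.evidence})" for f in findings]
    failed = sum(f.status == "fail" for f in findings)
    lines.append(f"{len(findings)} controls checked, {failed} exceptions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(review(SAMPLE_CONFIG)))
```

Two details matter for evidence quality: commented-out directives are ignored rather than reported, and a directive that is absent is reported as a failure with "directive not present" rather than silently assumed compliant, since the daemon default then applies and the reviewer has to look that up separately.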
ANALYSIS
Technical interpretation
Consensus between ISO and Internal Audit
PRESENTATION
???