登录查看更多内容

How can you conduct an unbiased information assurance audit and review?

由人工智能和领英社区提供技术支持

Information assurance (IA) is the practice of protecting the confidentiality, integrity, and availability of information systems and data from unauthorized access, use, disclosure, modification, or destruction. IA audits and reviews are essential for assessing the effectiveness of IA policies, procedures, controls, and practices in an organization. However, conducting an unbiased IA audit and review can be challenging, as there may be conflicts of interest, biases, or pressures that could compromise the objectivity and credibility of the audit and review process. In this article, you will learn how to conduct an unbiased IA audit and review by following some best practices and guidelines.

此文章中的业界达人

由社区从 3 条内容中精选。了解更多

Shreya Koley, CISA

SocGen | Ex-EY | Ex-PwC | TPRM | ISO 27001:2013 LA | AZ900 | SC900 | MBA(ITBM) | SCIT

1 Define the scope and objectives

Before you start an IA audit and review, you need to define the scope and objectives of the project. The scope should specify what information systems and data are subject to the audit and review, what standards and criteria will be used to evaluate them, and what deliverables and timelines are expected. The objectives should state what the purpose and goals of the audit and review are, and what questions or issues need to be addressed. Defining the scope and objectives clearly and transparently will help you avoid scope creep, misunderstandings, and conflicts with the stakeholders.

添加您的观点

加载更多内容

2 Select an independent and qualified team

The next step is to select an independent and qualified team to conduct the audit and review. The team should consist of individuals who have the relevant knowledge, skills, experience, and credentials to perform the audit and review tasks. The team should also be independent from the organization being audited and reviewed, and have no personal or professional relationships or interests that could influence their judgment or objectivity. The team should disclose any potential or actual conflicts of interest, and recuse themselves from the audit and review if necessary.

添加您的观点

3 Follow a structured and documented methodology

The audit and review team should adhere to a structured and documented methodology to guarantee the audit and review process is consistent, reliable, and repeatable. This methodology should include a plan that outlines the scope, objectives, criteria, methods, resources, roles, responsibilities, and schedule of the audit and review. Additionally, a risk assessment should be conducted to identify and evaluate the risks and vulnerabilities of the information systems and data being audited and reviewed. Moreover, a testing strategy should be formulated to define the types, techniques, tools, and procedures of testing the information systems and data against the criteria. Furthermore, a reporting strategy should be established to determine the format, content, and distribution of the audit and review reports. Lastly, a quality assurance process should be implemented to ensure the quality and accuracy of the audit and review activities and outputs.

添加您的观点

4 Communicate effectively and respectfully

Throughout the audit and review process, the team should communicate effectively and respectfully with the stakeholders, such as the management, staff, users, customers, and regulators of the organization being audited and reviewed. The team should inform the stakeholders about the scope, objectives, methods, progress, findings, recommendations, and limitations of the audit and review. The team should also listen to the feedback and concerns of the stakeholders, and address them appropriately. The team should avoid making assumptions, judgments, or accusations that could damage the trust and cooperation of the stakeholders.

添加您的观点

5 Review and validate the results

The final step is to review and validate the results of the audit and review. The team should analyze the data and evidence collected from the testing, and compare them with the criteria and objectives of the audit and review. The team should identify the strengths and weaknesses of the information systems and data, and the gaps and opportunities for improvement. The team should also verify the validity, reliability, and relevance of the results, and check for any errors, inconsistencies, or biases. The team should document the results in a clear, concise, and objective manner, and provide actionable and realistic recommendations for enhancing the IA of the organization.

添加您的观点

Shreya Koley, CISA

SocGen | Ex-EY | Ex-PwC | TPRM | ISO 27001:2013 LA | AZ900 | SC900 | MBA(ITBM) | SCIT
举报内容
At the time of validation of results, there are often disagreements between the auditee and the auditor. This can happen due to multiple reasons: 1. Loosely worded controls or standards that leaves leeway for the auditee in terms of implementation 2. Budget issues in terms of strengthening the security 3. Tooling gap where the auditee is dependent on the vendor. There needs to be a consensus between both the parties to address such concerns objectively. An auditor report with findings should be viewed as an opportunity to improve and should be worked upon by the auditee since the risk exposure of the organisation will ultimately decrease due to effectiveness of internal controls.

已翻译

赞

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

加载更多内容

Information Systems

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you conduct an unbiased information assurance audit and review?

1

2

3

4

5

6

1 Define the scope and objectives

2 Select an independent and qualified team

3 Follow a structured and documented methodology

4 Communicate effectively and respectfully

5 Review and validate the results

6 Here’s what else to consider

Information Systems

给文章评分

感谢您的反馈

更多Information Systems相关文章

更多相关阅读内容

How can you conduct an unbiased information assurance audit and review?

1

2

3

4

5

6

1 Define the scope and objectives

2 Select an independent and qualified team

3 Follow a structured and documented methodology

4 Communicate effectively and respectfully

5 Review and validate the results

6 Here’s what else to consider

Information Systems

给文章评分

感谢您的反馈

查看其他技能