CISA Exam Cram 2
As stated earlier, reviewing the business strategy, the IT strategy, and associated policies and procedures before conducting interviews and observations should provide the auditor with a clear view of the organization's objectives and mission and any potential gaps in policy or procedures. As a part of the interview and observation process, the auditor should observe personnel in the performance of their duties and assist in identifying the following:
All procedures should incorporate controls over the business process. As a part of the planning phase, the IS auditor should identify control objectives associated with each business process and ensure that the procedure is followed and that controls meet the control objectives. IT control objectives enable the IS auditor to more clearly understand the desired result or purpose of implementing specific control procedures. The IS auditor should check to see that the procedures are understood and executed correctly, determine whether control objectives are fulfilled, and should determine whether a review process is in place for change control. When auditing this area of IT, the auditor should look for areas of concern that could indicate potential problems. This can include the following:
During the IT audit process, the auditor should ensure that a process exists for strategy, policy, and procedure development, communication, and review. This review process can be part of a change-control process (CCP). The CCP is implemented in organizations as a way to provide a formal review and change-management process for systems and associated documentation. The change-control board (CCB), similar to the IT steering committee, is a formal body chartered by senior management. The CCB should accept requests for changes to systems and documentation, and should review and approve or deny recommended changes. The CCB also might be charged with the periodic review of strategy, policies, and procedures as part of its charter. The following example illustrates an ad-hoc procedure that is not aligned with a documented procedure. Imagine that the IS auditor is reviewing the backup procedures for the organization's servers. The documented procedure states that the backups are performed by the backup operator, who is responsible for configuring the backups, labeling the tapes, managing off-site storage, and performing log review. The procedure further states that a backup job is scheduled to run every evening to back up the organization's servers. The backup software should be configured to connect to the server, back up the data, verify that the data was backed up, log any anomalies, and move to the next server. While monitoring the process, the auditor finds that the data is being backed up and logged, and the backup software then connects to the next server without verifying. While questioning the backup operator, the IS auditor inquires about why the data backed up on the tape is not verified and then logged. The backup operator states that the procedure was created when the company had only five servers, which could be backed up and verified in about eight hours.
With the addition of 10 servers, the backup procedure cannot back up and verify all the servers in the environment in the eight-hour backup window. The backup operator asked for additional equipment after the servers were installed but has not received it. The backup operator therefore changed the actual procedure to back up the servers without verifying, to ensure that all 15 servers could be backed up during the eight-hour backup window. This scenario identifies a few areas of concern:
In this case, the difference between the actual documented procedure and the ad-hoc procedure on the surface appears small, but it can have far-reaching effects. This type of scenario could be an indicator of risk in the environment.
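The backup scenario above is a case where the evidence of the deviation already exists in the backup software's own logs, and a log review is the detective control the documented procedure assigns to the backup operator. The following Python example is added here and is not from the book: it encodes the documented per-server steps (back up, verify, log anomalies) as a required event sequence, reviews a constructed backup log against that sequence, and checks whether a serial backup job fits the eight-hour window. The server names, event names, per-server durations (30 minutes to back up, 66 minutes to verify) and log lines are all constructed assumptions for illustration.

```python
"""
Added example (not from the book): a procedure-conformance check for the
backup scenario. The documented procedure is modelled as the event sequence
each server must pass through; an auditor's log review compares what the
backup software actually logged against it. All names, durations and log
lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Documented control steps every server must pass through, in order
# (constructed event names standing in for the backup software's own).
DOCUMENTED_PROCEDURE = ["BACKUP_START", "BACKUP_COMPLETE", "VERIFY_OK"]

# Constructed log: server01 follows the documented procedure; server02 and
# server03 are backed up but never verified (the ad-hoc procedure); server04
# hits a tape error, which the software logs as an anomaly as it should.
SAMPLE_LOG = """\
2024-03-01 22:00:12 server01 BACKUP_START
2024-03-01 22:31:40 server01 BACKUP_COMPLETE bytes=41234567890
2024-03-01 23:45:02 server01 VERIFY_OK
2024-03-01 23:45:05 server02 BACKUP_START
2024-03-02 00:14:33 server02 BACKUP_COMPLETE bytes=20987654321
2024-03-02 00:14:35 server03 BACKUP_START
2024-03-02 00:44:10 server03 BACKUP_COMPLETE bytes=18765432100
2024-03-02 00:44:12 server04 BACKUP_START
2024-03-02 01:02:50 server04 BACKUP_ERROR code=ETAPE
"""

# "<date> <time> <server> <event> [detail...]"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")


def parse_log(text):
    """Return ({server: [event, ...]} in log order, [malformed lines]).

    Malformed lines are reported rather than silently dropped, because a
    line the reviewer cannot parse is itself something to follow up on.
    """
    events = defaultdict(list)
    malformed = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            malformed.append(line)
            continue
        _timestamp, server, event, _detail = match.groups()
        events[server].append(event)
    return dict(events), malformed


def audit_procedure(events, procedure=DOCUMENTED_PROCEDURE):
    """Compare each server's logged events with the documented sequence.

    Returns {server: [missing steps]} for every server that did not log
    every documented step; conforming servers are omitted. A server that
    logged an anomaly still shows up here, since its missing steps need
    the same follow-up by the reviewer.
    """
    findings = {}
    for server, seen in events.items():
        missing = [step for step in procedure if step not in seen]
        if missing:
            findings[server] = missing
    return findings


def fits_window(server_count, backup_minutes, verify_minutes,
                window_minutes=480, verify=True):
    """Does a serial job (back up, then optionally verify, per server)
    complete within the backup window? Uses minutes to avoid float error."""
    per_server = backup_minutes + (verify_minutes if verify else 0)
    return server_count * per_server <= window_minutes


if __name__ == "__main__":
    events, malformed = parse_log(SAMPLE_LOG)
    for server, missing in sorted(audit_procedure(events).items()):
        print(f"{server}: documented steps not logged -> {missing}")
    if malformed:
        print("unparseable lines:", malformed)
    # The scheduling arithmetic behind the operator's explanation, with the
    # assumed durations: 5 servers fit with verification, 15 do not, and 15
    # only fit once verification is dropped.
    print("5 servers with verify:", fits_window(5, 30, 66))
    print("15 servers with verify:", fits_window(15, 30, 66))
    print("15 servers without verify:", fits_window(15, 30, 66, verify=False))
```

The `audit_procedure` result is the auditor's finding in machine-readable form: servers whose backups completed but never produced a `VERIFY_OK` entry are exactly the deviation the operator described, and the check generalizes to any documented procedure that can be expressed as a required sequence of logged events. The `fits_window` arithmetic makes the capacity problem explicit, which is the kind of evidence that supports a finding that the procedure, not just the operator, needs to go through the change-control process.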