Chapter 7
7.10 Audit Oversight Committee
It is always a good idea to have executive oversight of the audit function. This accomplishes several things. First, such high-level oversight demonstrates management commitment to the audit process. Second, it allows the audit team to operate with a fairly high degree of independence, preventing undue influence from affecting the outcome of any audit. Finally, the oversight committee can ensure that the audit function serves the business needs, focusing on the areas of risk most relevant to the business.
When the oversight group selects the information systems security audit team leader, one of his or her first tasks will be to determine the format of the audit strategy. Options include a single strategy document, scrutinized under a regular review process, or a strategy in the form of a corporate audit manual or a series of corporate audit policy documents (which can be separately reviewed and amended as necessary). Whatever format is chosen, the strategy should be disseminated to all members of the audit group under audit committee oversight.
The composition of the audit oversight committee is a significant factor in how successfully an organization can use audits as a tool for ensuring adherence to policies and standards. Representation should come from every major group in the organization, such as Finance, Human Resources, Service and Support, Sales, Administration, and so on. Cross-representation ensures adequate coverage of the IT issues related to each of these groups, and is healthy for the organization overall. The same principle applies in reverse: audits of groups other than IT should draw on the same cross-representation.
7.11 Auditing and Assessment Strategies
An audit strategy defines the strategic approach that guides an information systems security audit team leader (ISSATL). The ISSATL should manage the audit team in a way that facilitates periodic reporting to the security manager on the organization's risk management posture and policy adherence. This is accomplished through periodic audit plans. The ISSATL is responsible for providing management with specific recommendations resulting from any audit work. Other ISSATL responsibilities include the identification of audit resources required to deliver an audit service that meets the needs of the organization; establishment of effective cooperation with external auditors and other review bodies functioning in the organization; and the provision of assurance and consultancy services by
internal audit to the organization. Regardless of the format chosen for the strategy document, the documented audit strategy should, at a minimum, define the items shown in Figure 7.4.
Figure 7.4 Minimum essential considerations for a documented audit strategy.
How does an internal audit relate to management's risk analysis?
What elements of the risk analysis are essential for annual review?
What methods provide reasonable assurance of adherence to the audit compliance standard?
What is needed to provide risk mitigation assurances to the security manager/audit committee?
What areas of change in the organization are being subjected to a systems security audit?
How, and to what extent, will the internal audit rely on other assurance work to develop an opinion?
What range of approaches does internal audit plan to employ in conducting the audit?
How will the internal audit communicate the results of its work?
What resources are required for the audit, including identification of any specialist skills required?
How will internal audit and specialist resources be recruited and utilized?
What methods of recruiting, training, and continuing professional development will be used for internal audit staff?
How will internal audit measure its performance?
How will internal audit implement quality assurance and seek continuous improvement?
What are the risks for the audit unit in delivering a strategy, and what are the plans for controlling these risks?
7.11.1 Prerequisites for Developing an Audit Strategy
There are a number of knowledge-based prerequisites for developing the audit strategy. All members of the audit team require a thorough understanding of the organization's objectives and performance targets, its risk analysis procedures (including the risk priorities of the organization), and the persons with key ownership of these risks. The audit team needs to fully understand the processes used by the security manager to establish his or her assurance
