7.10 Audit Oversight Committee
It is always a good idea to have executive oversight of the audit function. This accomplishes several things. First of all, such high-level oversight demonstrates management commitment to the audit process. Second, it allows the audit team to operate with a fairly high degree of independence, preventing undue influence from affecting the outcome of any audit. Finally, the oversight committee can ensure the audit function serves the business needs, focusing on the areas of risk most relevant to the business.
When the oversight group selects the information systems security audit team leader, one of his or her first tasks will be to determine the format of the audit strategy. Options for this strategy include the production of a single strategy document, scrutinized under a regular review process, or the production of a strategy in the form of a corporate audit manual or a series of corporate audit policy documents (which can be separately reviewed and amended as necessary). Whatever format is chosen for the strategy, it should be disseminated to all members of the audit group under audit committee oversight.
The composition of the audit oversight committee is a significant factor in organizational success in the use of audits as a tool for ensuring adherence to policies and standards. Representation should come from every major group in an organization, such as Finance, Human Resources, Service and Support, Sales, Administration, etc. Cross-representation ensures adequate coverage of IT issues related to each of these organizations, and is healthy for the organization overall. Reciprocally, for audits of organizations other than IT, the same principles as stated above should apply.
7.11 Auditing and Assessment Strategies
An audit strategy defines the strategic approach that guides an information systems security audit team leader (ISSATL). The ISSATL should try to manage the audit team in a way that facilitates periodic reporting to the security manager covering the organization's risk management posture and policy adherence. This is accomplished through periodic audit plans. The ISSATL is responsible for providing management with specific recommendations resulting from any audit work. Other ISSATL responsibilities include the identification of audit resources required to deliver an audit service that meets the needs of the organization; establishment of effective cooperation with external auditors and other review bodies functioning in the organization; and the provision of assurance and consultancy services by