
Sunday, July 22, 2018

Notes 5

# The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.

# The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence.

# A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments.

# The primary consideration should be documentation of identified risk. In order to manage and control a risk, it must first be recognized as a risk. Only after documentation are other factors to be considered.

# The audit charter should be independent of the IS department and the IT steering committee.

# The action plan in case of disruption of services is included in the BCP policy.

# The audit compendium includes a summary of critical audit observations for higher management.

# The result of the risk management process is used for making security policy decisions.

# The attribute sampling method (a control is either present or absent) will be useful when testing for compliance.

# Compliance testing involves verification of process; substantive testing involves verification of transactions or data.
