Once again, here I am, writing down some of my impressions about the CISA Review Manual 2013. I’ve been quite busy over the last week, so I’ve only read Section Two (Content), Chapter 1.
It has been very interesting reading about Management of the IS Audit Function and, above all, how to organize an IS Audit.
Imagine you’ve been hired to audit a company’s IS: what’s your first step? A clue: the audit charter.
If you have to poke around a company’s Information System, you’d better have an audit charter signed by senior management. It must clearly set out the objectives, scope and responsibilities of the audit. In future posts, I will talk about the difference between scope and objectives; they may sound similar, but they are not.
Authority: that’s what you clearly need. You have to interview people to understand business missions, objectives, purposes and processes, and people are normally busy. You will be taking some of their time, so you’d better have authority delegated from senior management to do your job.
But, as Uncle Ben once said and Sheldon Cooper recently reminded us, «with great power comes great responsibility». So, as an IS auditor, you need to be technically competent and commit to maintaining that competence through continuing professional education.
«OK, I’m a competent IS auditor with an audit charter signed by the boss: now what?»
Don’t improvise: get a plan. Are we talking about short-term or long-term audit planning? Both? Have you listed all the relevant processes you will work with? Are all the risk factors duly listed?
Talk to senior management to get a clear view of the risk factors that can have an impact on the business, and review prior work papers. Full objectivity may be out of reach, but you still need some objective criteria for ranking those risks. The CISA Review Manual suggests a time-frame criterion, i.e., the time needed to recover from the damage suffered. And that time frame, once again, can only be defined by senior management.
Even if you’re not a lawyer, don’t forget to include in your plan all laws and regulations that can be seen as risk factors: data protection (yes, the LOPD is a risk factor), e-commerce, cloud computing, and also every other legal requirement placed on the auditee. For example, if you’re auditing a hospital’s IS, you must cover the complete legal framework for medical data and medical records, medical insurance, etc.
And, for the time being, that’s all, folks. Please let me know if my English is getting better (or not).