IT Audit


Information systems security audit (ISSA) is an independent review and examination of system records, activities, and related documents.


These audits are intended to improve the level of information security, avoid improper
information security designs, and optimize the efficiency of the security safeguards and security
processes.
IT security audit is a comprehensive examination and assessment of an enterprise’s information
security system. Conducting regular audits can help identify weak spots and vulnerabilities in
IT infrastructure, verify security controls, ensure regulatory compliance, and more.
A Compliance Audit is typically conducted by a certified security auditor from either the
applicable regulatory agency or an independent third-party vendor. In some cases, though,
personnel within the company may perform an internal audit to check the company’s regulatory
compliance or overall security posture.
The Steps in an IT Security Audit

1. Define the objectives.
2. Plan the audit.
3. Perform the auditing work.
4. Report the results.
5. Take necessary action for the deficiencies.

Take Necessary Action:

Examples of security-enhancement actions can include:

• Performing remediation procedures to fix a specific security flaw or weak spot(s).
• Training employees in data security compliance and security awareness.
• Adopting additional best practices for handling sensitive data and recognizing signs of malware and phishing attacks.
• Acquiring new technologies to strengthen existing systems and regularly monitoring infrastructure for security risk.
A security audit should follow the best practices mentioned below:

i. Establish clear objectives.
ii. Obtain buy-in from key stakeholders.
iii. Define clear action items based on the audit results.
iv. Security audit solutions.
Difference Between a Security Audit and a Risk Assessment

I. Risk Assessment

a. A risk assessment is often performed at the start of an IT initiative, before tools and technologies have been deployed.

b. It is also performed every time the internal or external threat landscape changes.

c. In an organisation with mature security processes, risk assessment is performed regularly to assess new risks and re-evaluate risks that were previously identified. The goal of a risk assessment is to determine how best to build IT infrastructure to address known security risks. Hence, this activity is focused on outward factors and how they affect infrastructure.

II. Security Audit

a. A security audit is performed on existing IT infrastructure to test and evaluate the security of current systems and operations.

b. As a best practice, schedule security audits to be performed at regular intervals so that overall security posture is assessed on an ongoing basis.
Security Audit

• Point-in-time assessment
• Verifies security commitments are being met
• Leads to potential action items where gaps are identified
• Typically less expensive than a risk assessment
• Does not validate that the security program is aligned with risk
• Does not provide a basis of design for an organizational security program

Security Risk Assessment

• Forward-looking methodology
• Verifies security commitments are being met
• Leads to a long-term security master plan and cost staging
• More expensive than a security audit
• Validates that the security program is aligned with risk
• Provides a basis of design for an organizational security program
• Enhances crisis management and resiliency
Compliance and Security Framework

RBI also expects the banks to report to the Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision, with the following details:

• Gap analysis against the published Cyber Security/Resilience Framework.
• Information security controls.
• Effectiveness of the implemented controls.
• Plan of action to mitigate risks.
• Role of the Chief Information Security Officer (CISO).

How an RBI audit is performed by a bank:

• The audit is conducted as an in-depth technical assessment.
• It includes an information security process audit.
• It includes the applicability of cyber security controls.
• Evidence and logs on servers are checked.
• It includes checking all norms of technical requirements as per RBI.


IT Audit in the Banking Sector

The objectives of IS audit are to identify the risks that an organization is exposed to in the computerized environment. IS audit evaluates the adequacy of the security controls and informs the Management with suitable conclusions and recommendations. IS audit is an independent subset of the normal audit exercise in an organization. The overall objectives of the normal audit exercise do not change when applied to the computerized environment. The major objectives of IS audit include, among others, the following:

• Safeguarding of Information System Assets/Resources.
• Maintenance of Data Integrity.
• Maintenance of System Effectiveness.
• Ensuring System Efficiency.

Safeguarding of Information System Assets/Resources

The Information System Assets of the organization must be protected by a system of internal controls. It
includes the protection of hardware, software, facilities, people (knowledge), data files, system
documentation, and supplies. This is because hardware can be damaged maliciously, software and data
files can be stolen, deleted, or altered and supplies of negotiable forms can be used for unauthorized
purposes. Safeguarding of the Information System Assets is a very important function of each
organization.

Maintenance of Data Integrity

Data Integrity includes the safeguarding of the information against unauthorized addition, deletion, modification, or alteration. This includes items such as accounting records, backup, documentation, etc. Information Systems are used to capture, store, process, retrieve and transmit the data securely and efficiently. The emphasis is on the accuracy of the data and its transmission in a secured manner. Data Integrity also implies that, during the various phases of electronic processing, the following features of the data are preserved:

• Accuracy
• Reliability
• Confidentiality
• Availability
• Completeness
• Timeliness
• Up-to-date status
• Effectiveness

Maintenance of System Effectiveness

An effective Information System significantly contributes to the achievement of the goals of an organization. Therefore, one of the objectives of IS audit is to verify system effectiveness. It provides input to decide when, what and how the system should be improved so that its utility to the management is maximum. Aspects of system effectiveness include:

• Improved Task Accomplishments
• Improved Quality
• Operational Effectiveness
• Technical Effectiveness
• Economic Effectiveness

Ensuring System Efficiency

The resources used by the Information Systems such as the machines, computer peripherals, software, etc.
are scarce and costly. Efficient Information Systems use minimum resources to achieve the desired
objectives. When a computer no longer has excess capacity, system efficiency becomes important. It
becomes necessary to know whether the available capacity has been exhausted or the existing allocation
of the computer resources is causing the bottlenecks.
Approaches of IS Audit

The following are the three major approaches of IS audit.

a. Auditing around the Computer

i. The emphasis is on checking the correctness of the output data/documents against the input of a process, without going into the details of the processing involved.

ii. This approach is preferred:

• Where auditors themselves do not have the desired level of technical skills to adopt the other approaches.
• When high reliance is placed on the users rather than the computer controls to safeguard the assets, maintain data integrity and attain effectiveness and efficiency objectives.

b. Auditing through the Computer

i. The computer programs and the data constitute the target of IS audit.
ii. Compliance and substantive tests are performed on the computer system, its software, and the data. IS auditors can test the application system effectively using this approach.
iii. This approach is time-consuming, as it needs an understanding of the internal working of an application system.

c. Auditing with the Computer

i. The computer system and its programs are used as tools in the audit process.
ii. The objective is to perform substantive tests using the computers and their programs.
iii. This method is used where:

• The application system consists of a large volume of inputs, producing a large volume of outputs.
• The logic of the system is complex.
• There are substantial gaps in the visible trails.

iv. The IS audit documentation should contain the description of the CAAT (Computer-Assisted Audit Technique) application.
Information Systems Audit Methodology

Audit activity is broadly divided into five major steps for the convenience and effective conduct of the audit:

• Planning the IS Audit
• Tests of Controls
• Tests of Transactions
• Tests of Balances
• Completion of the Audit
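The "auditing with the computer" approach and the tests-of-transactions and tests-of-balances steps above are both about using a program to run substantive tests over a large volume of records that an auditor could not check by hand. The script below is an added illustration written for this page, not code from the original document or from any bank or regulator. It runs a small CAAT-style set of checks over a constructed transaction journal: a sequence-gap test (a gap in the visible trail), a duplicate-entry test, a control-total reconciliation (a test of balances) and a timeliness test. The record layout, the sample entries and the reported control total are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    """One journal entry. Layout is an assumption made for this example."""
    seq: int            # journal sequence number; should be contiguous
    account: str
    amount: Decimal     # signed: credits positive, debits negative
    posted: datetime    # when the entry was posted to the ledger


# Constructed sample journal (not real data). It deliberately contains
# one duplicate entry (seq 1003), one missing sequence number (1004)
# and one entry posted two days after the batch date (seq 1006).
BATCH_DATE = datetime(2024, 3, 1)
SAMPLE_JOURNAL = [
    Txn(1001, "ACC-1", Decimal("250.00"), datetime(2024, 3, 1, 9, 0)),
    Txn(1002, "ACC-2", Decimal("-75.50"), datetime(2024, 3, 1, 9, 5)),
    Txn(1003, "ACC-1", Decimal("-100.00"), datetime(2024, 3, 1, 9, 7)),
    Txn(1003, "ACC-1", Decimal("-100.00"), datetime(2024, 3, 1, 9, 7)),
    Txn(1005, "ACC-3", Decimal("400.00"), datetime(2024, 3, 1, 9, 30)),
    Txn(1006, "ACC-2", Decimal("30.00"), datetime(2024, 3, 3, 17, 0)),
]

# Control total the application reported for this batch (constructed).
# It excludes the duplicated posting, so recomputing from the journal
# will show a variance and point the auditor at the duplicate.
REPORTED_CONTROL_TOTAL = Decimal("504.50")


def sequence_gaps(journal):
    """Sequence numbers missing between the lowest and highest seen."""
    seen = {t.seq for t in journal}
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def duplicate_entries(journal):
    """Sequence numbers that appear more than once."""
    counts = Counter(t.seq for t in journal)
    return sorted(s for s, n in counts.items() if n > 1)


def reconcile_control_total(journal, reported):
    """Recompute the batch total and return (recomputed, recomputed - reported)."""
    recomputed = sum((t.amount for t in journal), Decimal("0"))
    return recomputed, recomputed - reported


def late_postings(journal, batch_date, tolerance=timedelta(days=1)):
    """Entries posted more than `tolerance` after the batch date (timeliness)."""
    return [t.seq for t in journal if t.posted - batch_date > tolerance]


def run_caat(journal, reported_total, batch_date):
    """Run all substantive tests and return the findings as a dict."""
    recomputed, variance = reconcile_control_total(journal, reported_total)
    return {
        "sequence_gaps": sequence_gaps(journal),
        "duplicates": duplicate_entries(journal),
        "recomputed_total": recomputed,
        "variance": variance,
        "late_postings": late_postings(journal, batch_date),
    }


if __name__ == "__main__":
    # Findings go into the audit working papers, alongside the CAAT description.
    for name, value in run_caat(SAMPLE_JOURNAL, REPORTED_CONTROL_TOTAL, BATCH_DATE).items():
        print(f"{name:>16}: {value}")
```

Each test returns its exceptions rather than printing them so that the same functions can be re-run against the full journal export during the tests-of-transactions and tests-of-balances steps, and the results recorded as evidence. Decimal is used for amounts so that the recomputed total is exact, which matters when a reconciliation variance is the finding.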
