IT Auditing Standards Guidance
February 27, 2010Guidelines provide guidance in applying IT Auditing Standards. The IT auditor should consider them in determining how to achieve Implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IT Auditing Standards.
Procedures provide examples of procedures an IT auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IT Auditing Standards.
COBITresources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management, as well as IT auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
· Control Objectives—High-level and detailed generic statements of minimum good control
· Control Practices—Practical rationales and “how to implement” guidance for the control objectives
· Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and Substantiate the risk of controls not being met
· Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors
Linkage to Standards
· Standard S6 Performance of Audit Work states, “IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.”
· Standard S6 Performance of Audit Work states, “During the course of the audit, the IT auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate documented analysis and interpretation of this evidence.”
· Procedure – Intrusion Detection Systems (IDS) Review provides guidance.
· Guideline – Review of Virtual Private Networks provides guidance.
www.bestitdocuments.com