InFission IT Audit approach
The IT Audit Director (IAD) is responsible for the IT Audit plan at InFission. The
IAD develops the IT Audit plan based on the overall audit objectives established
by the Chief Audit Executive (CAE) and approved by the Audit Committee.
The goal of the IT Audit program at InFission is to provide reasonable assurance to
management that the business objectives will be achieved with effective controls over
information technology systems. IT controls are selected based on risk assessment,
compliance requirements, and IT governance standards to enforce the policies and
procedures that ensure effectiveness and efficiency of operations, reliability of financial
reporting, and regulatory compliance.
IT Audit scope management
The scope of the InFission IT Audit plan includes assessment of controls that are
classified into the following two categories:
• IT general controls
• Application controls
IT general controls provide overall assurance over the IT control environment,
such as the IT organization structure and functions, IT policies and procedures
for data center operations, software lifecycle management and maintenance,
physical access to the data center, and availability of competent staff. IT general
controls create the environment in which the systems and application controls
operate. The InFission IT Audit plan for general controls includes the review of IT
policies, standards, IT security and privacy guidelines, application lifecycle controls
management, system continuity planning, and IT project and management. The
auditors perform onsite testing at each data center in North America, EMEA, and
APAC to ensure that the power supply, backup generators, cooling systems, and
fire suppression systems are effective, and that the data center environment is clean
and dust free with adequate protection from floods and water seepage. The auditors
also review the physical access controls because there are certain operations and
configurations that can be performed from the server console. For example, the
physical access test ensures that all servers are physically secured within the data
center behind locked doors that can only be accessed by authorized personnel using
access swipe cards or biometric access devices. Auditors obtain the evidence of
authorized physical access by reviewing the data center's employee identification
badges and all visitors' logs in the data center's access controls register.
 