levels understand the IT risks the enterprise is facing and specific roles of members of staff
in the risk management process. It is particularly important that this test is done at board,
senior management, and operational levels.
The awareness program content should be consistent with enterprise risk policies and procedures. The IS auditor, as part of the evidence-gathering exercise, should request the IT risk training program content so that it can later be analysed to assess whether it is consistent with enterprise risk policies and procedures.
If the enterprise does not have any awareness programs for staff, this is material for the auditor to report on. Risks affect all staff in an enterprise in one way or another, and staff need to be aware of the risks and of how to respond to incidents that might occur. Risks are managed more effectively when all staff are actively involved in risk management.
i) When was the last risk assessment conducted?
Enterprises conduct risk assessments at regular intervals or when there are major changes to the enterprise IT or supporting systems. Depending on internal policy, enterprises also perform risk assessments on less significant changes as part of change management. Changes to less important systems can sometimes cause major disruption to business operations, which is why it is important in some cases to ensure that risk assessments are performed even when less significant changes are made. This does not mean that enterprises should perform a risk assessment for every small change.
Management might give the IS auditor a standard answer to this question, such as providing only the date on which the assessment was conducted. It is recommended that the IS auditor requests a recent risk assessment report as evidence and goes further by asking what actions management took in response to the report's findings and recommendations.
You should have observed from this paragraph that the IS auditor can ask two further follow-up questions, which will enable him to collect a recent risk assessment report and a report on management responses and actions.
Information Security
Information security is one of the most important and regularly audited areas, because it ensures secure and robust protection of the IT infrastructure. The IT general controls audit includes information security as one of the areas under review. Generally the review reflects what is contained in the information security policy and its associated security procedures. IS auditors are required to investigate how security is being implemented and how effective it is.