Phases of Information Security Audit and Strategies
• Pre-audit agreement stage
Agree scope and objective of the audit. Agree on the level of support that will be provided. Agree locations, duration
and other parameters of the audit. Agree financial and other considerations. Confidentiality agreements and
contracting have to be completed at this stage.
Developing/creating a formal agreement to state the audit objectives, scope, and audit protocol.
(e.g., statement of work, audit memorandum, or engagement memo)
• Initiation and Planning stage
Conducting a preliminary review of the client’s environment, mission, operations, polices, and practices. Performing
risk assessments of client environment, data and technology resources; completing research of regulations, industry
standards, practices, and issues. Reviewing current policies, controls, operations, and practices; Holding an Entrance
Meeting to review the engagement memo, to request items from the client, schedule client resources, and to answer
client questions.. This will also include laying out the time line and specific methods to be used for the various
• Data collection and fieldwork (Test phase)
This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach a conclusion
related to the audit objectives and to support audit findings and recommendations. During this phase, the auditor
will conduct interviews; observe procedures and practices, perform automated and manual tests, and other tasks.
Fieldwork activities may be performed at the client’s worksite(s) or at remote locations, depending on the nature of
the audit.
• Analysis
Analyses are performed after documentation of all evidence and data, to arrive at the audit findings and
recommendations. Any inconsistencies or open issues are addressed at this time. The auditor may remain on-site
during this phase to enable prompt resolution of questions and issues. At the end of this phase, the auditor will hold
an Exit Meeting with the client to discuss findings and recommendations, address client questions, discuss corrective
actions, and resolve any outstanding issues. A first draft of the findings and recommendations may be presented to
the client during the exit meeting.
• Reporting
Generally, the Information Security Audit Program will provide a draft audit report after completing fieldwork and
analysis. Based on client response if changes are required to the draft, the auditor may issue a second draft. Once
the client is satisfied that the terms of the audit are complied with the final report will be issued with the auditor’s
findings and recommendations.
• Follow-through
Depending on expectations and agreements the auditor will evaluate the effectiveness of the corrective action taken
by the client, and, if necessary, advise the client on alternatives that may be utilized to achieve desired
improvements. In larger, more complex audit situations, follow-up may be repeated several times as additional
changes are initiated. Additional audits may be performed to ensure adequate implementation of recommendations.
The level of risk and severity of the control weakness or vulnerability dictate the time allowed between the reporting
phase and the follow-up phase. The follow-up phase may require additional documentation for the audit client.