1.3.2 Scope of the Audit
As with any Audit, a risk assessment should be one of the first steps to be completed when examining a new
process. The risk assessment will help determine whether the process warrants expending a significant amount of
audit resources on the project. The scope of the audit depends on the risk. But even for the high-risk systems, the
scope should be limited to testing the critical internal controls upon which the security of the process depends.
The scope of the audit depends upon:
a. Site business plan
b. Type of data assets to be protected
c. Value of importance of the data and relative priority
d. Previous security incidents
e. Time available
f. Auditors experience and expertise
1.3.4 What makes a good security audit?
The development and dissemination of the IS Auditing Standards by Information Systems Audit and Control
Association (ISACA) is already in circulation for further information. A good security audit is part of a regular and
comprehensive framework of information security.
A good security audit may likely include the following:
Clearly defined objectives
Coverage of security is comprehensive and cross-cutting audit across the entire organisation. Partial audits
may be done for specific purposes.
Audit team is experienced, independent and objective. Every audit team should consist of at least two auditors
to guarantee the independence and objectivity of the audit (”two-person rule”). There is unrestricted right to
obtain and view information.
Important IS audit meetings such as the opening and the closing meetings as well as the interviews should be
conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality. No member of the
audit team, should have participated directly in supporting or managing the areas to be audited, e.g. they
must not have been involved in the development of concepts or the configuration of the IT systems.
It should be ensured that actual operations in the organisation are not significantly disrupted by the audit
when initiating the audit. The auditors never actively intervene in systems, and therefore should not provide
any instructions for making changes to the objects being audited. It is management responsibility for
supporting the conduct of fair and comprehensive audit.
Appropriate communication and appointment of central point of contact and other support for the auditors.
The execution is planned and carried out in a phase wise manner