IT / IS AUDIT PROCESS MODELS (MINDMAPS)
For personal use only – not for distribution

[Mindmap: audit process model – node labels recovered from the diagram]

Audit process model (Begin Audit to End Audit):
  Familiarise
  Gather Information
  Create Working Papers
  Create Process Maps
  Annotate Risk
  Annotate Controls
  Evaluate Controls
  Risk Appetite
  Control Efficiency and Costs
  Process Hotspots
  Process Efficiency Testing
  Reporting

Audit lifecycle:
  Choose Audit
  Set Scope and Objectives
  Notify Management and auditees as necessary
  Entry Meetings
  Fieldwork
  Reporting
  Follow up

Familiarisation – get to know process flow
  Identify, Determine, Document: What, Who, When, How, Where, Why
  Possibility of significant Operational, Compliance, Reporting or Strategic Risks?

Fieldwork
  Gather information by:
    1. Interviews
    2. Existing documentation
    3. Questionnaires
    4. Observations
    5. Tests
  Determine expected controls
  Locate actual controls
  Gap analysis shows missing controls: Present as expected / Expected but absent

Control Feedback model – control objectives checked at each stage of the process flow:
  I/P (input) is: Complete, Accurate, Authorised, Authentic, Traceable
  Stored Data is: Secure, Private, Recoverable
  Flow maintains: Integrity, Confidentiality, Authenticity, Availability
  End to end reconcilability
  Segregation of roles
  O/P (output) is: Complete, Accurate, Authorised, Authentic, Traceable

Key application controls (Control Feedback):
  I/P is: Complete, Accurate, Authorised, Authentic, Traceable
  End to end reconcilability
  Segregation of roles
  O/P is: Complete, Accurate, Authorised, Authentic, Traceable

Key network controls (Control Forward):
  Flow maintains: Integrity, Confidentiality, Authenticity, Availability
  End to end reconcilability

Key storage controls:
  Stored Data is: Secure, Private, Recoverable

Key host controls (HOST CONTROLS): Router, Packet Filter, Proxy, Firewall
  Who: Limited few; Skill / Competence
  How: Security / vulnerability of underlying OS; Rules and rationale; How tested; How validated; Pen testing