The Audit Report (“IT Audit Report”)

Making Reports Reader Friendly

The overall report should contain the audit objective, the responsible parties, what was evaluated (with a reference to the standard if the control or information asset evaluated is very large), the finding, and the substantive evidence that supports what was found, preferably attaching the physical evidence (document, video, or other).
1. Go over IIA and GAS standards on written communications
2. Explain how audit reports typically need to be converted from an auditor’s draft to a reader-friendly version
3. Identify the three stages of report writing
4. Perform exercises to reinforce lecture points

IIA attributes of quality communications:
- Accurate
- Objective
- Clear
- Concise
- Constructive
- Complete
- Timely

GAS report qualities:
- Accurate
- Objective
- Clear
- Concise as the subject permits
- Convincing
- Complete
- Timely
Three stages of report writing:
1. Plan the report
2. Draft the report
3. Revise the draft
AUDITOR:
- I want to show you lots of data!
- Accuracy
- Linear explanations (inductive reasoning)

READER:
- Just enough, and try to make it interesting
- Accurate, but brief and clear
- Bottom line first, then supporting details (deductive reasoning)
1. Who will be the most important readers of the report?
2. How much do they know about the subject?
3. How do they plan on using the report?
4. How interested are they in the report?
5. What’s their reaction going to be to the report’s message?
Engagement communications should include:
- Objectives
- Scope
- Conclusions
- Recommendations
- Action plans

Under GAS, the report should include:
- Objectives
- Scope
- Methodology
- Findings
- Conclusions
- Recommendations
- Compliance with GAS statement
- Views of responsible officials
- Privileged and confidential information omitted
Planning the report:
1. Analyze your audience to decide on the best report format.
2. Develop a central message.
3. “Top Down” method
4. Elements of a finding
5. “Bottom Up” yellow stickees
“Top Down” method:
1. Think of the newspaper headline that would accurately summarize the report’s message.
2. Write a paragraph that summarizes the report’s key points.
3. Write paragraphs that explain and provide evidence for the statements made in the summary paragraph.

Drafting the report:
- Writer’s block
- The importance of finding the drafting method that suits you best
- Things you can do to make a report easier to read (summary, headings, charge paragraphs, topic sentences in paragraphs)

Causes of writer’s block:
- Unrealistic concept of the writing process
- Unreasonable goals such as immediately producing the perfect draft
- Lack of preparation
- Frequent interruptions
- Missing information

Overcoming writer’s block:
- Be REALISTIC about the writing process.
- Separate the creative process of writing from the critical perspective you adopt during the editing process.
- Break the writing process into manageable chunks via use of outlines.
- Schedule time for writing and let others know about your schedule and request their cooperation to minimize interruptions.
- Make notes of missing information, but move ahead using available information.

Devices that make a report easier to read:
- Summaries
- Headings
- Topic sentences
- Graphics
- Repetition of key phrases and terms

Revising the draft:
- Benefits of having others review the draft
- Levels of draft reviews
- Tips on what to look for at each level of review
Levels of draft review:
1. Report
2. Paragraph
3. Sentence

Report-level review:
- Is the report’s central message clear?
- Is it the appropriate length (i.e., too short or too long)?
- Does it have a summary of the report message up front?
- Does it have sufficient, clear headings?
- Does it have suitable graphics (e.g., pictures, tables, graphs)?

Paragraph-level review:
- Does the paragraph contain a topic sentence that accurately conveys the paragraph’s central idea?
- Does the paragraph contain enough information to support the idea expressed in the topic sentence?
- Does the paragraph contain too much information, so that it will overwhelm the reader?
- Do the ideas presented in the sentences following the topic sentence flow logically (i.e., are they in the correct order)?

Sentence-level review (George Orwell’s rules):
- “Never use a long word where a short one will do.”
- “If it is possible to cut a word out, always cut it out.”
- “Never use the passive when you can use the active.”

- Are all the words in my sentences necessary?
- Are my sentences easy to understand?
- Do the sentences contain action verbs and actors (active vs. passive construction)?

Avoid biased language!
IIA Practice Advisory 2420-1 states, “Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.”

Be conscious about whether you want to take a positive or negative tone.
For example, “Proper control cannot be achieved unless reconciliations are performed.”
Versus: “If reconciliations are performed, proper control can be achieved.”

Jargon: technical terms within a specific field, or overly complex terms used to describe something simple.
- Avoid jargon unless a) you know the reader will understand it, or b) there are no simpler terms to describe something.
- You can deal with jargon by either a) substituting simpler terms, or b) defining it first.
Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security.
IT Auditor: Regulations
[SOX/COBIT] The problem management system provides for adequate audit trail facilities, which allow tracing from incident to communication underlying cause.
[PCI] Track and monitor all access to network resources and cardholder data.
[NIST Assessment] Audit Trails: Is activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated?
[BS7799] Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
[HIPAA] … record and examine activity in information systems that contain or use electronic protected health information… regularly review records of information system activity such as audit logs, access reports, and security incident tracking… monitoring log-in attempts and reporting discrepancies.
[GLBA/FFIEC] Identify the system components that warrant logging… Determine the level of data logged for each component… establish policies for securely handling and analyzing log files.

PCI DSS control objectives and requirements:
- Build and Maintain a Secure Network
  ◦ Install and maintain a firewall configuration to protect data
  ◦ Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  ◦ Protect stored data
  ◦ Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a Vulnerability Management Program
  ◦ Use and regularly update anti-virus software
  ◦ Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  ◦ Restrict access to data by business need-to-know
  ◦ Assign a unique ID to each person with computer access
  ◦ Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  ◦ Track and monitor all access to network resources and cardholder data
  ◦ Regularly test security systems and processes
- Maintain an Information Security Policy
  ◦ Maintain a policy that addresses information security
ISO sections relevant to audit (section, title, audit info):

9.7 Monitoring system access and use
Objective: To detect unauthorized activities. Systems should be monitored to detect deviation from access control policy and record monitorable events to provide evidence in case of security incidents. System monitoring allows the effectiveness of controls adopted to be checked and conformity to an access policy model (see 9.1) to be verified.

9.7.1 Event logging
Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. Certain audit logs may be required to be archived as part of the record retention policy or because of requirements to collect evidence (see also clause 12).

9.7.2 Monitoring system use
Procedures for monitoring use of information processing facilities should be established. Such procedures are necessary to ensure that users are only performing activities that have been explicitly authorized. The level of monitoring required for individual facilities should be determined by a risk assessment.

9.7.2.3 Logging and reviewing events
A log review involves understanding the threats faced by the system and the manner in which these may arise. System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log, and/or the use of suitable system utilities or audit tools to perform file interrogation, should be considered.
ISO sections relevant to audit, continued (section, title, audit info):

8.1.2 Operational change control
When programs are changed, an audit log containing all relevant information should be retained . . . Consider identification and recording of significant changes.

8.4.3 Fault logging
Review of fault logs to ensure that faults have been satisfactorily resolved.

12.1.3 Safeguarding of organizational records
Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods . . .

12.1.5 Prevention of misuse of information processing facilities
Any use of these facilities for non-business or unauthorized purposes, without management approval, should be regarded as improper use of the facilities. If such activity is identified by monitoring or other means, it should be brought to the attention of the individual manager concerned for appropriate disciplinary action.

12.3 System audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process. There should be controls to safeguard operational systems and audit tools during system audits. Protection is also required to safeguard the integrity and prevent misuse of audit tools.

12.3.2 Protection of system audit tools
Access to system audit tools, i.e. software or data files, should be protected to prevent any possible misuse or compromise.

Is a security and compliance audit tool required by law?
Minimum requirements:
  ◦ Log collection
  ◦ Log archiving
  ◦ Reporting
  ◦ Monitoring
Open questions:
- How can I meet the requirement without hindering the business?
- Is that the only thing relevant to compliance?

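As an added illustration (not from the slides, and not code from any of the standards or vendors quoted), the script below walks through the four minimum requirements listed above (collection, archiving, reporting, monitoring) together with the ISO 9.7.2.3 practice of copying security-relevant message types to a second log and the HIPAA expectation of monitoring log-in attempts. The syslog-like record layout, the host name, the addresses, the 90-day retention period and the five-failures-per-minute threshold are all constructed assumptions for the example; an auditor would substitute the organization's agreed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records in a simple syslog-like layout (hypothetical, not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host1 sshd: Accepted publickey for alice from 10.0.0.5
2024-03-01T08:00:07Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T08:00:09Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T08:00:12Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T08:00:15Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T08:00:18Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T08:00:20Z host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T08:01:00Z host1 sudo: bob : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx
2024-03-01T08:02:00Z host1 app: GET /health 200
2024-03-01T08:03:00Z host1 sshd: Failed password for bob from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Message classes that get copied to the second, security-only log (ISO 9.7.2.3).
SECURITY_PATTERNS = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "auth_success": re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
    "privilege_use": re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"),
}


def parse_line(line):
    """Split one raw record into timestamp, host, program and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None  # a real collector would count dropped lines as evidence of gaps
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(rec):
    """Return (kind, extracted fields) for a security-relevant record, else (None, {})."""
    for kind, pat in SECURITY_PATTERNS.items():
        m = pat.search(rec["msg"])
        if m:
            return kind, m.groupdict()
    return None, {}


def collect(raw_text):
    """Collection: keep only security-relevant events, discarding the extraneous bulk."""
    second_log = []
    for line in raw_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, fields = classify(rec)
        if kind is not None:
            second_log.append({**rec, "kind": kind, **fields})
    return second_log


def archive(events, now_iso, retain_days=90):
    """Archiving: split events into the live window and those past the agreed retention period."""
    cutoff = datetime.strptime(now_iso, TS_FMT) - timedelta(days=retain_days)
    live = [e for e in events if e["ts"] >= cutoff]
    to_archive = [e for e in events if e["ts"] < cutoff]
    return live, to_archive


def report(events):
    """Reporting: event counts per class, the kind of summary figure an audit report cites."""
    return dict(Counter(e["kind"] for e in events))


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Monitoring: flag sources with at least `threshold` failed logins inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_failure":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    events = collect(SAMPLE_LOG)
    print(report(events))
    print(failed_login_alerts(events))
```

Only the security-relevant classes (eight of the ten constructed lines) reach the second log; the cron and application lines are exactly the "extraneous" volume ISO 9.7.2.3 describes. Whether the retention split keeps or archives an event depends entirely on the agreed period, which is why the period is a parameter rather than a constant.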
Sample report outline:
- Executive Summary
- Introduction
  ◦ Background
  ◦ Objectives and Scope
  ◦ Audit Criteria
  ◦ Approach and Methodology
  ◦ Results from Phase 1
  ◦ Purpose
- Overview of ACI-EDI Reporting for Air
- Audit Findings
  ◦ Technical Solution Development
  ◦ Business Transformation
  ◦ Authority, Responsibility and Accountability
  ◦ Project Management Framework
  ◦ Project Risk Management
  ◦ Security Assessment
- Appendix A - Audit Criteria
- Appendix B - List of Acronyms

Audit Objectives:
To assess [Name of Company] compliance with the [Name of Standard] Standard.

Overall conclusion:
Based on our observations, we noted the degree of compliance with [Name of Standard]. With the exception of business continuity planning, [Name of Company] is compliant with [Name of Standard].

Summary of Findings:
The audit team noted a number of strengths with respect to compliance with [Name of Standard]. For example, [Name of Company] has specified the roles and responsibilities for managing IT security. It has also issued a comprehensive set of policies, procedures and standards for managing this function and instituted a security-awareness program for its employees. [Name of Company] screens staff to determine who will have access to which sensitive information, and has employed security zones.

Detailed Findings and Remediation:

Recommendation:
To institute better monitoring and oversight of IT security, [Name of Company]'s senior management should designate an IT Security Coordinator for [Name of Company] who has responsibility and authority for IT security throughout the organization.

Management Response:
Agreed; an IT Security Coordinator for [Name of Company] with organization-wide responsibility and authority for IT security will be appointed following consultation with the Senior Executive Committee (SEC). However, such a role will need to be supported by a strong IM/IT governance structure in general and a robust information security governance framework in particular.

Timelines and Deliverables:

Report Samples:
- http://www.usda.gov/oig/webdocs/300991-SF-REDACTED.pdf
- Internal Audit Report of IT Systems, Canada Border Services Agency. http://www.cbsaasfc.gc.ca/agency-agence/reportsrapports/ae-ve/2007/itaci-tiipeceng.html#a01