Martin Goldberg
Today’s Topics
Financial Audit
IRS
Physical Audit
Inventory
Defining IT Security Audit (cont.)
IT Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9
Good Amount of Vagueness
Ultimately defined by where you work
Who is an IT Auditor
Accountant Raised to a CS Major
CPA, CISA, CISM, Networking, Hardware, Software, Information Assurance, Cryptography
Someone who knows everything an accountant does plus everything a BS/MS does about CS and Computer Security - Not likely to exist
IT Audits Are Done in Teams
Accountant + Computer Geek = IT Audit Team
Scope too large
Needed expertise varies
CISA? CISM?
1. Planning Phase
2. Testing Phase
3. Reporting Phase
Data Collection
Based on scope/objectives
Types of Data
Physical security
Interview staff
Vulnerability assessments
Access Control assessments
Reporting Phase