
IT Essentials — Physical and Environmental Controls

            •  Individual power supply units (UPS) with surge protection in equipment cabinets, as well as
               between devices and power outlet.

             TOPIC 5: AUDITING PHYSICAL AND ENVIRONMENTAL SECURITY CONCEPTS

            Audit Planning

            The key objective of a physical and environmental security audit is to provide management with
            assurance about the design and operating effectiveness of the organization’s related internal
            controls, processes, policies, and procedures.

            Audit objectives typically include ensuring the following:

            •  Third-party risk is identified, assessed, and responded to — specific to physical and
               environmental controls.
            •  Third-party logical access is appropriate and monitored.
            •  Rooms containing technology resources and environmental systems are physically secured.
            •  Devices used for physical and environmental security are properly isolated from customer and
               organizational data.
            •  Critical infrastructure, systems, equipment, documents, and people are protected against known
               dangers.



            Associated Standards

            We usually focus on three International Standards for the Professional Practice of Internal Auditing
            (Standards) when preparing for an audit of physical and environmental controls.

            In accordance with IIA Standard 2220.A1: Engagement Scope, the scope of the engagement must
            include consideration of relevant systems, records, personnel, and physical properties, including
            those under the control of third parties.

            In accordance with IIA Standard 1210.A3: Proficiency, internal auditors must have sufficient
            knowledge of key information technology risks and controls and available technology-based audit
            techniques to perform their assigned work. However, not all internal auditors are expected to have
            the expertise of an internal auditor whose primary responsibility is information technology auditing.

            In alignment with IIA Standard 2050: Coordination and Reliance, the chief audit executive should
            share information, coordinate activities, and consider relying upon the work of other internal and
            external assurance and consulting service providers to ensure proper coverage and minimize
            duplication of efforts.






            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.