Page 72 - Courses
P. 72

IT Essentials — Physical and Environmental Controls

            Proper coverage of physical and environmental risk will require collaboration with the first- and
            second-line roles to ensure the internal audit activity identifies the information that is most
            important to the organization.

            Adhering to IIA Standard 2050

            Adherence to IIA Standard 2050 might look like:
               •  Scoping for physical security and environmental risk is an interdependent exercise that
                   requires internal audit to jointly plan activities and actions with IT, information security, and
                   building maintenance departments. The chief audit executive (CAE) should define what is
                   covered and what is not covered in the internal audit plan. The CAE should also note areas
                   where assurance is not currently provided by any area or entity of the organization.
               •  A consistent process for the basis of reliance should be established, and the CAE should
                   consider the competency, objectivity, and due professional care of the assurance and
                   consulting service providers.
               •  The CAE should also have a clear understanding of the scope, objectives, and results of the
                   work performed by other providers of assurance and consulting services. Where reliance is
                   placed on the work of others, the CAE is still ultimately accountable and responsible for
                   ensuring adequate support for conclusions and opinions reached by the internal audit
                   activity.

            Pre-Engagement Auditing Steps

            The internal audit activity should work with operational management to identify the systems and
            technologies that enable access paths to view critical information (e.g., employee data, personally
            identifiable information (PII), customer credit card numbers, and vendor purchase history) to ensure
            physical and environmental control systems are migrated to a separate and isolated network
            segment.

            Working with IT, information security, and building maintenance management will help ensure
            vulnerabilities and threats to the physical security and environmental control systems are
            monitored on an ongoing basis. Internal audit should consider physical and logical access to these
            systems as one of the most important elements of the physical and environmental security audit.

            Before starting this engagement, the internal auditor should request an inventory of all
            environmental control systems and technology used for managing and monitoring physical security.
            It is important for the auditor to understand who owns and maintains/administers each system,
            along with its physical and logical location.

            Once the inventory is provided, common next steps include:
            •  Requesting a network diagram — a good way to see how these systems are isolated from those
               containing production data.
            •  Conducting a physical walkthrough — provides the internal auditor with verification as to
               location. In a remote work environment, this can be performed by having someone in the
               building, such as a guard live streaming a walkthrough or using camera footage, if available.
            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.
   67   68   69   70   71   72   73   74   75   76   77