Page 14 - Internal Auditor M.E. (English) - June 2018

Information Security

To comment on the article, email the author at melhim@hotmail.com





Conducting the ISR audit

Conducting the ISR audit can be hampered by busy schedules, and confirming findings can be hampered by defensiveness or misunderstanding. Asking the right questions, however, shows the interviewee a diligent understanding that works in their favour; this makes the best use of the time available, reduces misunderstanding, and lets the interview run smoothly.

To achieve this, the auditor has to think in terms of standardization: what is common to all departments and what is specific to each. The aim is to gather the common fields, apply them across all departments, and then add each department's specific fields to its questionnaire. This makes consolidating answers and feedback faster than collating individually designed questionnaires.

The sample below can further be reduced to three fields, such as control, requirements, and action. The objective is for the user to implement cost-effective controls that work.

Most DGE departments are busy, with their schedules subject to change. Audit work should be well planned so there is minimal disruption to audit clients. Proactively asking audit clients to provide their availability allows for practical planning that makes the best use of the time available from DGE employees. The table below illustrates an example of how to capture audit client availability when planning the audit schedule.

Audit     8:00   9:00   10:00  11:00  12:00  1:00   2:00   3:00   4:00
client    to     to     to     to     to     to     to     to     to
          9:00   10:00  11:00  12:00  1:00   2:00   3:00   4:00   5:00
A         x             x                                  x
B                x                    x      x      x      x      x
C                                                   x
D         x                           x                           x
E         x      x                                                x
F         x
Potential A, D,  B, E   A      NONE   B, D   B      B, C   A, B   B, D, E
daily     E, F
schedule

Reporting ISR audit results

The most important part of an ISR audit is concluding the audit and communicating the results to stakeholders. A workable approach to avoiding resistance and defensiveness is to work with the audit client to validate the audit outcomes and to develop effective action plans to remediate the risks identified by the audit.

The audit report should address the needs of multiple stakeholders, such as the ISSC, technical areas, and users. Reporting to the ISSC can generally be a high-level summary to assist with decision-making. Reports should specify the areas where improvement is required. Technical reporting should focus on practical matters related to the design and configuration of technology services that need improvement. Finally, action plans should provide a clear summary of the action required, who is responsible, and an agreed timeframe for implementation.

Cloud computing introduces a new set of risk and control implications.

Conclusion

ISR version 2 sheds light on what is needed to have effective information security. It is an opportunity for organisations to learn from the discipline brought by ISR and to build strong information security capability.

Melhem Khoury Nicolas, MBA
