04.Information Security Control Testing and Evaluation (311)

Question 1

Control Monitoring

Controls neeed to be designed so that monitoring can take place

311

Question 2

Control Auditing

Reviews and audits form part of an essential function for security managers to determine whether security safe guards are in place and working properly.

311

Question 3

Security Review and Security Audit

A security review is a less formal and less rigorous examination of one or more controls, processes, or systems

A security audit is a more formal, methodical, and rigerous examination of one or more controls, processes, or systems

Security Review vs Audit

311

Question 4

Security Review and Security Audit

A security review is typically carried out internally, by the control owner.
A security audit is typically carried out by a separate party

312

Question 5

Security Audit

Systematic and repeatable process
Competent and independent professional evaluation
2 parties - auditor and auditee
2 types - internal and external

312

Question 6

Audit Techniques

Audits are a planned event that require formal planning to successfully achieve the objectives

313

Answer 6

Types of planning required;

1. Purpose
2. Scope
3. Risk Analysis
4. Audit Procedures
5. Resources
6. Schedule

Question 7

Audit Purpose

The auditor and auditee must establish the purpose as to the audit. For example, validating regulatory compliance

313

Question 8

Audit Scope

The auditor and auditee must establish the scope. This could include specific systems or specific time frames (start to finish)

313

Question 9

Audit - Risk Anaysis

An auditor needs to know the levels of risk associated with the domain being audited to determine where greatest amount of attention and resources are required

313

Question 10

Audit - Audit Procedures

The purpose and scope of an audit will help define the relevant procedures used. Specific rules on sample sizes and techniques may be stipulated if the audit for example is a compliance audit

313

Question 11

Audit - Resources

Determine what resources are needed and available for an audit.
The auditee may have a limited budget for an external audit
Specialist tools may be required to run sufficient analysis
Auditor needs to determine number of person-hours that will be required and skillset

314

Question 12

Audit - Schedule

Schedule needs to include enough time for interviews, data collection, analysis, report generation.

314

Question 13

Audit Objectives

Audit Objectives are the specific goals for an audit - typically to determine whether controls exist and if they are effective

314

Question 14

Types of Audit

The scope, purpose, and objectives of an audit will help to determine the type of audit to be performed.
Auditors must understand the type of audit required so they know what techniques and procedures to deploy

314

Question 15

Audit Type - Operational Audit

Examination of controls (IT, Security, Business), to determine control existence and effectiveness

315

Question 16

Audit Type - Financial Audit

Examination of accounting system, including accounting department processes and procedures

315

Question 17

Audit Type - Integrated Audit

Combined operational and financial audit. Offers auditor complete understanding of entire environments integrity

315

Question 18

Audit Type - IS Audit

Detailed examination of most/all information systems department operations.
Determines whether IT governance is aligned with organisation objectives and goals

315

Question 19

Audit Type - Administrative Audit

Examination of operational efficiency within a segment of the organisation

315

Question 20

Audit Type - Compliance Audit

Determines the level and degree of compliance to law, regulation, standard, internal control, or legal contract.
Particular law or standard requirements require approved and licenced external auditors

315

Question 21

Audit Type - Forensic Audit

Performed by a forensic specialist to support anticipated or active legal proceeding, or security incident investigation.
Strict procedures must be followed to preserve evidence and avoid evidence being inadmissible due to tampering

315

Question 22

Audit Type - Service Provider Audit

Third party service organisations undergo external audits to increase customer confidence in the integrity and security of their services

316

Question 23

Audit Type - Pre-Audit

An examination of business processes in anticipation of an upcoming audit from which the results can be used to implement improvements prior to the audit.

316

Question 24

Audit Methodology

An audit metholodolgy is the set of audit procedures used to accomplish a set of audit objectives
Typical audit methodology phases;

Audit Subject
Determine which process, info system, domain being audited
Audit Objective
Identify purpose of audit
Type of Audit
Determine the type of audit i.e. operational, financial, integrated etc…
Audit Scope
Identify the business process, department, or application that is subject to the audit
Pre-Audit Planning
Auditor needs certain information from the audit so will plan how this is obtained, techniques, physical locations to visit etc..

316

Question 25

# Audit - Observing Personnel **Insufficient** for auditor to just obtain and **understand process documentation**. **Auditor must collect evidence** through **observation** and assess consistency and application of processes Observing personnel will include; **Real Tasks** Auditor sees actual tasks being carried out **Skills and Experience** Interview individuals about background to determine experience and maturity level **Security Awareness** Observe personnel to determine if security policies and procedures are followed **Segregation of Duties** Observe processes and functions to determine if adeuate segregation of duties in place ## Footnote 319

Question 26

# Audit - Sampling **Sampling** techniques are used when it is **not feasible** to test an entire population of transactions Method examples include; **Statistical Sampling** random selection to statistically reflect entire population **Judgemental Sampling** Auditor judgementally and subjectively selects samples **Attribute Sampling** Used to study characteristics of a given population. i.e. Selection of disabled AD accounts, review how many were disabled within 24 hours **Variable Sampling** Determine the characterstic of a population based on a selected sample used to determine the total value in the entire population **Stop-or-go Sapling** Permit sampling to stop at the earliest possible time **Discovery Sampling** Auditor tries to identify exceptions in the population which if discovered, may include a more intenseive investigation to determine if other exceptions exist based on the sample discovered **Stratified Sampling** Population divided into classes and samples selected from each class to determine any statistical difference in the results ## Footnote 320

Question 27

# Audit Report and results An **audit report** describes the **entire project**, including objectives, scope, controls evaluated, opinions on effectiveness and integrity, and recommendations ## Footnote 320

Answer 27

* Cover letter * Introduction * Summary * Description of the audit * Listing of systems and processes examined * Listing of interviewees * Listing of evidence obtained * Explanation of sampling techniques * Description of findings and recommendations

Question 28

# Audit Report and results It is **not the auditors role** to determine how audit findings should be **remeidated** **Remediation** method **responsibilities** is the role of the **auditee management** ## Footnote 321

Question 29

# Evaluating Control Effectiveness **Auditor** should **communicate effectivenss** of **controls** to auditee Often, findings can be **scored** based on **criticality**, or in a matrix **Criticality** scoring helps auditor **illustrate findings** and allow auditee to **focus** remediation activities if accepted ## Footnote 321

Question 30

# Internal Audits **Internal Audits** focus on organisations **controls, processes, or systems**. **Carried out** by **personnel** who are part fo the **organisation** ## Footnote 322

Question 31

# External Audits Performed by auditors **not employees of the organisation** **3 principle reasons** for organisation to undergo external audit 1. Legal or regulatory requirement 2. Lack of internal resources 3. Objectivity ## Footnote 323

Question 32

# External Audits Personnel working with external auditors need to be coached to... 1. Answer only questions that auditors ask 2. Not express their opinions about a subject matter 3. Not volunteer additional information ## Footnote 325

Question 33

# Control Self Assessment (CSA) **Control Self Assessment** is a methodology used by an organisation to **review** key business **objectives**, **risks** related to **achieving** those **objectives**, and key **controls** designed to **manage the risks** ## Footnote 325

Question 34

# Control Self Assessment (CSA) Advantages of CSA; 1. Risk detected earlier 2. Internal controls can be improved in timely manner 3. Greater ownership of controls 4. Improved emplouyee awareness of controls 5. Improved relationships between departments and auditors ## Footnote 326

Answer 34

Disadvantages of CSA: 1. Mistaken by employees or management as a substitute for internal audit 2. Be seen as extra work and dismissed as unneccessary 3. Employees attempt to cover up poor work 4. CSA seen as an attempt for auditors to shake off their own responsibilities 5. Lack of employee involvement would mean no process improvement opportunities

Question 35

# Control Self Assessment Life Cycle The phases in a Control Self Assessment Life Cycle; 1. Identify and assess risks 2. Identify and assess controls 3. Develop questionnaire or conduct workshops 4. ANalyse completed questionnairs or assess workshops 5. Control remediation 6. Awareness training ## Footnote [CSA LIfe Cycle](https://drive.google.com/file/d/17420sMF5DorHW-tywSfkmUfiZSMRbV0x/view?usp=drive_link) 326

Question 36

# Control Self Assessment - Self Assessment Objectives **Control owners** should play a more active role in the **audit of their controls**. A key **objective** is the long-term **reduction** in **exceptions** **Security Manager and Internal Auditor** should ensure CSA process is not hijacked by efficiency corner cutting opportunitists who do not understand their purpose or significance ## Footnote 327