
COBIT 5, Creating an Audit Program and Enabling Compliance


Last year I wrote an article that discussed using COBIT 5 to audit cyber controls, in that case the Australian Signals Directorate (ASD) Top 4. At the time of writing that article I had the privilege of being an expert reviewer on a draft ISACA white paper on creating an audit program. That white paper has now been released.

In the Australian government, as in governments around the world, compliance with legislative and regulatory requirements is an important concern for the government entities that deliver its functions. As a result, the internal audit programs of these entities generally have a strong focus on compliance. Within the Australian government, entities are required to comply with a myriad of legislation, regulations and rules, including (but not limited to):

  • The Protective Security Policy Framework
  • The Information Security Manual
  • The Public Governance Performance and Accountability Act (and associated legislation)
  • The Commonwealth Procurement Rules
  • The Commonwealth Risk Management Policy
  • Whole-of-government ICT Policy
  • The Commonwealth Fraud Control Policy

Each government entity is also required to comply with its own enabling legislation and regulations, as well as the laws and regulations that any business or organization must comply with. In recent times, the following have been a focus of internal audit programs:

  • Workplace health and safety requirements
  • The Privacy Act

As discussed in my article about the ASD Top 4, internal audit has traditionally taken a yes/no approach to auditing compliance in government. For instance, if an audit on procurement was scheduled on the audit program, an auditor would take a sample of recent procurements, assess them against the regulatory requirements and internal policy and procedures, and produce a report that outlined instances of noncompliance.

In my opinion, this approach is useless. It does not help management understand why there was noncompliance or how they can prevent it. The white paper goes through a 5-step process to develop an audit plan:

  1. Develop an audit plan.
  2. Define audit objective.
  3. Set audit scope.
  4. Perform audit planning.
  5. Determine steps for data gathering.

These five steps detail how to put together an effective audit plan that genuinely helps management. The paper very deliberately guides you on what to consider and prepare during planning so you are better prepared to undertake the audit. This helps ensure that when undertaking an audit of legislative compliance in government, you move away from the traditional yes/no approach and consider the factors or, to use a COBIT 5 term, the enablers that actually help management achieve compliance.

David Berkelmans, CISA, Executive Director IT Audit, Synergy Group

[ISACA Now Blog]
