//
you're reading...
Information Security, IT & TECHNOLOGY

Audit: A Key Success Factor


ISACA-Logo

Why is it that some companies succeed and others fail? There is a general consensus certain things are common among successful companies. We call these things key success factors. Key success factors are essential attributes that are critical to an organization reaching its business goals.

There is no agreed-upon list of success factors because they vary depending on the nature of the business, among other things. Some business experts would say good, productive employees are a key success factor. Others believe keeping loyal customers is a critical factor. Still others would submit that having clear policies and procedures is how organizations succeed.

I would not disagree with any of these. However, as a Certified Information Systems Auditor (CISA)and a former IT auditor and manager, I would suggest that having an effective audit function is critical to the success of a business. The purpose of an audit is to evaluate an entity, such as a policy, process or account, to ascertain if it meets a predetermined standard or criteria.

Cybersecurity Ripe for Audits
A successful audit should identify areas of the organization needing improvement, including those that are likely to be high risk. In today’s digital environment, cybersecurity is typically top of mind for company leaders. They often know enough to be concerned, but not enough to actually address those concerns. In other words, there is no question that cybersecurity is an area of high risk for most organizations, but how they should respond to this risk is unclear.

It is the job of the IT audit function to determine how the organization should respond to risks that are specific to their operation and then evaluate whether the response is appropriate based on auditing standards and best practices. One common response to mitigate risk is to implement countermeasures, also known as controls. In those situations it is the responsibility of the auditor to evaluate the effectiveness of the controls to determine if they will indeed work.

For example, business leaders often believe that a firewall is a sufficient response to cybersecurity concerns. Some questions IT auditors will ask these situations include, What type of firewall is it? How has it been configured? How often are the rules updated? The IT auditor will also inform senior management that a firewall is only one of many controls that should be considered when responding to the threat of a cyberattack.

While the audit team should be actively involved in the tactical procedures of auditing the company, a skilled audit team that partners with the board of directors and senior management will not only identify aspects of the company that need attention, but also develop an audit plan that supports the organization’s overall strategy and act as consultants to help move the company closer to its vision. Over time, with the ongoing involvement of the audit team on the tactical and strategic levels, the organization can certainly count audit as one of its key success factors.

Note: For more on auditing cybersecurity, view this article in @ISACA.com.

Paul Phillips, Technical Research Manager, ISACA

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 119,380 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,247 other followers

Twitter Updates

Archives

August 2016
M T W T F S S
« Jul   Sep »
1234567
891011121314
15161718192021
22232425262728
293031  
%d bloggers like this: