General discussion

IT & IS Audit

By golteanu ·
What's the best way to organize the IT & IS Audit department in a bank? What are the objectives, work areas, and responsibilities of the department?

IT & IS Audit

by erikdr In reply to IT & IS Audit

Just like a normal Internal Audit Department. So a few briefs:
- Reporting to a level as high as possible in the organisation.
- Not having rights to decide on security, but to write audits (...) as advice to the owners of the information systems. It's up to those owners to make the cost/benefit tradeoff; but of course very "--" ratings threatening to give the whole company a "-" rating are usually serious enough for this owner to invest in improvements.
- Make the distinction between the things the IT Operational department is responsible for and the things the business owner is (together with development).
- Maybe also having functional segregation between IT Audit and the department which makes the corporate security standards. This way, Audit doesn't get tempted to modify the standards a bit to reflect reality.

At your service,

<Erik> - The Netherlands

IT & IS Audit

by ustutz In reply to IT & IS Audit

Agree with beginning of previous answer - just like any other audit department.

Pick experienced and competent (technically and managerially) personnel to staff the department. Technical skills should be geared to the IT systems in use in your company.
Auditors need to have copies of / be proficient in all external regulatory documentation, as well as internal (company) policies and procedures.

Auditors need to know that they are the CEO's tool rather than an end in themselves or makers of policy. The audit answers "Do we follow procedure?" and "Does procedure work?", not "Do I agree with procedure?"

Team size and composition is a function of the size and composition of the IT/IS department(s). You should have a subject matter expert (SME) for each major auditable function and technology (not necessarily separate SMEs, but designated responsibilities).

Sample responsibilities / work areas:

Security, Asset Accountability, Business/Customer Support, Consulting/Outsourcing Accountability, Project Management.

This question was auto-closed due to inactivity.
