The Auditors Are Coming. The Auditors Are Coming.

Audit policies and procedures are needed to ensure that employees are meeting management objectives, complying with legal and regulatory requirements, and addressing risks. Auditing is covered in the next post, so it is only lightly addressed here. Management audits assure that resources are being properly utilized and monitored:

- Develop and implement policies addressing human resources management, data, and facilities.

- Ensure that projects are completed on schedule and within budget.

- Ensure that projects have been completed utilizing quality models such as the SDLC.

- Develop and maintain business priorities and long-term strategies.

- Assure that controls are in place for risk detection, prevention, and correction.


Systems Development and Programming Policies
These audits are more technical than management audits and require more knowledge and detail. Frequently, organizations do not have policies governing operations, so employees are left to their own devices, making decisions they are not qualified to make. Systems development involves activities ranging from purchasing commercial off-the-shelf software systems, to developing in-house systems, to purchasing turnkey systems. All systems development must be considered in the light of confidentiality, integrity, and availability.

Organizations must have written policies and auditing programs for:

- Systems design and development through quality models

- Systems selection and procurement criteria

- Systems application development

- Program testing

- Systems implementation

- Systems monitoring

- Systems disposal

- Systems change controls

- Systems documentation

- Systems quality assurance


Data Controls
Data control policies have the objectives of addressing confidentiality, integrity, and availability of data. These features are audited in the following areas:

- Input controls to any operation must be addressed by policies and procedures. Because input varies considerably, so will policies.

- Output controls address electronic and printed media.

- Database management controls must be established by policies with compliance assured by audit activities.

- Database information backup and storage policies.


Disaster Recovery and Business Continuity
Disaster recovery audit policies also address business continuity. Audit policies must require that auditors obtain evidence that these are in place and are combined with regular unannounced testing. Audits of this nature address the existence of the following policies:

- Establishment of a Risk Management team

- Critical asset identification and prioritization

- Threat: impact analysis

- Existence of critical asset safeguards

- Disaster recovery plan

- Establishment of Disaster Recovery team

- Designated employees to address public and press inquiries

- Business continuity plan

- Plan testing


Workstation Audit Policies
These audits address the use of workstations and all company-owned equipment and facilities, including:

- Access restrictions to workstations

- Inventory of software and hardware reconciled with licensing and purchase documents

- Evidence of policy and individual compliance for the procurement and installation of software and hardware

- Evidence of individual compliance with policy regarding official use

- Evidence of individual compliance with policy regarding network and workstation security

- Policy and individual compliance with regular data backup

- Evidence of policy and individual compliance with workstation housekeeping
