The audit program is a comprehensive, detailed document addressing the relevant audit areas, and in some cases, the methodology of the audit. It is an action-oriented document, with much more detail than the audit plan. An audit program has the following purposes:
- Provides detailed communications of the audit objectives to the intended recipients and audit team members
- Facilitates direction, scope, and control over the audit process; directs team members having specialized skills and knowledge to specific areas
- Delivers a record of the audit process
- Directs the collection of evidence in specific areas
- Suggests the sampling methodology to be used in specific audit areas
- Documents the professional due diligence of the audit process, including planning, fieldwork, and supervision
- Becomes included in the auditors' work papers and is thereby maintained for future review
- In some cases, documents specific audit assignments
Standard Audit Programs
There are several standard security assessment or audit programs. Using one of them offers auditors certain advantages:
- They usually have a history of successful engagements and results.
- They frequently have been adopted by industries as governing instruments.
- They may save a significant amount of auditor resources by suggesting the business operations to be tested.
One of the most comprehensive standard information technology audit programs is COBIT™, developed by the Information Systems Audit and Control Association (ISACA, www.isaca.org). It is a generally applicable and accepted standard for information and information technology control. COBIT is fully adaptable and applicable to the information technology areas of both enterprise-level and smaller organizations. It starts from a control framework, is management oriented, and is based on critical review of the tasks and activities that support business operations.
COBIT deals with three levels:
1. Domain. A natural grouping of processes, often matching an organizational domain of responsibility.
2. Processes. A series of joined activities with natural breaks.
3. Activities. Actions needed to achieve a measurable result. Activities have a life cycle in which the tasks are discrete.
The control objectives are divided into four domains:
1. Planning and organization
2. Acquisition and implementation
3. Delivery and support
4. Monitoring
One of the more popular security guidance standards is BS 7799, a British Standards Institution publication. It was submitted to the International Standards Organization, which published it as the Code of Practice for Information Security Management; ISO subsequently published it under the number 17799 in 2000. [2]
The stated purpose of 17799:2000 is to
give recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.
ISO 17799 is a general organizational management and best practices guide intended to deliver secure system operations. It is not applicable to all organizations and does not attempt to address all required internal controls. It generally covers the following areas:
- Policies
- Security architecture
- Information controls
- Human resources
- Physical security matters
- Access control
- Business continuity procedures
The United States government, through the National Institute of Standards and Technology (NIST, www.nist.gov), has several high-quality guidance publications relevant to security practices in information technology systems:
- Generally Accepted Principles and Practices for Securing Information Technology Systems
- Security Issues in the Database Language SQL
- Computer Security Guidelines for Automatic Data Processing Physical Security and Risk Management
- Guide for Developing Security Plans for Information Technology Systems
- Engineering Principles for Information Technology Security
These U.S. government documents are general and high-level documents adaptable to most organizational structures and functions. They can provide auditors with a variety of domains that should be considered when developing audit plans and programs.