IT Audit Process


1. WOI YI WAN CIA160190

2. Muhammad Fariez Adha Bin Roslan CEA150198

3. Visurrthi Sanmughanathan CEA150155

4. 4. Follow-up

4.1. Review corrective action plans & results

4.2. Interview IS operations personnel

4.2.1. Are procedures documented in accordance with management's intent and authorizations?

4.3. Review new process & documentation

4.3.1. Adequacy

4.3.2. Accuracy & completeness

4.3.3. Are problems identified and recorded for verification and resolution?

4.4. Re-audit

5. 1. Planning

5.1. 1.1 Determine audit subject

5.1.1. Identify the area to be audited

5.1.2. e.g. a business function, system, or physical location

5.2. 1.2 Define audit objective

5.2.1. Identify the purpose of audit

5.2.2. e.g. determine whether the objectives ensure a controlled environment

5.3. 1.3 Set audit scope

5.3.1. Identify and review the specific system, function or unit of organization

5.3.2. Very important step

5.3.3. Understand the IT environment and its components

5.3.4. Identify the resources that would be required

5.3.5. Define a set of testing points

5.3.6. Use them to evaluate the different technologies and their components

5.4. 1.4 Perform preaudit planning

5.4.1. Conduct a risk assessment

5.4.2. Interview the auditee to inquire about activities of concern

5.4.3. Identify regulatory compliance requirements

5.4.4. Identify the resources that will be needed

5.5. 1.5 Determine procedures

5.5.1. Identify and select the audit approach

5.5.2. Start developing the audit program

5.6. 1.6 Develop Business Case

5.7. 1.7 Project Initiation Stage Assessment

6. 2.0 Fieldwork & Documentation Phase

6.1. 2.1 Acquire Data

6.1.1. 2.1.1 Conducting Interviews

6.1.1.1. With internal parties: programme staff, department- and division-level management, other departments

6.1.1.2. With external parties: customers, suppliers, governments, etc.

6.1.2. 2.1.2 Observations

6.1.3. Audit items of interest, such as:

6.1.3.1. fair use policies

6.1.3.2. contingency and disaster recovery plans

6.1.3.3. dumpster diving

6.1.3.4. examining system logs

6.1.3.5. scrutinizing user privilege and levels of access rights

6.2. 2.2 Test Controls

6.2.1. 2.2.1 Physical Control

6.2.1.1. Preventive Control

6.2.1.2. Reactive Control / Corrective Control

6.2.1.3. Detective Control

6.2.2. 2.2.2 For each type of control, there are three kinds of implementation

6.2.2.1. Administrative such as

6.2.2.1.1. Policies

6.2.2.1.2. Processes

6.2.2.2. Technical such as

6.2.2.2.1. Tools

6.2.2.2.2. Software

6.2.2.3. Physical such as

6.2.2.3.1. Security Personnel

6.2.2.3.2. Locked Doors

6.3. 2.3 Issue Discovery and Validation

6.3.1. Report risks and vulnerabilities in three categories

6.3.1.1. Urgent

6.3.1.1.1. The risk item should be taken care of as soon as possible

6.3.1.2. Moderate

6.3.1.2.1. Attend to these risk items when time and resources allow

6.3.1.3. Those can wait

6.3.1.3.1. On the back burner for now, but should still be looked at

6.4. 2.4 Document Results

6.4.1. Document all findings and evidence

6.4.2. Prepare report and proceed to the next phase

7. 3. Reporting

7.1. Gather report requirements

7.1.1. Regulatory compliance requirements, policies, standards, guidelines

7.2. Communicate audit results

7.2.1. Draft report

7.2.2. Obtain corrective action plans

7.3. Issue final report to relevant users

8. Entrance Meeting

8.1. 1. Discuss planned audit

8.2. 2. Solicit input

8.3. 3. Explain timing and resources

9. Exit Meeting

9.1. Discuss audit results

9.2. Resolve questions and concerns

9.3. Discuss corrective action plan