IT Controls - What are you audited against?

  • I know it’s a fundamental point but I haven’t seen any clear guidance.
    For example, company A puts together a set of IT process documents based on ISO 17799. Company A makes judgements as to which elements of ISO 17799 they feel are most applicable and tailors their process documents accordingly.
    Controls are described within these documents in various places.
    What appears to have happened in the past is that external auditors have come in and based all of their audit on COBIT processes, using ALL of the illustrative controls straight out of the IT Control Objectives for Sarbanes-Oxley publication, pages 58 to 76.
    This leads to sheer confusion, as the process documents and controls used by company A don’t easily map to COBIT.
    So to put it simply: should the auditors audit the company’s adopted process, saying whether it is followed and also making comments as to how effective the overall process is?
    Or should they basically ignore what the company has adopted and base the audit on a standard of their own choosing (probably COBIT)?
    I’d really like feedback from others who have been through the process.

  • > So to put it simply: should the auditors audit the company’s adopted process, saying whether it is followed and also making comments as to how effective the overall process is?
    Generally yes. The auditor may use something like COBIT to ensure that you’ve covered every area that you should have, but unless your process is a poor one, they should be assessing your compliance with your process.

  • I think company A should stick with their approach of using ISO 17799, since that is what works for them. I wouldn’t change the world just for external auditors.
    However, I would suggest mapping ISO 17799 to COBIT for your external auditors. They obviously need a translation for it to make sense to them. I think this mapping may have already been done; I forget where I have seen info on the mapping. Perhaps you can do a search. You can list your controls in a spreadsheet along with the ISO 17799 reference. Then new columns can be added to insert the COBIT mapping.
    Good luck.

  • I prefer the method of:
    10 Document the company processes.
    20 Identify the key controls in their process that address SOX risks, i.e. integrity of financial statements.
    30 Get the process owners to agree that these are the key controls.
    40 Do a sanity check that all the potential SOX risks are covered by these processes and controls.
    50 Implement any missing controls.
    60 Test the controls.
    70 Go on holiday.
    Unfortunately this is not the approach that all the companies seem to take; this appears to be more common:
    10 Get a generic list of key controls from a Big 4 company.
    20 Look for these controls in the company.
    30 Discover that they don’t have all these key controls in place.
    40 Put them in place and change the process.
    50 Annoy staff by changing a working process.
    60 Test the control.
    70 Get external auditors to review the work.
    80 Externals review the work against their own list of generic key controls and find that key controls are missing.
    90 Goto 30

  • Probably it’s late for this reply; however, I hope it may be useful.
    There is a 17799 to COBIT map; of course it’s not ‘one size fits all’, but it may help you to reduce your job.
    Take care that 17799 will only cover the security part, while COBIT includes 4 processes. I had a client who worked with 17799 and ITIL, and besides that they were ISO 9000 certified, so there was much information we could adopt to make the job easier. The message is: do not throw it all away and start from scratch…

  • Ideally, auditors are supposed to AUDIT your work and your documentation. They may recommend adoption of GUIDELINES such as COBIT or COSO. At the end of the day, it is what you have done and how you have documented it that needs to be audited.
    COBIT is an excellent guide for IT controls. If your documentation sufficiently covers all major IT control areas, there shouldn’t be any problem.
    Hope this helps.

  • In an ideal world, yes, that should be enough.
    However, the auditors will come with a set of controls they expect to see within your company. If you’re missing any of those, they’ll give you a serious fight.
    After arguing with them for 6 months, you just give up and adopt the controls the auditors claim you’re lacking.
