el reporte de auditoria “it audit report”
DESCRIPTION
El Reporte de Auditoria “IT Audit Report”. Making Reports Reader Friendly. En general…. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/1.jpg)
El Reporte de Auditoria
“IT Audit Report”Making Reports Reader Friendly
![Page 2: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/2.jpg)
El informe general debe contener el objetivo de la auditoria, los responsables encargados, lo que se evaluó (referencia a la norma si es muy grande el control o activo de información evaluado), el hallazgo encontrado y la evidencia sustantiva que sustente lo que se encontró de prefería anexando la evidencia física (documento, video u otro).
En general…
![Page 3: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/3.jpg)
1. Go over IIA and GAS standards on written communications
2. Explain how audit reports typically need to be converted from an auditor’s draft to a reader friendly version
3. Identify the three stages of report writing4. Perform exercises to reinforce lecture
points
Learning Objectives
![Page 4: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/4.jpg)
Accurate Objective Clear Concise
Constructive Complete Timely
IIA Standard 2420
![Page 5: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/5.jpg)
Accurate Objective Clear Concise as the
subject permits
Convincing Complete Timely
Government Auditing Standards 8.38
![Page 6: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/6.jpg)
1. Plan the report2. Draft the report3. Revise the draft
Report Writing Stages
![Page 7: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/7.jpg)
AUDITOR I want to show you
lots of data! Accuracy Linear explanations
(Inductive reasoning)
READER Just enough, and
try to make it interesting
Accurate, but brief and clear
Bottom line first, then supporting details (Deductive reasoning)
Auditor/Writer vs. Reader Mindset
![Page 8: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/8.jpg)
1. Who will be the most important readers of the report?
2. How much do they know about the subject?
3. How do they plan on using the report?4. How interested are they in the report?5. What’s their reaction going to be to the
report’s message?
Analyzing the Audience
![Page 9: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/9.jpg)
Engagement communications should include: Objectives Scope Conclusions Recommendations Action plans
IIA Standard 2410
![Page 10: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/10.jpg)
Objectives Scope Methodology Findings Conclusions Recommendations Compliance with GAS statement Views of responsible officials Privileged and confidential information
omitted
Government Auditing Standard 8.07
![Page 11: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/11.jpg)
1. Analyze your audience to decide on the best report format.
2. Develop a central message.3. “Top Down” method4. Elements of a finding5. “Bottom Up” yellow stickees
Planning Your Draft
![Page 12: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/12.jpg)
1. Think of the newspaper headline that would accurately summarize the report’s message.
2. Write a paragraph that summarizes the report’s key points.
3. Write paragraphs that explain and provide evidence for the statements made in the summary paragraph.
“Top Down” Method
![Page 13: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/13.jpg)
Writer’s block The importance of finding the drafting
method that suits you best Things you can do to make a report easier
to read (summary, headings, charge paragraphs, topic sentences in paragraphs)
Phase Two: Drafting the Report
![Page 14: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/14.jpg)
Unrealistic concept of the writing process Unreasonable goals such as immediately
producing the perfect draft Lack of preparation Frequent interruptions Missing information
Writer’s Block Factors
![Page 15: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/15.jpg)
Be REALISTIC about the writing process. Separate the creative process of writing
from the critical perspective you adopt during the editing process.
Break the writing process into manageable chunks via use of outlines.
Dealing With Writer’s Block
![Page 16: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/16.jpg)
Schedule time for writing and let others know about your schedule and request their cooperation to minimize interruptions.
Make notes of missing information, but move ahead using available information.
Dealing With Writer’s Block
![Page 17: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/17.jpg)
Summaries Headings Topic sentences Graphics Repetition of key phrases, terms
Devices for Easier Reading
![Page 18: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/18.jpg)
Benefits of having others review the draft Levels of draft reviews Tips on what to look for at each level of
review
Phase Three: Revising the Draft
![Page 19: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/19.jpg)
1. Report2. Paragraph3. Sentence
Three Levels of Review
![Page 20: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/20.jpg)
Is the report’s central message clear? Is it the appropriate length (i.e., too short or
too long)? Does it have a summary of the report
message up front? Does it have sufficient, clear headings? Does it have suitable graphics (e.g.,
pictures, tables, graphs)?
Report Level
![Page 21: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/21.jpg)
Does the paragraph contain a topic sentence that accurately conveys the paragraph’s central idea?
Does the paragraph contain enough information to support the idea expressed in the topic sentence?
Does the paragraph contain too much information so that it will overwhelm the reader?
Do the ideas presented in the sentences following the topic sentence flow logically (i.e., are they in the correct order)?
Paragraph Level
![Page 22: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/22.jpg)
“Never use a long word where a short one will do.”
“If it possible to cut a word out, always cut it out.”
“Never use the passive when you can use the active.”
George Orwell: “Politics and the English Language”
![Page 23: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/23.jpg)
Are all the words in my sentences necessary?
Are my sentences easy to understand? Do the sentences contain action verbs and
actors (active vs. passive construction)?
Sentence Level Basic Questions
![Page 24: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/24.jpg)
Avoid biased language! IIA Practice Advisory 2420-1 states,
“Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.”
Tone
![Page 25: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/25.jpg)
Be conscious about whether you want to take a positive or negative tone.
For example, “Proper control can not be achieved unless reconciliations are performed.”
Versus “If reconciliations are performed, proper control can be achieved.”
Tone
![Page 26: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/26.jpg)
Technical terms within a specific field or overly complex terms used to describe something simple.
Avoid jargon unless a) you know the reader will understand it, or B) there are no simpler terms to describe something.
You can deal with jargon by either A) substituting simpler terms, or B) defining it first.
Jargon
![Page 27: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/27.jpg)
Las Regulaciones tocan a Todos
Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security.
![Page 28: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/28.jpg)
Las Regulaciones le dan dientes a Auditoría
Auditor
IT Regulaciones
![Page 29: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/29.jpg)
Requerimiento de Colección de Bitácoras, en distintas regulaciones.
[PCI] Track and monitor all access to network resources and cardholder data
[SOX/COBIT] The problem management system provides for adequate audit trail facilities, which allow tracing from incident to communication underlying cause.
[NIST Assessment] Audit Trails: Is activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated?
[BS7799] Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future
investigations and access control monitoring.
[HIPAA] … record and examine activity in information systems that contain or use electronic protected health information… regularly review records of information system
[GLBA/FFIEC] Identify the system components that warrant logging… Determine the level of data logged for each component… establish policies for securely handling and analyzing log files
activity such as audit logs, access reports, and security incident tracking… monitoring log-in attempts and reporting discrepancies
![Page 30: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/30.jpg)
Payment Card Industry (PCI) Data Security Standard
Build and Maintain a Secure Network◦ Install and maintain a Firewall configuration to protect data◦ Do not use vendor supplied defaults for system passwords and other security parameters
Protect Cardholder data◦ Protect Stored Data◦ Encrypt transmission of cardholder data & sensitive information across public networks
Maintain a Vulnerability Management Program◦ Use and regularly update anti-virus software◦ Develop and maintain secure systems and applications
Implement strong access control measures◦ Restrict access to data by business need-to-know ◦ Assign a unique ID to each person with computer access◦ Restrict physical access to cardholder data
Regularly Monitor and Test Networks◦ Track and monitor all access to Network resources & cardholder data◦ Regularly test security systems and processes
Maintain an Information Security Policy◦ Maintain a policy that addresses information security
![Page 31: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/31.jpg)
ISO 17799 – Secciones de Requerimientos de Auditoría
ISO Section
Title Audit Info
9.7 Monitoring system access and use
Objective: To detect unauthorized activities.
Systems should be monitored to detect deviation from access control policy and record monitorable events to provide evidence in case of security incidents.
System monitoring allows the effectiveness of controls adopted to be checked and conformity to an access policy model (see 9.1) to be verified.
9.7.1 Event logging Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Certain audit logs may be required to be archived as part of the record retention policy or because of requirements to collect evidence (see also clause 12).
9.7.2 Monitoring system use
Procedures for monitoring use of information processing facilities should be established. Such procedures are necessary to ensure that users are only performing activities that have been explicitly authorized. The level of monitoring required for individual facilities should be determined by a risk assessment.
9.7.2.3 Logging and reviewing events
A log review involves understanding the threats faced by the system and the manner in which these may arise. System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log, and/or the use of suitable system utilities or audit tools to perform file interrogation should be considered.
![Page 32: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/32.jpg)
ISO 17799 – Secciones de Requerimientos de Auditoría (cont):
ISO Section
Title Audit Info
8.1.2 Operational change control
When programs are changed, an audit log containing all relevant information should be retained . . . Consider identification and recording of significant changes
8.4.3 Fault logging Review of fault logs to ensure that faults have been satisfactorily resolved
12.1.3 Safeguarding of organizational records
Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods . . .
12.1.5 Prevention of misuse of info processing facilities
Any use of these facilities for non-business or unauthorized purposes, without management approval, should be regarded as improper use of the facilities. If such activity is identified by monitoring or other means, it should be brought to the attention of the individual manager concerned for appropriate disciplinary action
12.3 System Audit considerations
Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process. There should be controls to safeguard operational systems and audit tools during system audits. Protection is also required to safeguard the integrity and prevent misuse of audit tools.
12.3.2 Protection of system audit tools
Access to system audit tools, i.e. software or data files, should be protected to prevent any possible misuse or compromise.
![Page 33: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/33.jpg)
Conclusión ¿Se requiere por ley una herramienta de
auditoría de seguridad y cumplimiento? : Requerimientos Mínimos:
◦ Colección de Bitácoras◦ Almacenamiento (Archive) de Bitácoras◦ Proveer Reportes◦ Monitoreo
Preguntas pendientes:
¿Como puedo cumplir con el requerimiento sin inhibir el negocio?
¿Como puedo cumplir con el requerimiento sin inhibir el negocio?
¿Es lo único relevante para cumplimiento?¿Es lo único relevante para cumplimiento?
![Page 34: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/34.jpg)
Ejemplos de Estructuras del
Reporte de Auditoria
![Page 35: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/35.jpg)
Executive Summary Introduction
◦ Background◦ Objectives and Scope◦ Audit Criteria◦ Approach and Methodology◦ Results from Phase 1◦ Purpose
Overview of ACI-EDI Reporting for Air Audit Findings
◦ Technical Solution Development◦ Business Transformation◦ Authority, Responsibility and Accountability◦ Project Management Framework◦ Project Risk Management◦ Security Assessment
Appendix A - Audit Criteria Appendix B - List of Acronyms
Ejemplo
![Page 36: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/36.jpg)
Audit Objectives:To assess [Name of Company] compliance with the [Name of Standard] Standard
Overall conclusion:Based on our observation we noted that the degree of compliance with [Name of Standard]. With the exception of business continuity planning, [Name of Company] is compliant with [Name of Standard].
Summary of Findings:The audit team noted a number of strengths with respect to compliance with [Name of Standard]. For example, [Name of Company] has specified the roles and responsibilities for managing IT security. It has also issued a comprehensive set of policies, procedures and standards for managing this function and instituted a security-awareness program for its employees. [Name of Company] screens staff to determine who will have access to which sensitive information, and has employed security zones.
Detailed Findings and Remediation:Recommendation:To institute better monitoring and oversight of IT security, [Name of Company]'s senior management should designate an IT Security Coordinator for [Name of Company] who has responsibility and authority for IT security throughout the organization.
Management Response:Agreed; an IT Security Coordinator for [Name of Company] with organization-wide responsibility and authority for IT security will be appointed following consultation with the Senior Executive Committee (SEC). However, such a role will need to be supported by a strong IM/IT governance structure in general and a robust information security governance framework in particular.
Timelines and Deliverables:
![Page 37: El Reporte de Auditoria “IT Audit Report”](https://reader034.vdocuments.net/reader034/viewer/2022051402/56815b28550346895dc8e913/html5/thumbnails/37.jpg)
Report Sample http://www.usda.gov/oig/webdocs/30099-1-SF-REDACTED.pdf
Internal Audit Report of IT Systems, Canada Border Services Agency. http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/ae-ve/2007/itaci-tiipec-eng.html#a01
Recursos