
The Audit Report (“IT Audit Report”)


Presentation Transcript


  1. The Audit Report (“IT Audit Report”): Making Reports Reader Friendly

  2. In general… • The overall report should contain the objective of the audit, the responsible parties, what was evaluated (with a reference to the standard if the control or information asset evaluated is very large), the finding, and the substantive evidence that supports what was found, preferably attaching the physical evidence (document, video or other).

  3. Learning Objectives • Go over IIA and GAS standards on written communications • Explain how audit reports typically need to be converted from an auditor’s draft to a reader friendly version • Identify the three stages of report writing • Perform exercises to reinforce lecture points

  4. IIA Standard 2420 • Constructive • Complete • Timely • Accurate • Objective • Clear • Concise

  5. Government Auditing Standards 8.38 • Convincing • Complete • Timely • Accurate • Objective • Clear • Concise as the subject permits

  6. Report Writing Stages • Plan the report • Draft the report • Revise the draft

  7. Auditor/Writer vs. Reader Mindset
  READER • Just enough, and try to make it interesting • Accurate, but brief and clear • Bottom line first, then supporting details (Deductive reasoning)
  AUDITOR • I want to show you lots of data! • Accuracy • Linear explanations (Inductive reasoning)

  8. Analyzing the Audience 1. Who will be the most important readers of the report? 2. How much do they know about the subject? 3. How do they plan on using the report? 4. How interested are they in the report? 5. What’s their reaction going to be to the report’s message?

  9. IIA Standard 2410 Engagement communications should include: • Objectives • Scope • Conclusions • Recommendations • Action plans

  10. Government Auditing Standard 8.07 • Objectives • Scope • Methodology • Findings • Conclusions • Recommendations • Compliance with GAS statement • Views of responsible officials • Privileged and confidential information omitted

  11. Planning Your Draft • Analyze your audience to decide on the best report format. • Develop a central message. • “Top Down” method • Elements of a finding • “Bottom Up” yellow stickees

  12. “Top Down” Method • Think of the newspaper headline that would accurately summarize the report’s message. • Write a paragraph that summarizes the report’s key points. • Write paragraphs that explain and provide evidence for the statements made in the summary paragraph.

  13. Phase Two: Drafting the Report • Writer’s block • The importance of finding the drafting method that suits you best • Things you can do to make a report easier to read (summary, headings, charge paragraphs, topic sentences in paragraphs)

  14. Writer’s Block Factors • Unrealistic concept of the writing process • Unreasonable goals such as immediately producing the perfect draft • Lack of preparation • Frequent interruptions • Missing information

  15. Dealing With Writer’s Block • Be REALISTIC about the writing process. • Separate the creative process of writing from the critical perspective you adopt during the editing process. • Break the writing process into manageable chunks via use of outlines.

  16. Dealing With Writer’s Block • Schedule time for writing and let others know about your schedule and request their cooperation to minimize interruptions. • Make notes of missing information, but move ahead using available information.

  17. Devices for Easier Reading • Summaries • Headings • Topic sentences • Graphics • Repetition of key phrases, terms

  18. Phase Three: Revising the Draft • Benefits of having others review the draft • Levels of draft reviews • Tips on what to look for at each level of review

  19. Three Levels of Review • Report • Paragraph • Sentence

  20. Report Level • Is the report’s central message clear? • Is it the appropriate length (i.e., too short or too long)? • Does it have a summary of the report message up front? • Does it have sufficient, clear headings? • Does it have suitable graphics (e.g., pictures, tables, graphs)?

  21. Paragraph Level • Does the paragraph contain a topic sentence that accurately conveys the paragraph’s central idea? • Does the paragraph contain enough information to support the idea expressed in the topic sentence? • Does the paragraph contain too much information so that it will overwhelm the reader? • Do the ideas presented in the sentences following the topic sentence flow logically (i.e., are they in the correct order)?

  22. George Orwell: “Politics and the English Language” • “Never use a long word where a short one will do.” • “If it is possible to cut a word out, always cut it out.” • “Never use the passive when you can use the active.”

  23. Sentence Level Basic Questions • Are all the words in my sentences necessary? • Are my sentences easy to understand? • Do the sentences contain action verbs and actors (active vs. passive construction)?

  24. Tone • Avoid biased language! • IIA Practice Advisory 2420-1 states, “Objective communications are fair, impartial, and unbiased and are the result of a fair-minded and balanced assessment of all relevant facts and circumstances.”

  25. Tone • Be conscious about whether you want to take a positive or negative tone. • For example, “Proper control can not be achieved unless reconciliations are performed.” • Versus “If reconciliations are performed, proper control can be achieved.”

  26. Jargon • Technical terms within a specific field, or overly complex terms used to describe something simple. • Avoid jargon unless a) you know the reader will understand it, or b) there are no simpler terms to describe something. • You can deal with jargon by either a) substituting simpler terms, or b) defining it first.

  27. Regulations Affect Everyone. Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security.

  28. Regulations and the IT Auditor: Regulations give Auditing teeth.

  29. Log collection requirements in various regulations.
  [SOX/COBIT] The problem management system provides for adequate audit trail facilities, which allow tracing from incident to communication underlying cause.
  [PCI] Track and monitor all access to network resources and cardholder data.
  [NIST Assessment] Audit Trails: Is activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated?
  [BS7799] Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
  [HIPAA] … record and examine activity in information systems that contain or use electronic protected health information… regularly review records of information system activity such as audit logs, access reports, and security incident tracking… monitoring log-in attempts and reporting discrepancies.
  [GLBA/FFIEC] Identify the system components that warrant logging… Determine the level of data logged for each component… establish policies for securely handling and analyzing log files.

  30. Payment Card Industry (PCI) Data Security Standard
  Build and Maintain a Secure Network • Install and maintain a firewall configuration to protect data • Do not use vendor-supplied defaults for system passwords and other security parameters
  Protect Cardholder Data • Protect stored data • Encrypt transmission of cardholder data and sensitive information across public networks
  Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Develop and maintain secure systems and applications
  Implement Strong Access Control Measures • Restrict access to data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data
  Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes
  Maintain an Information Security Policy • Maintain a policy that addresses information security

  31. ISO 17799 – Audit Requirement Sections

  32. ISO 17799 – Audit Requirement Sections (cont.):

  33. Conclusion • Is a security and compliance auditing tool required by law? • Minimum requirements: • Log collection • Log archiving • Reporting • Monitoring • Open questions: How can I meet the requirement without inhibiting the business? Is this the only thing that matters for compliance?
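To make the four minimum requirements of the conclusion slide, and the "monitoring log-in attempts and reporting discrepancies" and "securely handling and analyzing log files" clauses quoted on the regulations slide, concrete, here is a small Python example of an audit-trail pipeline. It is an added illustration, not code from the presentation or from any of the cited standards. The syslog-style lines, host names, user names, addresses and the /data/cardholder/ path are all constructed sample data; the failed-login threshold and the hash-chained archive format are design choices of this example, not something any regulation prescribes.

```python
"""Minimal audit-trail pipeline: collect, archive (tamper-evident), report, monitor.

Example code added for illustration; the log lines below are constructed, not real.
"""
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2024-01-15T08:01:02Z authsrv sshd: Failed password for alice from 10.0.0.5
2024-01-15T08:01:05Z authsrv sshd: Failed password for alice from 10.0.0.5
2024-01-15T08:01:09Z authsrv sshd: Failed password for alice from 10.0.0.5
2024-01-15T08:01:12Z authsrv sshd: Accepted password for alice from 10.0.0.5
2024-01-15T08:02:40Z authsrv sshd: Accepted publickey for bob from 10.0.0.7
2024-01-15T08:03:15Z fileserv app: Modified /data/cardholder/batch01.csv by bob
2024-01-15T08:05:00Z authsrv sshd: Failed password for root from 198.51.100.9
2024-01-15T08:05:01Z authsrv sshd: Failed password for root from 198.51.100.9
2024-01-15T08:05:02Z authsrv sshd: Failed password for root from 198.51.100.9
2024-01-15T08:05:03Z authsrv sshd: Failed password for root from 198.51.100.9
"""

# Assumed line layout: "<timestamp> <host> <process>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$")
FILE_RE = re.compile(r"^Modified (?P<path>\S+) by (?P<user>\S+)$")


@dataclass
class Event:
    ts: str
    host: str
    kind: str                       # "auth", "file" or "other"
    fields: dict = field(default_factory=dict)


def collect(raw: str) -> list[Event]:
    """Log collection: turn raw lines into structured events; unparsed messages are kept as 'other'."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # malformed line: skipped, in a real tool it would be counted
        msg = m["msg"]
        if a := AUTH_RE.match(msg):
            events.append(Event(m["ts"], m["host"], "auth", a.groupdict()))
        elif f := FILE_RE.match(msg):
            events.append(Event(m["ts"], m["host"], "file", f.groupdict()))
        else:
            events.append(Event(m["ts"], m["host"], "other", {"msg": msg}))
    return events


def archive(events: list[Event]) -> list[dict]:
    """Log archiving: each record's digest covers the previous digest, so edits or
    deletions inside the stored chain are detectable by verify_archive()."""
    prev = "0" * 64
    records = []
    for e in events:
        body = json.dumps({"ts": e.ts, "host": e.host, "kind": e.kind, "fields": e.fields},
                          sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        records.append({"body": body, "prev": prev, "digest": digest})
        prev = digest
    return records


def verify_archive(records: list[dict]) -> bool:
    """Recompute the chain; any altered body, reordered or missing record breaks it."""
    prev = "0" * 64
    for r in records:
        if r["prev"] != prev:
            return False
        if hashlib.sha256((prev + r["body"]).encode()).hexdigest() != r["digest"]:
            return False
        prev = r["digest"]
    return True


def report(events: list[Event], sensitive_prefix: str = "/data/cardholder/") -> dict:
    """Reporting: per-user login outcomes and every modification under the sensitive path."""
    failed, accepted = Counter(), Counter()
    sensitive = []
    for e in events:
        if e.kind == "auth":
            target = accepted if e.fields["result"] == "Accepted" else failed
            target[e.fields["user"]] += 1
        elif e.kind == "file" and e.fields["path"].startswith(sensitive_prefix):
            sensitive.append((e.ts, e.fields["user"], e.fields["path"]))
    return {"failed": dict(failed), "accepted": dict(accepted), "sensitive_access": sensitive}


def monitor(events: list[Event], threshold: int = 3) -> list[dict]:
    """Monitoring: flag (user, source) pairs whose failed logins reach the threshold."""
    per_pair = Counter()
    for e in events:
        if e.kind == "auth" and e.fields["result"] == "Failed":
            per_pair[(e.fields["user"], e.fields["src"])] += 1
    alerts = [{"user": u, "src": s, "failed": n} for (u, s), n in per_pair.items() if n >= threshold]
    return sorted(alerts, key=lambda a: -a["failed"])


if __name__ == "__main__":
    evs = collect(SAMPLE_LOG)
    recs = archive(evs)
    print("archive intact:", verify_archive(recs))
    print(json.dumps(report(evs), indent=2))
    for alert in monitor(evs):
        print("ALERT", alert)
```

The hash chain only makes tampering with the stored copy detectable; it does not stop someone with write access to the archive from rewriting the whole chain, which is why the slide's "securely handling" clause also implies restricted write access and a separately held copy of the latest digest. The threshold of three consecutive failures is a constructed value; alice's three failures followed by a success and root's four failures from an unknown address both trip it, and the report, not the alert, is what tells the reviewer which one was a user mistyping a password.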

  34. Examples of Audit Report Structures

  35. Example • Executive Summary • Introduction • Background • Objectives and Scope • Audit Criteria • Approach and Methodology • Results from Phase 1 • Purpose • Overview of ACI-EDI Reporting for Air • Audit Findings • Technical Solution Development • Business Transformation • Authority, Responsibility and Accountability • Project Management Framework • Project Risk Management • Security Assessment • Appendix A - Audit Criteria • Appendix B - List of Acronyms

  36. Audit Objectives: To assess [Name of Company] compliance with the [Name of Standard] Standard
  • Overall conclusion: Based on our observation we noted that the degree of compliance with [Name of Standard]. With the exception of business continuity planning, [Name of Company] is compliant with [Name of Standard].
  • Summary of Findings: The audit team noted a number of strengths with respect to compliance with [Name of Standard]. For example, [Name of Company] has specified the roles and responsibilities for managing IT security. It has also issued a comprehensive set of policies, procedures and standards for managing this function and instituted a security-awareness program for its employees. [Name of Company] screens staff to determine who will have access to which sensitive information, and has employed security zones.
  • Detailed Findings and Remediation: Recommendation: To institute better monitoring and oversight of IT security, [Name of Company]'s senior management should designate an IT Security Coordinator for [Name of Company] who has responsibility and authority for IT security throughout the organization.
  • Management Response: Agreed; an IT Security Coordinator for [Name of Company] with organization-wide responsibility and authority for IT security will be appointed following consultation with the Senior Executive Committee (SEC). However, such a role will need to be supported by a strong IM/IT governance structure in general and a robust information security governance framework in particular.
  • Timelines and Deliverables:

  37. Resources • Report Sample http://www.usda.gov/oig/webdocs/30099-1-SF-REDACTED.pdf • Internal Audit Report of IT Systems, Canada Border Services Agency. http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/ae-ve/2007/itaci-tiipec-eng.html#a01
