IT AUDIT & COMPLIANCE REVIEWS
The IT compliance audit service comprises of a full systems audit review in accordance with PCI DSS, SOX, COBIT, ISO 27001 and other standards, covering all respective areas of information security management. IT audit assists businesses to identify the risks associated with the extensive use of IT systems and maintains a controlled business environment for secure operations and business processing.
We provide IT audit for a number of international standards like ISO 27001, PCI DSS, COBIT, Basel and others. The best practice standard for information security management is ISO 27001, on which, we base our standard audit scope and control checklist. If the client has other compliance requirements we design our audit scope and checklist in accordance.
Our standard audit scope for the ISO 27001 testing procedures includes the following 11 domains of information security:
- Security Policy
- Organization of information security
- Asset Management
- Human resources security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business Continuity Management
During our audit procedures we check each control objective for its design, implementation and operating effectiveness, as per the Global Audit Methodology (GAM). The meaning of each of these three stages of testing is described below:
- Design - a policy / procedure stated and approved by the company
- Implementation – how the stated policies / procedures are implemented in the systems and business environment
- Operating effectiveness – how the implemented controls are functioning over time
The main deliverables from the IT audit are an independent IT audit report stating the areas of risks on the business and any control weaknesses that have been noted over the audit period. In some cases evidence of fraud or override of controls is noted where further forensic investigation procedures may be initiated by the client.