Certainly you cannot audit everything there is to audit about an information system topic by asking just five questions. But to us, five focused questions are better than five shotgun questions, and certainly better than no questions at all. We have heard from a number of auditors that when they audit an organization they are often doing so at a high level, and not necessarily targeting a detailed view of one scope. These guides are meant to focus an auditor's attention on the most crucial controls for a given topic and provide a baseline of due care.
The foundation of this guidance is generally taken from our experience in the industry, which has been highly influenced by the Critical Security Controls (sponsored by the Center for Internet Security and the SANS Institute), the US National Institute of Standards and Technology (NIST) and its 800 Series guides, the Global Technology Audit Guides (GTAGs, sponsored by the Institute of Internal Auditors), and Control Objectives for Information and Related Technologies (COBIT, sponsored by ISACA). As such, we will include references to these standards where relevant.
Of course this is a collaborative effort, and we are always looking for feedback from the community whenever possible. So if you have a minute and feedback to give, we welcome it! If you have feedback or suggestions on any of these controls, please feel free to drop us a note here.
5 Crucial Questions for Auditors