3.2. INFORMATION SYSTEMS AUDIT PROGRAM
Exhibit 3.1 shows the information systems (IS) audit program that is the foundation of Part Two of this book. The audit program is designed to address the primary risks of virtually all computing systems. Therefore, the objective statement and steps in the program are general by design. Obviously, computing systems can have many different applications running on them, each with its own unique set of controls. However, the controls surrounding all computing systems are very similar. The IS controls in the audit program have been grouped into four general categories:
Information Systems Audit Program
Objective: To assess the adequacy of environmental, physical security, logical security, and operational controls designed to protect IS hardware, software, and data against unauthorized access and accidental or intentional destruction or alteration, and to ensure that information systems are functioning in an efficient and effective manner to help the organization achieve its strategic objectives.
Assess the adequacy and effectiveness of the organization's IS security policy. In addition, assess whether the control requirements specified in the organization's IS security standards adequately protect the information assets of the organization. At a minimum, the standards should specify the following controls and require them to be applicable to all information systems: