Page 51 - DCOM509_ADVANCED_AUDITING

Advanced Auditing





                                     Case Study: Security Audit and Control Solutions

                                     Abstract
                                     In its quest to provide a better approach to workflow management and ensure that its
                                     clients have adequate tools, Security Audit and Control Solutions uses COBIT 2nd Edition
                                     as the basis for control and risk assessment activities. Security Audit and Control Solutions
                                     has developed a well-accepted audit program based on COBIT and has used it to audit
                                     NetWare, NT, network infrastructure, firewalls, UNIX and many other areas. COBIT is
                                     instrumental to on-time and on-budget value-added audits.
                                     Background

                                     Security Audit and Control Solutions is a consulting firm that focuses on developing
                                     specialised tools for risk management and auditing for clients including international
                                     financial organisations based in South Africa, UK, Taiwan, Russia and the USA. In addition
                                     to offering advanced audit software and tools, Security Audit and Control Solutions
                                     performs IT audits, security reviews, penetration studies, firewall testing, forensic
                                     investigation, password recovery and encryption services.
                                     Security Audit and Control Solutions uses COBIT 2nd Edition as the foundation for
                                     performing its audits and has developed Audit and Risk Manager, a COBIT-based software
                                     application to support audit activities. Senior managers at client offices understand and
                                     welcome the benefits of COBIT’s control objectives approach.
                                     Audit and Risk Manager is deployed as a master and an agent. Using COBIT as a starting
                                     point, Security Audit and Control Solutions auditors use the master to develop a client’s
                                     audit program. The client (auditee) portion of the application can be anywhere on the
                                     network and the auditee is assigned access to his/her relevant audit.
                                     A Security Audit and Control Solutions consultant then performs the audit using the
                                     customised audit program based on COBIT principles. High-risk items that are uncovered
                                     are entered in Audit and Risk Manager as an audit finding worksheet (AFW) related to an
                                     audit code. After AFWs are raised, the auditee has access to the finding and can update
                                     his/her comments and commit to a timeframe for when compensating controls will be put
                                     into place.
                                     Auditors can close AFWs when all correspondence has been completed. Regular reports
                                     can be issued to management with details on the current status of the audit and the
                                     controls implemented.
                                     Other Security Audit and Control Solutions products that feed information into Audit and
                                     Risk Manager enable COBIT to become part of the living environment.
                                     Process
                                     Security Audit and Control Solutions uses COBIT during all audits and has met with great
                                     success communicating its benefits to senior management at client offices. Because several
                                     of its clients are large financial organisations, Security Audit and Control Solutions takes
                                     care to show them how they will be empowered by implementing COBIT as a baseline.
                                     This process leads to knowledgeable risk-taking considerations at every stage of the
                                     systems development life cycle.

                                                                                                         Contd....



          46                                LOVELY PROFESSIONAL UNIVERSITY