Join Michael Lester for an in-depth discussion in this video Auditing risk management, part of CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors.
- [Narrator] Alright, let's talk about auditing the organization's risk management program.

So, the first thing to look for when you're auditing a risk management program is: is there a process in place? Is there some kind of defined process that the organization actually uses to perform their risk management duties? Have they written this down? Is there a particular diagram that they use? Is there a flow? Have they defined things such as their roles and responsibilities? Is that all laid out, and if so, does it follow a particular known, recognized framework, like ISO 27005, NIST Special Publication 800-30, or Carnegie Mellon's OCTAVE? Is there some recognized framework in place that you can look at and say, "Yes, they built their risk management process off of this known framework"? If so, then you look at it to see how closely they aligned to the actual instructions in the framework.

If the framework has a certain set of steps, are they actually going through all those steps? Or have they tweaked it slightly?
Instructor Michael Lester starts out with a description of IT governance and the role of IT policies, processes, and standards, providing examples of many of the most common types. He reviews three key areas for auditing: risk management, business continuity, and disaster recovery planning. He also explains how an IT department and its auditing team should be organized. At each stage, he explains how the auditor would address these topics in a typical audit environment.
- IT governance
- Policies, processes, and standards
- Risk management
- IT organization
- Business continuity
- Disaster recovery