Join Michael Lester for an in-depth discussion in this video, Auditing management structure, part of CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors.
- [Instructor] All right, let's talk about auditing the actual management structure of the IT organization. So, when it comes to auditing the org chart, take a look at the org chart, take a look at who reports to whom, and determine: does the organization have enough separation between IT management and security management? You know, security ideally should report directly to executive management, not go through, say, the IT director or perhaps the CIO. There should be some kind of direct channel to executive management and potentially even the board, as to the security management practices and how well things are going with the organization.
Same thing goes for auditors. Is there an auditing team that reports directly to executive management or the board? You don't want to have auditors reporting too low down the food chain. They should be going straight to executive management and straight up to the governance entity, whatever that is, typically the board of directors. Now, when it comes to auditing segregation of duties,…
Instructor Michael Lester starts out with a description of IT governance and the role of IT policies, processes, and standards, providing examples of many of the most common types. He reviews three key areas for auditing: risk management, business continuity, and disaster recovery planning. He also explains how an IT department and its auditing team should be organized. At each stage, he explains how the auditor would address these topics in a typical audit environment.
- IT governance
- Policies, processes, and standards
- Risk management
- IT organization
- Business continuity
- Disaster recovery