Join Michael Lester for an in-depth discussion in this video Dealing with risk, part of CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors.
- [Instructor] So, we've gone through our process, we've done the planning and figured out who's going to be on the team and which assets are involved, what the scope is. We spent all that time in the collection phase, doing all the grunt work, pulling the information. Then, we take our findings and our recommendations, and we present it to management. And management makes the decision of how to handle that risk, and there's four different things they can do. They can reduce or mitigate the risk, by putting some kind of control or countermeasure in place, like a firewall or some shutters for the hurricane, or a fire suppression system, or a smoke detector for the fires, etc. etc.

Some kind of control you put in place to either reduce the likelihood of something bad happening, or the impact, or the pain that you would endure if that bad thing were to happen, or both. That's what a control does, it reduces either the likelihood or the impact, or both at the same time, and you put that in and hopefully, you can reduce or mitigate that risk…
Instructor Michael Lester starts out with a description of IT governance and the role of IT policies, processes, and standards, providing examples of many of the most common types. He reviews three key areas for auditing: risk management, business continuity, and disaster recovery planning. He also explains how an IT department and its auditing team should be organized. At each stage, he explains how the auditor would address these topics in a typical audit environment.
- IT governance
- Policies, processes, and standards
- Risk management
- IT organization
- Business continuity
- Disaster recovery