-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
Alexandra,
You are absolutely right. The management-response approach is more like a “contest” than a collaborative approach. The auditors send a report with recommendations (sometimes) and wait for the customers to respond.
Thank you for your clarification.
-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
Both frameworks are complementary and mutually supportive, but I think it is easier to implement COBIT first because it’s the “what you need to do and why you need to do it” and then go for ITIL the “how to do it”.
I hope this makes sense.
-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
*both parties are responsible to develop
-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
Pr. Yao,
I think both parties are responsible to develop “action plans” to remediate audit findings. In fact, after validating the risks, the auditor can work with the customer to develop an action plan for addressing each issue. Three common approaches (recommendation, management-response and solution) are used for developing an action plan…
-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
Priya,
In my opinion, the auditor should go back to the “Field and Documentation” phase if a finding needs to be revisited. In that case he/she can reanalyze the data and hopefully find what is missing. And I also think he/she always has a chance to revisit a domain before issuing the report. In fact, the whole point of the audit is to review…
-
Said Ouedraogo posted a new activity comment 8 years, 9 months ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
– Preventive controls: stop a bad event from happening…
– Detective controls: record a bad event after it has happened…
– Reactive controls (aka Corrective controls): fall between…
-
Said Ouedraogo commented on the post, Week 2 Questions, on the site 8 years, 9 months ago
Why do we need control framework to guide IT auditing?
By definition a control framework is “a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk”. That being said, control framework guides the auditor throughout the…
-
Said Ouedraogo posted a new activity comment 8 years, 9 months ago
COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises. COBIT is broader than ITIL in its scope of coverage; it includes seven qualities of information (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability). ITIL provides best practices describing how to…
-
Said Ouedraogo posted a new activity comment 8 years, 9 months ago
Explain the key IT audit phases
What are the key activities within each phase?
∗ Planning
– Determine the objectives and scope of the audit
– Develop steps to be executed in order to accomplish objectives
– Interview with the customer
– Research and scheduling
∗ Fieldwork and Documentation
– Perform interviews and analyze data to fin…
-
Said Ouedraogo posted a new activity comment 8 years, 9 months ago
The New Security Mindset: Embrace Analytics To Mitigate Risk
This article relates how security professionals have been working to find weaknesses in their system. According to the author Todd Thibodeaux, “fewer than half of information security professionals feel their organizations’ security is completely up to par”. In fact, businesses spent…
-
Said Ouedraogo commented on the post, Week 2: Questions, on the site 8 years, 9 months ago
Yes in fact, Walmart has power over their suppliers. They force them to meet the requirement of their standards. But, those standards are also what Walmart needs to meet in order to operate in legal regulations.
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, March 22, on the site 8 years, 9 months ago
In fact, this can be a risk as the technicians can do “something bad” with the users’ credentials and get away with it.
During one of my internships, IT technicians were able to reset our printer passcode and were doing 1-to-1 sessions for people who wanted to change their passcode. The bottom line is that they were in possession of everyone…
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, March 15, on the site 8 years, 9 months ago
What you are saying can be an example of how control environment affects IT to the extent that management has not established policies and procedures to follow in order to protect information in the company.
-
Said Ouedraogo commented on the post, Week 2: Questions, on the site 8 years, 9 months ago
Yes true, but sometimes buying the cheapest software is not strategically the right thing to do. Here, we are comparing Nitro Pro 9 and Adobe Acrobat. In the long run, it will be wise for a company to choose Adobe Acrobat even if the company is small and does not need Acrobat features for the moment. In fact, the company aims to grow in the future…
-
Said Ouedraogo commented on the post, Week 2: Questions, on the site 8 years, 9 months ago
In fact, while choosing the cheapest supplier Walmart must make sure that this supplier meets the standards. In this case compliance-driven controls and profitability-driven controls are not mutually exclusive to the extent that Walmart is looking to make profits but also looking for the supplier who meets the most to standards.
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, September 22, on the site 8 years, 9 months ago
Yes, you can email it to him.
-
Said Ouedraogo posted a new activity comment 8 years, 9 months ago
I think everyone at Temple University represents information security vulnerabilities to Temple University. In fact, ITACS students and regular students do more than sending emails while on Temple internet connection. Even though the university blocks some sites, it does not stop students from going to insecure sites. I have been seeing some students…
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, February 9, on the site 8 years, 9 months ago
People go to all kinds of sites without worrying if it’s secure or not. And, to my knowledge no one has suggested to set filters. Now that you mentioned it, I think I will make recommendations.
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, February 9, on the site 8 years, 9 months ago
In fact, technology from physical devices to IT systems can be seen in the day-to-day operation of a company. It is important that the auditor (financial, operational, IT…) understands what is going on. I will even go further and say that today auditors must have a minimum understanding of technology.
-
Said Ouedraogo commented on the post, Progress Report for Week Ending, February 9, on the site 8 years, 9 months ago
What about transferring the data onto a USB flash drive?