IT audit case: Network Security Audit
The network security audit is an independent inspection of cyber security-related control mechanisms, processes, and strategies to understand the organization’s cyber security status, reveal cyber security risks, and provide recommendations for cyber security rectification, thereby effectively promoting the organization’s network security system and ensuring the stable development of the organization’s business.
What is the content of a network security audit?
A network security audit focuses on the organization’s security management system, security management organization, security management personnel, security construction management, security communication network, security computing environment, security management center, etc.
What is the benefit of a network security audit?
By examining the appropriateness and effectiveness of network security management and technical control measures, the audit reveals the hidden risks in the organization’s network security controls, so that, within a suitable period of time and through appropriate rectification and optimization, the organization can achieve the goals of effectively avoiding major network security risks and significantly improving the level of network security management.
Here is a case about network security audit.
A company was listed on the Hong Kong Stock Exchange in 2018. With the rapid growth and change of its business scale and information systems, the company carried out network security construction in order to realize the goal of business information and to meet business needs and network security needs. In order to fully understand the current status of the company’s network security management and effectively respond to the challenges posed by network security risks, Powertime was commissioned in mid-2019 to conduct a special network security audit of the company. Through this special audit, Powertime’s audit team analyzed the effectiveness of the company’s cyber security work and the implementation of the cyber security management system. A total of 73 audit risks were raised, and a special cyber security audit report, compliant with internal control and approved by the competent authority, was issued. The special audit report has effectively improved the company’s network security management level.
The following is the workflow of Powertime’s audit project.
Form an audit team to clarify the responsibilities of the audit team leader and members.
Conduct pre-audit investigations of the audited corporation to understand the corporation’s structure, personnel composition and post structure involved in the network security audit. Identify the important information systems of the audited corporation, understand the status of its network security management, and determine the audit sampling program and key audit content.
Develop a network security audit plan, and determine the timing and scope of resources required to perform this network security audit.
Implement the network security audit: understand and test the company’s network security from the two dimensions of network security management and network security technology, conduct sample-based technical audits of the company’s Oracle EBS system, outsourcing management system, and domain control system, and collect relevant evidence to form audit work papers and audit findings.
Communicate and report on the audit: evaluate network security control measures, analyze existing problems, put forward improvement suggestions, and issue the network security audit report.
Comprehensive Information Technology Risk Audit
What is a comprehensive information technology risk audit?
A comprehensive information technology risk audit is a comprehensive audit of the organization’s information technology risk management that evaluates the effectiveness of information technology risk prevention and finds shortcomings in information technology risk management. On that basis, auditors can put forward constructive rectification suggestions and issue a comprehensive audit report on information technology risks based on regulatory requirements and best practices at home and abroad.
What is the content of a comprehensive information technology risk audit?
A comprehensive audit of the organization’s information technology risk management covers information technology governance, information technology risk management, information security, information technology operation, information system development, testing and maintenance, business continuity, outsourcing risk, internal audit management, etc.
What is the benefit of a comprehensive information technology risk audit?
The benefits of the audit are to meet the internal control and audit requirements of regulatory agencies, improve the organization’s IT risk management capabilities, ensure the stability of important businesses and systems, promote the improvement of the organization’s IT risk management system, and meet the needs of the organization’s business strategy and business development.
Here is a case about comprehensive information technology risk audit.
A city-level commercial bank was approved for construction in 2007. The bank’s total assets and deposit balance rank first among the 10 municipal banks in the province, and it has achieved large-scale development. In order to fully understand the current status of the bank’s information technology work, reveal the problems and weaknesses of information technology at all levels, investigate hidden risks, promptly warn of risks, and improve information technology management and control capabilities and levels, the bank raised the need for a comprehensive audit of information technology risks. From October to November 2018, in accordance with the bank’s IT audit arrangements, Powertime conducted a two-month comprehensive audit of IT risks in the bank. The project finally found more than 100 problems in information technology governance, risk management, information security management, etc. In addition to the corresponding problem descriptions and cause analysis, the results also include important content such as problem risk analysis and grading, and suggested resolution measures for the bank to investigate hidden risks, which laid a solid foundation for improving the ability and level of information technology management and control.
The following is the workflow of Powertime’s audit project.
In the preliminary investigation stage, the IT audit team of Powertime issued a management and technical investigation form to the bank for basic information technology management research.
During the project start-up phase, the IT audit team of Powertime entered the bank and held a project start-up meeting with the bank's internal control compliance, information technology and risk management departments, and confirmed the established audit plan and the bank.
At the stage of on-site audit, the IT audit team of Powertime conducted an on-site audit of the overall information technology work of the bank.
Project summary report and report preparation.