The Main Thing about Audit Questions
The Main Thing you need to know about audit questions is that they aren't as unique as many of the auditors would like to have us believe.
When are two audit questions the same? When both result in the same answer using the same resources and variables. Here are two audit guidelines that are written in a close, but not exact, format:
- The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
- Security Zones: Do Not Allow Users to Add/Delete Sites - Local Computer
The first is written as something that the auditor should examine. The second is written as a test for a computer application. Both utilize the same asset and configurable item and are looking for the same answer.
Another example is two audit guidelines written as "examine" methodologies:
- State the organization's objectives for the Identity Theft Prevention Program.
- Ensure the organization has established and maintains a policy to protect its clients and their accounts from identity theft and to comply with the Federal Trade Commission's (FTC) Red Flags Rule. The organization will do this by developing and implementing a written Identity Theft Prevention Program (Program), which is appropriate to the firm's size and complexity, and the nature and scope of its activities.
Both forms of the audit question are dealing with the same ID theft prevention program and privacy safeguards policy. Both forms of the audit question are dealing with the same control - to develop and maintain measures to limit information leakage. Both audit questions are dealing with the same record category of customer information management. One question implies that records are being affected by the program and the other takes this further by stating that the program must be implemented.
At their heart, both questions' intent is to ensure that there is a correlation between the control of stopping information leakage and the policy and procedures that tell the organization how to do that with regard to the record category of customer information management.
This means that both questions' intent can be boiled down to a question method of:
- Examine the Control in the Policy as compared to Records in the Record Category. Do the two correlate? (i.e., is the intent carried out?)
This method can then be linked directly to a database of controls, policies, records, and record categories so that the organization's specific record examples and policies can be included in a tailored audit question such as the one below that leverages controls in the UCF:
- Examine the control entitled Develop organizational measures to limit information leakage [UCF CE ID 00356] in the Privacy Safeguards policy as compared to records in the Customer Information Management record category. Do the two correlate?
So what is the Main Thing? It's this: Audit questions can be distilled down to their method and dependent resources. Audit question methods can be, and should be, harmonized in a unified compliance environment. Once harmonized, audit questions can be, and should be, linked to specific controls, records (and their record categories), assets (and their configurable items), and even metrics and roles when necessary.
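The following is an added example, not code from the post or from the UCF, of what "distilled down to their method and dependent resources" looks like in practice. It reduces each raw audit question to a key of (method kind, subject, context, target), groups differently worded questions that share a key, validates every key against a small control database, and regenerates the tailored question text from that database. The database, the `MethodKey` class and the function names are constructed for illustration; the only real identifier is UCF CE ID 00356, which the post itself cites.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, illustrative control database (not the UCF's own schema).
# UCF CE ID 00356 and its title are taken from the post; everything else is made up.
CONTROLS = {"00356": "Develop organizational measures to limit information leakage"}
POLICIES = {"Privacy Safeguards": {"00356"}}          # policy name -> controls it implements
RECORD_CATEGORIES = {"Customer Information Management": ["customer account file", "client intake form"]}
ASSETS = {"Local Computer": {"Security Zones: Do Not Allow Users to Add/Delete Sites"}}  # asset -> configurable items


@dataclass(frozen=True)
class MethodKey:
    """Harmonized core of an audit question: the method plus its dependent resources.
    Two raw questions are 'the same' when they reduce to an equal MethodKey."""
    kind: str      # "control" (examine a control against records) or "configurable_item" (test a setting on an asset)
    subject: str   # control CE ID, or the configurable item's name
    context: str   # policy name, or asset name
    target: str    # record category, or the expected state of the setting


def validate(key: MethodKey) -> None:
    """Refuse keys that point at resources the database does not hold, so a harmonized
    question can never silently reference a missing control, policy, category or asset."""
    if key.kind == "control":
        if key.subject not in CONTROLS:
            raise KeyError(f"unknown control {key.subject}")
        if key.subject not in POLICIES.get(key.context, set()):
            raise KeyError(f"policy {key.context!r} does not implement control {key.subject}")
        if key.target not in RECORD_CATEGORIES:
            raise KeyError(f"unknown record category {key.target!r}")
    elif key.kind == "configurable_item":
        if key.subject not in ASSETS.get(key.context, set()):
            raise KeyError(f"asset {key.context!r} has no configurable item {key.subject!r}")
    else:
        raise ValueError(f"unknown method kind {key.kind!r}")


def harmonize(raw_questions):
    """Group differently worded audit questions by their MethodKey.
    raw_questions: iterable of (question_text, MethodKey). Returns {MethodKey: [texts]}."""
    groups = defaultdict(list)
    for text, key in raw_questions:
        validate(key)
        groups[key].append(text)
    return dict(groups)


def render(key: MethodKey) -> str:
    """Generate the tailored question from the database, using the post's own wording
    for the control form and a constructed wording for the configurable-item form."""
    validate(key)
    if key.kind == "control":
        return (f"Examine the control entitled {CONTROLS[key.subject]} [UCF CE ID {key.subject}] "
                f"in the {key.context} policy as compared to records in the {key.target} "
                f"record category. Do the two correlate?")
    return (f'Test the configurable item "{key.subject}" on the asset {key.context}. '
            f"Is it set to {key.target}?")


# Constructed sample: the four question wordings quoted in the post (the second one
# abbreviated), each tagged with the resources it depends on.
LEAK_KEY = MethodKey("control", "00356", "Privacy Safeguards", "Customer Information Management")
ZONE_KEY = MethodKey("configurable_item", "Security Zones: Do Not Allow Users to Add/Delete Sites",
                     "Local Computer", "the baseline value")
SAMPLE_QUESTIONS = [
    ("State the organization's objectives for the Identity Theft Prevention Program.", LEAK_KEY),
    ("Ensure the organization has established and maintains a policy to protect its clients "
     "and their accounts from identity theft.", LEAK_KEY),
    ('The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.', ZONE_KEY),
    ("Security Zones: Do Not Allow Users to Add/Delete Sites - Local Computer", ZONE_KEY),
]

if __name__ == "__main__":
    # Four wordings collapse to two harmonized questions, each regenerated from the database.
    for key, texts in harmonize(SAMPLE_QUESTIONS).items():
        print(f"{len(texts)} wordings -> {render(key)}")
```

The `validate` step is the part worth keeping even if the rest is replaced: once questions are generated from linked records rather than written by hand, a dangling reference (a control the policy does not actually implement, a record category that was renamed) should fail loudly at harmonization time rather than produce a plausible-looking question that no one can answer.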
