A security and governance audit is an analysis of a company's technical landscape, including its software and hardware systems, IT processes, procedures and resources such as IT personnel.
The audit process provides assurance that any security controls have been designed effectively, and are being managed and performed as designed.
The benefits of security and governance audit and assurance are:-
♦ Identification and Reduction of Risk
♦ Process Weakness Identification and Improvement
♦ Staff Skills Gaps are highlighted
♦ Appropriateness of Governance Structure
♦ Regulatory Compliance
Our audit consultants are CISA-certified senior IT auditors, with a strong background in information security assurance and compliance. With extensive experience in security and governance internal audit and auditing IT within large and small organisations, we can provide the expertise you need to gain comfort that your IT function is performing effectively and within your risk appetite.
Armana offer several security, governance, audit & assurance services that clients can choose from, and they include:-
♦ Development of IT audit universe
♦ Development of IT audit plan
♦ Development of IT audit methodologies
♦ Performing third party security reviews
♦ Performing cyber security technical reviews
♦ Performing IT governance and compliance audits
♦ Performing IT system or process audits
♦ Audit Quality Assurance
Armana aim to be flexible and responsive in their approach to providing IT auditing and assurance services and as a result can tailor the service offering to meet your specific needs.
Armana Systems has produced an established and standard audit process developed to ensure the quality and timeliness of the audit work delivered. The headline staging points comprising that established audit process are summarised in the table below.
With Armana, the established process can be adapted to accommodate formal audit processes that the Client may already have in existence.
Scope and Plan
The first stage would be to hold an internal meeting to review the information already gained from the audit plan and to discuss the potential risks to the system or process that should be reviewed as part of the audit. An audit controls sheet will be developed at this stage based on industry-recognised frameworks such as COBIT. Key stakeholders will be identified and invitations sent out for meetings with them. A meeting invitation will also be sent out to key stakeholders for the kick-off meeting.
The kick-off meeting will be held with all key stakeholders to advise them on the audit process and to discuss the areas that will be reviewed as part of this piece of work.
Meetings with key stakeholders will be held, and requests for supporting documentation and evidence will be made as part of these meetings. The audit control sheet will be used during these meetings to ensure that all areas are covered off. It is possible that during these meetings additional areas will be highlighted that need to be considered, and additional requests to meet with other key stakeholders will be sent out as appropriate.
Fieldwork close-out meeting
Once the audit fieldwork has been completed, another internal meeting will be conducted as a quality check to make sure that all key areas have been considered, all queries have been answered sufficiently and enough information has been gathered to be able to produce the draft audit report.
Should it be found as part of the internal meeting that there are areas yet to be considered, or that additional risks have been identified that require following up, these will be addressed as part of the audit follow-up.
Final close-out meeting
The close-out meeting will be held with all key stakeholders to discuss the work performed during the audit and the themes of the issues identified. This will not go into the same level of detail as the audit report but will be a high-level identification of themes so that key stakeholders are aware of what to expect in the audit report.
A draft report will then be produced, detailing the work conducted and the issues identified, and sent to the appropriate stakeholders once the Chief Internal Auditor is satisfied with it. The audit findings/issues will be ranked using a red/amber/green ranking to identify those of high, medium and low importance. The report would also be ranked as a whole as red, amber or green. It would be our intention to make this designation so that the issues identified can be given the appropriate attention within the organisation.
Management comments will be received for inclusion in the report, and as part of this any clarifications to the findings in the report can be made to aid in the responses. We will send reminders to the stakeholders when management comments are due for submission. Should management comments not address issues identified in the audit report, we would discuss this with the stakeholder to gain a more suitable response.