One Article Review

Source: NoticeBored
Identifier: 409098
Publication date: 2017-08-21 11:38:34 (seen: 2017-08-21 11:38:34)
Title: NBlog August 21 - Internal Control Questionnaires
Text:

Further to yesterday's piece about a free ISMS audit guideline, I normally prepare Internal Controls Questionnaires to structure and record my audit fieldwork. As the illustrative extract above shows, these work nicely as landscape tables in MS Word with the following 4 columns:

Check: these are the audit tests, written before the audit fieldwork starts. As well as the classic audit 'show me' and 'tell me about ...', I much prefer open-ended questions and general prompts such as 'check', 'review' and 'evaluate'. ICQs are intended to be used by reasonably competent and experienced auditors, not spouted verbatim by novices. [The ISMS audit guideline includes an extensive but generic set of audit checks ready to cut-n-paste into this column, then trim and modify according to your specific audit requirements and situation.]

SWOT: these record the auditor's first impressions - an initial evaluation of the findings. Is this area a Strength (the findings are good, risks well under control), a Weakness (there are some issues but nothing too desperate), an Opportunity (generally meaning an 'opportunity for improvement' i.e. a change that will benefit the business) or a Threat (a significant risk or concern that ought to be addressed in order to avoid a serious incident)?

Notes: briefly state the audit findings. Factual evidence is crucially important to the audit process, and needs to be recorded carefully. For example, I sometimes quote the precise words spoken by auditees in audit interviews, and incorporate or cite relevant extracts from policies, procedures, logs, reports etc. The auditor's comments and interpretation are a valuable output too (e.g. explaining the context and possible consequences), but strong facts speak for t
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.