Information owned or borrowed by an enterprise is one of its most vital assets and must be protected with at least the same vigilance usually afforded to its more tangible resources, such as equipment, facilities, and fixtures. Today the computer network, and the servers and workstations connected to it, comprise the lifeblood of most businesses. One of the most necessary elements of an overall information security policy is a competent audit program. Governmental agencies such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and state regulatory agencies, such as the Georgia Department of Banking and Finance (DB&F), have all established auditing standards for the institutions they regulate. These standards usually mandate that an external information systems audit be carried out each year by a trained professional. Whether or not such an audit is required, it is usually the best way to ensure the security, integrity, and availability of the information assets of a bank or business.

The best audits are now risk-based. That is, instead of going down a punch list of questions and assigning equal weight to every issue, the auditor attempts to understand the specific risks most likely to endanger a business and concentrates his or her efforts in those areas. There are always definite areas of inquiry that must be covered within an information systems audit, but not every audit exception poses an equal danger to the enterprise. With the risk-based method, the greatest effort is applied to the areas of greatest risk.

Because of the importance of an information systems audit, it is imperative that the right individual or firm be selected to perform this essential task. With over 47,000 members in 140 countries, the Information Systems Audit and Control Association (ISACA®) has become the globally accepted standard of achievement among information systems audit, control, and security professionals. This organization awards the CISA (Certified Information Systems Auditor) certification to individuals who meet a number of stringent requirements including:

UNDERWOOD & ASSOCIATES, INC © 1983-2010