Information owned or borrowed by an enterprise is certainly one of its most vital assets and must be protected with at least the same vigilance that is usually afforded to its more tangible resources, such as equipment, facilities, and fixtures. Today the computer network, and the servers and workstations connected to it, comprise the lifeblood of most businesses. One of the most necessary elements of an overall information security policy is a competent audit program. Of course, governmental agencies such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and state regulatory agencies, such as the Georgia Department of Banking and Finance (DB&F), have all established auditing standards for the institutions they regulate. These standards usually mandate that an external information systems audit be carried out each year by a trained professional. Whether or not such an audit is required, it is nevertheless usually the best way to ensure the security, integrity, and availability of the information assets of a bank or business.

The best audits are now risk-based. That is, instead of going down a punch list of questions and assigning equal weight to every issue, the auditor attempts to understand the specific risks most likely to endanger a business and concentrates his or her efforts in those areas. Of course, there are always definite areas of inquiry that must be covered within an information systems audit, but not every audit exception poses an equal danger to the enterprise. With the risk-based method, the greatest effort is applied to the areas of greatest risk.

Because of the importance of an information systems audit, it is imperative that the right individual or firm be selected to perform this essential task. With over 47,000 members in 140 countries, the Information Systems Audit and Control Association (ISACA®) has become the globally accepted standard of achievement among information systems audit, control, and security professionals. This organization awards the CISA (Certified Information Systems Auditor) certification to individuals who meet a number of stringent requirements, including:

- the submission of verified evidence of a minimum of five years of professional information systems audit, control, assurance and/or security work experience
- the attainment of a passing score on the four-hour CISA exam given twice per year
- adherence to the ISACA® Code of Professional Ethics
- the successful completion of an average of forty (40) continuing professional education hours each year

Our audits are directed toward ensuring that an enterprise’s information systems adhere to an operational and administrative internal control structure requisite to the safety of the institution’s information resources. Controls, identified through policies, procedures, practices, and organizational structures, are examined to determine whether they reduce to an acceptable level any risk to the confidentiality, integrity, and availability of the institution’s information assets. Our review is also designed to determine whether the information systems function of the enterprise is in compliance with corporate policies and legal mandates. When performed regularly by an unbiased, professional information systems auditor, a study and review of the internal controls of your operation can help keep your enterprise safe and free from legal and regulatory problems. Jere Underwood, president of Underwood & Associates, Inc., has earned the CISA certification and is a highly skilled and experienced information systems auditor. Why not give Underwood & Associates a call when it’s time to talk about your next information systems audit?

E-mail: jere@underwoodandassociates.net