ISACA issues new BYOD audit programmes

ISACA has this month released news of more than 40 customisable IT audit/assurance programmes, which have been developed to help IT auditors who are facing increasing challenges brought about by “Bring Your Own Device” (BYOD) trends that occur as part of the so-called consumerisation of technology.

NOTE: Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the “broad range” of IT governance professionals it serves. Today ISACA is a non-profit association serving 100,000 IT professionals in 180 countries.

The new programmes from ISACA are as follows:

• BYOD Audit/Assurance Programme — designed to help auditors provide management with an assessment of bring-your-own-device (BYOD) policies and procedures, identify internal control and regulatory deficiencies, plus also identify information security control concerns that could affect the reliability, accuracy and security of the enterprise data.

• Personally Identifiable Information (PII) Audit/Assurance Programme  — which has been designed to help auditors provide management with an assessment of PII policies and procedures; this focuses on private data and storage locations, including the deployment and effectiveness of an organisation-wide data classification scheme, policies and procedures relating to action needed after a breach of PII confidentiality, and training employees in handling and processing PII and data privacy.

• Outsourced IT Environments Audit/Assurance Program — which has been designed to help auditors provide management with what ISACA has called “an independent assessment” of the IT outsourcing process, compliance with outsourcing contract, accuracy of billing, plus successful remediation of issues identified during the execution of business processes.

NOTE: This third module is also said to help auditors evaluate internal controls affecting business processes related to outsourcing. It permits the audit/assurance professional to place audit reliance on the data and operational processes performed by the supplier on behalf of the customer.

In other news, cybercrime & crisis management

Other ISACA audit programs include cybercrime, social media, crisis management, change management and cloud computing.

“ISACA’s audit programs can be used by auditors worldwide as a road map for specific assurance processes,” said Greg Grocholski, CISA, international president of ISACA and global business finance director for the Ventures and Business Development unit within The Dow Chemical Company. “They can be customised by IT auditors in any type of environment to help them conduct effective reviews that will help ensure trust and value in the enterprise’s information systems.”

The audit/assurance programmes are based on the standards and guidance in ISACA’s IT Assurance Framework (ITAF) and align with the  COBIT business framework for governance and management of IT. They have been developed by assurance professionals and are peer reviewed.

The organisation describes COBIT 5 as the latest edition of ISACA’s framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises.

According to ISACA “The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.”

The programmes detailed here are downloadable in a Word document and can be customised to fit specific operating environments. ISACA insists that they can also be used by security and business professionals, to apply the control objectives and audit steps to make the respective scope areas more robust.

The audit/assurance programs are free for ISACA members and around £30 for non-members at www.isaca.org.