Objective:
For this assignment, you will create an Audit Charter and an Audit Program for a cybersecurity audit of a company of your choice. The company I chose is Vena Solutions.
Audit Charter
Your Audit Charter must be written as a formal Memorandum of Record, or letter. Include:
Mission: Why the audit is conducted.
Scope and Responsibilities: Make sure to limit the scope of your
audit. A complete cybersecurity audit is overly aggressive. What you
must do is choose a limited scope for your audit. That scope must
include at least two critical systems/areas of the company's
infrastructure. One of the critical systems must be an industry-specific
system (policy management system for insurance, loan processing
system for banks, manufacturing management system, or the like). As you
may or may not be able to determine the actual system(s) that the
company you have chosen uses, you may investigate and select an
appropriate system that such a company could use. Note: you should
find a system which has some public information available. The second
system or area could be a commonly used system, such as an HRIS, an
accounting system, etc., or it may be an area such as a network, WiFi,
physical security, or other infrastructure area. The second area must
not be trivial.
Authority: Under what authority your audit would be conducted.
Accountability: Where your audit team reports.
Standards: Research and determine the standards that apply to your
company including those which are appropriate to the industry to
determine the standards against which the audit will be conducted. Also
include general standards which are required. Identify those sections
of the standards which are appropriate to the selected scope.
Audit Program:
After you complete your Audit Charter, conduct such preliminary and
field studies as are necessary to thoroughly understand the systems and
areas you are going to audit in relation to the standards against which
you will perform the audit.
Having conducted those preliminary and field studies, complete a
detailed and comprehensive Audit Program. Be sure to include the
specifics about what evidence will be gathered, how it will be gathered,
tasks to be performed, and expected positive results (used to measure
deviations), as needed. Also include any checklists or other artifacts
needed to conduct the audit. The Audit Program should cover the entire
scope as detailed in the charter, and should include sufficient detail
for someone who has not prepared the Audit Program to conduct a thorough
and sufficient audit.
Submission
Your submission should include in a single Word document your
Introduction, Audit Charter, and Audit Program. Standardized checklists
and other items used as appendices to the Program may be included
separately, but need to be loaded after the main submission.