Audit Frequency

In one of the forums I subscribe to the question came up: “How often should one carry out an internal audit?” There were variations on this to do with external audits as well. Let’s suppose you aren’t one of the recalcitrant types who take the attitude that audits aren’t necessary, or that an audit – or a risk analysis, for that matter – needs to be done just the once.

How often? Yearly? Every six months? Every month?

Maybe, maybe not.

If you belong to certain classes of organization there are rules that mandate when you get audited. For example, if you process credit cards then the PCI DSS rules apply to you.

If you are a bank, you should check for Basel II and FFIEC regulations.

And so forth.

Merely asserting a period without reference to a regulation means it’s arbitrary; asserting a period with reference to an ISO standard means it’s a decision that management has chosen to abide by … or not … or some other standard. Like the saying goes, there are so many standards to choose from.

Please: There is nothing wrong with management arbitrarily setting an audit period, but that doesn’t mean that it is somehow applicable in all situations. As I’ve said before, a “Good Practice” is just that, and is entirely dependent on context.

Look to your own context: look to your own risk profile.

What is your “rate of change”? How often do you install or revise applications or equipment, deploy new sites, have a changeover in personnel or operating procedures, and so forth?


About the author

Security Evangelist
