Why Frameworks Are Important for Auditing

In general, a framework is a conceptual set of rules and ideas that provide structure to a complex set of situations. Although a framework may be rigid in its skeleton, the idea is to provide flexibility. The framework includes distinct components, such as an introduction, learning objectives, headings, and a summary. Yet the authors have flexibility as long as they are within the confines of this framework.

Information technology (IT) environments differ from one organization to the next. Despite many similarities, each environment is different. Each company, for example, has different objectives, different ways of achieving its goals, and a different risk profile. IT departments exist to support and drive the business. Because no two organizations are exactly alike, no two IT departments will be exactly alike either.

An auditor must deal with multiple types of organizations. As a result, each audit is different. The size of the audit varies. The resources needed for the audit vary. The steps carried out for each audit also vary. A framework, however, provides a consistent system of controls to which IT departments can adhere. This system of controls also provides an auditor with a consistent approach for conducting audits.

Controls tend to be either descriptive or prescriptive. A descriptive control framework provides for governance at a higher level. These control frameworks are important in helping to align IT with business or enterprise goals. The challenge is that they don’t provide a prescribed method for turning these objectives into action. A prescriptive control framework approach helps standardize IT operations and tasks, while still allowing for flexibility. Organizations often apply both approaches together within IT, and audits tend to make use of both.

A more governance-oriented, descriptive framework may state a control objective that each IT organization must ensure systems security. Such a framework typically breaks that objective into supporting controls, such as ensuring network security or ensuring identity management. A major component of ensuring network security involves using firewalls. How each organization actually applies this varies. What if there is no local area network–to–wide area network (LAN-to-WAN) connection? In that case, there may not be a firewall at any border; there may only be firewalls between internal network segments. One company might use a software firewall, another a hardware appliance. There are also different types of firewalls: an administrator might use an Application Layer firewall in one situation and a Network Layer firewall in another. For the auditor, the control objective stays the same, yet the audit procedure may vary because of these differences.
