Acknowledgment of Responsibilities and Accountabilities

Auditing is the process of examining systems to verify they are in compliance with defined policies. In short, auditing ensures that activities comply with policy. This process provides value only when it objectively reviews evidence of actions. An auditor who overlooks any evidence of noncompliance isn’t effective. Because of the potential for negative findings, it is important that all parties engaged in auditing activities understand their responsibilities to the audit process.

Do not view auditing simply as a search for problems. Auditing is an opportunity to identify noncompliance issues before they escalate and possibly cause damage. This positive attitude toward auditing must start with upper management, who should share it with all affected parties. If upper management does not fully support the efforts of auditors, it is unlikely anyone else will.

Upper management can influence the quality of the audit process by assigning responsibilities and accountabilities. Every employee bears some responsibility in the IT security audit process. Every agent of your organization must maintain the security of your information. Because the IT security auditing process verifies compliance with security policies, all employees bear responsibility for carrying out your policies.

Each task in the audit process has one or more people who are responsible or accountable for that task. Many organizations use a RACI matrix to document tasks and personnel responsible for the assignments. RACI stands for responsible, accountable, consulted, and informed. To create a RACI matrix, do the following:

  1. List tasks along one axis and personnel or roles along the other axis.

  2. Assign a level of responsibility for each role and task.

  3. Assign each person or role a level of responsibility and accountability for each task.

The entries in the matrix will contain one of the following:

  • R (Responsible)—This is the person who actually performs the work to accomplish the task. It may be multiple people.

  • A (Accountable)—This is the person who is accountable for the proper completion of the task. Only one person is accountable for each task. The Accountable is likely the Responsible’s manager.

  • C (Consulted)—This is the person who provides input that is helpful in completing a task. It may be multiple people.

  • I (Informed)—This is the person who desires to be kept up to date on a task’s progress. This may be multiple people.
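A worked example added here (not from the textbook): a constructed RACI matrix in Python, laid out as the steps above describe, with a check for the rules just given: exactly one Accountable per task, and at least one Responsible. The tasks and roles are invented for illustration.

```python
from collections import defaultdict

# Constructed sample matrix (illustrative; not the textbook's Table 8-2).
# task -> {role: code}, using the codes defined above: R, A, C, I.
RACI = {
    "Define audit scope":      {"CISO": "A", "Audit lead": "R", "IT manager": "C", "CEO": "I"},
    "Collect evidence":        {"Audit lead": "A", "Auditor": "R", "System admin": "C"},
    "Review findings":         {"CISO": "A", "Audit lead": "R", "IT manager": "C", "CEO": "I"},
    "Remediate noncompliance": {"IT manager": "A", "System admin": "R", "Auditor": "I"},
}

VALID_CODES = {"R", "A", "C", "I"}


def validate_raci(matrix):
    """Return a list of problems; an empty list means the matrix is well-formed.

    Rules checked (from the definitions of R, A, C, I):
      - every entry is one of R, A, C, I
      - exactly one Accountable per task
      - at least one Responsible per task (someone must do the work)
    """
    problems = []
    for task, assignments in matrix.items():
        counts = defaultdict(int)
        for role, code in assignments.items():
            if code not in VALID_CODES:
                problems.append(f"{task}: invalid code {code!r} for {role}")
                continue
            counts[code] += 1
        if counts["A"] != 1:
            problems.append(f"{task}: expected exactly 1 Accountable, found {counts['A']}")
        if counts["R"] == 0:
            problems.append(f"{task}: no Responsible assigned")
    return problems


def render(matrix):
    """Render tasks along the rows and roles along the columns."""
    roles = sorted({r for a in matrix.values() for r in a})
    width = max(len(t) for t in matrix)
    lines = [" " * width + "  " + "  ".join(f"{r:>12}" for r in roles)]
    for task, assignments in matrix.items():
        cells = "  ".join(f"{assignments.get(r, '-'):>12}" for r in roles)
        lines.append(f"{task:<{width}}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RACI))
    print("problems:", validate_raci(RACI) or "none")
```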

Table 8-2 shows a simple RACI matrix for an IT audit.

TABLE 8-2 Simple RACI matrix for an IT audit.

[Table 8-2 appears as an image in the source; its cells are not reproduced in this text.]

The RACI matrix clarifies the responsibilities and accountabilities for a set of tasks. A RACI matrix provides upper management with a tool that communicates and conveys tasks. Without the acceptance of audit responsibilities and accountabilities, the auditing process might encounter resistance. Management and other employees might view the audit process as punitive.
