1. Download the Worksheet: Creating an Audit Plan [DOCX].
2. Review the following scenario, and in Table 1: Internal/Inherited Controls, determine whether each control is internal or inherited:
   • XYZ Corporation has retained you to audit their enterprise and validate their compliance requirements.
   • XYZ Corporation has a staff of 200 employees and an IT staff of three personnel.
   • Internal to XYZ Corp, the organization has a server room that houses network storage for proprietary data, an application server to manage applications and licenses, a Web server that hosts the company’s internal and external websites, hardware firewalls, and security appliances to manage and protect inbound and outbound services.
   • The organization has contracted Python LLC to provide email, VoIP, SaaS and cloud storage services for nonproprietary data for XYZ Corp.
3. The audit and the auditor are themselves auditable and are considered a control within the NIST framework. In Table 2: Control Numbers and Assessment Objectives, referring to the Audit and Accountability Policy and Procedures in NIST SP 800-53 and SP 800-53A (NIST Special Publication 800-53A [PDF]):
   • In the Control Number column, enter the control numbers for the family.
   • In the Definition column, identify and discuss the assessment objective.
   • In the Comments column, explain why you chose that control to fit the scenario.
4. When an auditor develops an audit plan, the size or scope of the audit must be defined so that redundant audits are avoided and time can be applied to the necessary controls. In Table 3: Auditable Domains, list the seven domains that are auditable.