From the course: CISA Cert Prep: 2 Information Technology Governance and Management for IS Auditors


Auditing risk management

- [Narrator] Alright, let's talk about auditing the organization's risk management program. So, the first thing to look for when you're auditing a risk management program is: is there a process in place, is there some kind of defined process that the organization actually uses to perform their risk management duties? Have they written this down? Is there a particular diagram that they use? Is there a flow? Have they defined things such as their roles and responsibilities? Is that all laid out, and if so, does it follow a particular known, recognized framework, like ISO 27005 or NIST Special Publication 800 series - 30, or Carnegie Mellon's OCTAVE? Is there some recognized framework in place that you can look at and say, "Yes, they built their risk management process off of this known framework"? If so, then you look at it to see how closely they aligned to the actual instructions in the framework. If the framework has a certain set of steps, are they actually going through all those steps? Or…
