The National Association of State Auditors, Comptrollers and Treasurers

Operating Principles

1. The forum will address the principal areas of information security auditing, including:

General controls, including network vulnerability analysis and penetration testing - General controls are the structure, policies, and procedures that apply to an entity’s overall computer operations. General controls establish the environment in which application systems and controls operate. They include an entitywide security management program, access controls (including network vulnerability analysis and penetration testing), system software controls, application software development and change controls, segregation of duties, and service continuity controls.

Application controls - Application controls relate directly to the individual computer programs. In an effective general control environment, application controls help to ensure that transactions are valid, properly authorized, and completely and accurately processed and reported.

Computer assisted audit techniques (CAATs) - CAATs are automated techniques used by the auditor to test data processing results or the adequacy of computer controls. CAATs frequently involve software tools, such as generalized or customized audit software, system or audit utilities, and query languages and facilities. Audit tasks supported by CAATs include statistical sampling, data extraction and analysis, computations and summarizations, determining access privileges, and reperformance tests.
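To make the CAAT tasks listed above concrete, the following is an added example that is not part of the NASACT page: a short Python script that runs three of those tasks (reperformance of computations, summarization, statistical sampling, and a determination of access privileges) over a handful of constructed payment and access-listing records. The record layout, the role names, and the conflicting-role pairs used for the segregation-of-duties check are assumptions made for the illustration, not data from any audit organization.

```python
"""
Added example (not from the NASACT page): a small computer-assisted audit
technique (CAAT) run over constructed records.  It demonstrates several of
the audit tasks the page lists: reperformance of computations, summarization,
statistical sampling, and determining access privileges.  All data, field
names and role pairs below are assumptions made for the illustration.
"""
import random
from collections import defaultdict

# Constructed payment records: (payment_id, vendor, quantity, unit_price, recorded_total)
PAYMENTS = [
    ("P-001", "Acme Supply", 10, 12.50, 125.00),
    ("P-002", "Acme Supply", 4, 99.99, 399.96),
    ("P-003", "Bolt & Nut Co", 100, 0.25, 25.00),
    ("P-004", "Bolt & Nut Co", 3, 150.00, 450.00),
    ("P-005", "Delta Forms", 12, 8.00, 69.00),    # recorded total does not agree with qty * price
    ("P-006", "Delta Forms", 1, 2000.00, 2000.00),
]

# Constructed access-control listing: (user, role) pairs as an application
# administrator might export them.  The conflicting-role pairs model a
# segregation-of-duties rule the auditor would agree with management.
ACCESS = [
    ("alice", "vendor_create"),
    ("alice", "payment_approve"),
    ("bob", "payment_approve"),
    ("carol", "vendor_create"),
    ("carol", "report_view"),
    ("dave", "sysadmin"),
    ("dave", "payment_approve"),
]
CONFLICTING_ROLES = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"sysadmin", "payment_approve"}),
}


def reperform_totals(payments, tolerance=0.005):
    """Reperformance test: recompute quantity * unit_price and return the
    payments whose recorded total differs from the recomputation."""
    exceptions = []
    for pid, _vendor, qty, price, recorded in payments:
        expected = round(qty * price, 2)
        if abs(expected - recorded) > tolerance:
            exceptions.append((pid, expected, recorded))
    return exceptions


def summarize_by_vendor(payments):
    """Summarization: total recorded payments per vendor."""
    totals = defaultdict(float)
    for _pid, vendor, _qty, _price, recorded in payments:
        totals[vendor] += recorded
    return {vendor: round(total, 2) for vendor, total in totals.items()}


def select_sample(payments, size, seed=2024):
    """Statistical sampling: random selection with a fixed seed so the
    selection can be reproduced and documented in the working papers."""
    rng = random.Random(seed)
    return sorted(rng.sample([p[0] for p in payments], size))


def find_sod_conflicts(access, conflicts):
    """Determining access privileges: report users holding a combination of
    roles that the agreed segregation-of-duties rule says should not coexist."""
    roles_by_user = defaultdict(set)
    for user, role in access:
        roles_by_user[user].add(role)
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for pair in conflicts:
            if pair <= roles:
                findings.append((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    print("Reperformance exceptions:", reperform_totals(PAYMENTS))
    print("Totals by vendor:", summarize_by_vendor(PAYMENTS))
    print("Sample for detailed testing:", select_sample(PAYMENTS, 3))
    print("Segregation-of-duties conflicts:", find_sod_conflicts(ACCESS, CONFLICTING_ROLES))
```

Each function returns its result rather than only printing it, so the same checks can be rerun against a fresh export and compared with the prior run; the fixed sampling seed is what makes the sample selection reproducible for review.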

Computer forensics auditing - Computer forensics auditing is the discipline of gathering and preserving computer evidence, primarily in connection with a legal proceeding. It includes taking custody of computer hardware and media, maintaining a chain of custody to protect the authenticity and integrity of evidence, extracting information without causing changes to the original state of the evidence, and analyzing the extracted evidence.

2. The forum will develop materials to educate others about information security risks and auditing.

3. The forum will enable involvement by participating audit organizations at varying levels:

Use of the forum to staff information security audits internally, as well as to share information security audit resources with other audit organizations.

Flexibility, so that individual audit organizations can choose to participate in some areas and not others, as appropriate.

4. The forum will leverage available resources, methodologies, and related training and tools.