Prepared by Kamal Khan, CISA, CISSP, CITP, MBCS
Take the quiz online:
Bellehumeur Article
1. Documentation enables organizations to mitigate their risk
across several strategic areas, including loss of intellectual
capital, data and IT operations, clarity and momentum.
2. With documentation, there appear to be four distinct buckets
into which IT departments tend to fall: no documentation,
little and sporadic documentation, average documentation,
3. IT departments do not know how to document. Documentation
does not mean writing everything down. It is actually a strategic
process that consists of capturing, structuring, presenting,
communicating and storing written information. IT professionals
tend to struggle with structuring, presenting and communicating.
4. Moving the team and department to the optimized
documentation bucket is a three-step process consisting of
adopting a strategic process, having the right people, and
building a culture of accountability and best practices around
Goldberg Article
5. The Institute of Internal Auditors (IIA) standards regarding
risk assessment state:
2020.A3: The internal audit activity’s plan of engagements
must be based on a documented risk assessment, undertaken
at least annually. The input of senior management and the
board must be considered in this process.
2040.A5: The auditor must identify and consider the
expectations of senior management, the board and other
stakeholders for internal audit opinions and other conclusions.
6. Internal audit can assist management and the board/audit
committee in the ERM process by monitoring, examining,
recommending improvements, evaluating and reporting.
7. Without performing a risk assessment, IA is at risk of losing its
relevance. IA has a role in helping the organization understand
and prepare for the associated risk implications of entering
new markets, leveraging new technologies (e.g., social
media, cloud) or expanding its business portfolio organically
8. Many internal auditors perform the annual risk assessment
and carry out work based on the actual risk to the organization
rather than reproduce the work from the prior year or budget
hours based on man-hours available.
9. Many organizations, through audit activities, identify and
evaluate companywide risk levels by examining trends and
comparisons within a single process or system throughout
Raval Article
10. Governance ensures that stakeholder needs, conditions and
options are evaluated to determine balanced, agreed-on
enterprise objectives to be achieved; setting direction
through prioritisation and decision making; and monitoring
performance and compliance against agreed-on direction
11. The accountability for the creation of business value (BV)
is easier to identify than the accountability for IT resources
12. Roughly, COBIT leans toward the resources and processes
focus and Val IT leans toward the BV focus.
Hamidovich Article
13. In most jurisdictions and organizations, digital evidence
is governed by three fundamental principles: relevance,
reliability and confidentiality, and all three are important for
the digital evidence to be admissible in a court of law, as stated
in ISO/IEC 13403789.
14. Code of Practice for the Implementation of BS 10008 is
structured according to a set of five principles of good
practice, including understanding the legal issues and
executing duty-of-care responsibilities.
Espin Article
15. A hash is the result of processing a block of data, such as a
password, through a procedure or algorithm that returns a
fixed number of characters.
16. To address the risk of inappropriate access to the SAP
systems, consideration should be given to identifying and
securing sensitive data and performing a comprehensive
SAP security assessment.