The attack on the World Trade Centre in 2001 created a worldwide alert, bringing focus on business continuity planning and environmental controls. Audit of environmental controls should form a critical part of every IS audit plan. The IS auditor should be satisfied not only of the effectiveness of the various technical controls but also that the overall controls safeguard the business against environmental risks. Some of the critical audit considerations that an IS auditor should take into account while conducting the audit are given below:
Audit Planning and Assessment: As part of risk assessment:
♦ The risk profile should include the different kinds of environmental risks that the organization is exposed to. These should comprise both natural and man-made threats. The profile should be periodically reviewed to ensure it is updated with newer risks that may arise.
♦ The controls assessment must ascertain that controls are in place and safeguard the organization against all acceptable risks, including probable ones.
♦ The security policy of the organization should be reviewed to assess policies and procedures that safeguard the organization against environmental risks.
♦ Building plans and wiring plans need to be reviewed to determine the appropriateness of the location of the information processing facility (IPF) and to review its surroundings, power and cable wiring, etc.
♦ The IS auditor should interview relevant personnel to assess employees' awareness of environmental threats and controls and the role of the interviewee in environmental control procedures such as prohibited activities, incident handling, and evacuation procedures, and to determine if adequate incident reporting procedures exist.
♦ Administrative procedures such as preventive maintenance plans and their implementation, incident reporting and handling procedures, and inspection and testing plans and procedures need to be reviewed.