Expert Advice Community

Audit questions

Guest user. Created: Aug 26, 2019. Last commented: Jun 09, 2022.

We are an information security company. Of recent, we have been getting RFPs for IT audits. I just wanted to know
Expert
Rhand Leal Aug 26, 2019

1. How can we carry out the IT Audit of a company?

Answer: If this is not an audit for certification purposes, it should be conducted according to these stages:
- Documentation review: at this stage the auditor checks if all policies, procedures, plans and records are in place according to the requirements, i.e. the reference established for the audit (e.g., for IT it could be ITIL, COBIT, ISO 20000, etc.).
- Main audit: at this stage the auditor, by means of techniques such as observation, interviews and log review, checks if processes and personnel are performing according to what is documented. It is at the end of this stage that any identified non-compliance is raised.

For further information, see:
- How to prepare for an ISO 20000 internal audit https://advisera.com/20000academy/blog/2018/04/11/how-to-prepare-for-an-iso-20000-internal-audit/

2. Can I use the knowledge of ISO 27001 to conduct one?

Answer: ISO 27001 establishes requirements for the protection of information, some of them related to the IT environment, so you can use its requirements as part of your audit process, but you have to consider more references for issues not fully covered by ISO 27001 (e.g., customer relationship management, IT strategy, etc.).

3. Must the company be certified?

Answer: The need for certification will depend on the customer's requirements in the RFP, but if the audit is not for certification purposes the company normally does not need to be certified, provided it can evidence the auditors' competence.

4. Which certification body do we use in case the client wants to be certified?

Answer: If the company wants to be certified, then your own organization should be a certification body, accredited by an accreditation body (e.g., UKAS for UK, or ANAB for USA), and for this purpose your organization has to be certified by an accreditation body against ISO/IEC 17065.

5. How can I do an IT audit plan to cover the audit of databases, OS platforms, hardware architecture, and network WLAN?

Answer: One way to define an audit plan is to define an audit checklist, considering the identified requirements and documents, to organize what you must audit and what you must look for.

This article will provide you with further explanation about audit checklists:
- How to create an ISO 20000 internal audit checklist https://advisera.com/20000academy/blog/2016/11/08/how-to-create-an-iso-20000-internal-audit-checklist/

These materials will also help you regarding audits:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
- ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/

Guest
Mr. NITESH RANGANATH GALFADE Jun 09, 2022

GRR acceptance criteria is 10%. In case of GRR for attributes, the Kappa value acceptance criteria is 0.75. That means in the simple comparison method we have min. 90% acceptance. So why is a Kappa value of 0.75 accepted, when it means 25% rejection is accepted? Not able to understand the statistical acceptance in case of attribute study.
