The first step is understanding the business objectives of the area to be audited. Second is the analysis of risks associated with the business function and their impact on the business from both operational integrity and financial reporting points of view. Having those items defined, the auditor can set forth a plan that identifies the steps to be performed, the scope of examination and the amount of resources needed to complete the job.
What are the aims of security audits? How often are they done?
Assuring that permissions and privileges are properly assigned, monitored and maintained and that they do not expose the organization to undetectable error, misuse and/or fraud. Annually an audit is performed on information security as a separate entity. Security within applications is audited during each application/operational area audit. This could also be annual.
What is the difference between an "information security" audit and an "application/operational area" audit? Are they done simultaneously?
An information security audit is a compliance review performed by the information security department validating that users of the system(s) are in compliance with procedures. These are done on a routine basis and normally are full in scope. In other words, the security audit would include a full review of access rules, access violations, etc. The key words are routine and full scope. An application/operation audit, on the other hand, is a periodic examination to ensure compliance to company standards for application development (system life cycle methodology), change/migration management, security (as it relates to the application specifically), end user balance and control processes, and compliance to internal policies and external regulations and laws. The same is true for an operational audit. The difference is that the audit focuses on processes and not systems.
What was the hardest aspect of it?
The most difficult issue is the evaluation of how system access and system and application privileges are properly segregated to impose an effective system of control. For example, there should be a way to restrict a system's administrator from performing specific application transactions. This is usually difficult since its corrective process deals with adding resources.
How does a bad (or good) audit affect security policy? How do they affect security spending?
Well, a bad audit means that the audit succeeded, since you've noted that the security practices are not acceptable. At that point management will take corrective actions if they believe in the need for security. When the corrective actions require spending, the issue should always be a cost benefit. You should not impose security over its related benefit. Too many times this is done.
How can a company prepare for an audit? Do you have any tips a company could use?
Preparing for an audit starts with a company understanding the need for an audit and accepting its added value to their organization and business objectives. Some companies look at audits as necessary evils. However, planning for an audit requires accepting why auditing is good for the business and expecting to take the audit's findings as positive criticism and move forward. Tips for preparing for an audit would include requesting that the auditor have a "pre-audit planning or entrance meeting" with management to discuss the purpose of the audit, the scope of examination and to gather from management any issues, concerns, etc. that management may have. A good auditor will incorporate management's needs into their audit. The auditor must be a service to management, not an enemy or a critic alone. Since auditors view things from an objective view, they should first have the best interest of the company in mind. Auditors are control specialists and management needs to understand that sound control practices will improve the company's performance and provide management confidence in the operation and financial integrity of the company.
You say "corrective actions" should be balanced with their cost benefits. Does an audit help a company figure out how to do this?
Absolutely. A good auditor will not recommend spending huge money to fix an insignificant issue. If they do, they are not working in the best interest of the company. Auditors should equate the need for improvement, institution of new controls, etc. with the perceived cost. A reasonable timetable of return on investment is also important to keep in mind. I've always thought that I should be able to sell each recommendation on the basis that they were good for the auditee. If I cannot prove the company can save more from the recommendation than it costs to institute, then I should never bring the issue up at all.
Why does a bad audit mean that the audit has succeeded? Do all companies have security areas that need improving?
What I meant was that when you perform an audit and your findings reflect a "bad system of control", they could really be good if management takes the proper corrective actions to address the weakness noted. Remember that the weaknesses are really noted for future improvement and protecting the company from losses, misuse of resources, waste, errors, etc. So, bad audit results can and should mean good audits to the company.