GUID - 5101 - Guidance on Audit of Information Security
Summary
GUID 5101 supplements GUID 5100 by providing guidance on audit of information security. The guidance laid out in this GUID is consistent with the Fundamental Principles of Public Sector Auditing (ISSAI 100) as well as with the Compliance Audit Principles (ISSAI 400).
The transition to computerised information systems and electronic processing of information by auditees in the public sector makes it imperative for SAIs to develop appropriate capacity to audit controls related to information systems. As part of the audit of information systems, there is a need to ensure that controls to maintain confidentiality, integrity and availability of information systems and data (i.e. information security) have been designed and applied by auditees.
The guidance applicable to audit of information systems is outlined in GUID 5100. The objective of this GUID is to provide specific and additional guidance for a compliance audit of information security.
Audit of information security can be taken up as a compliance audit or, in certain circumstances, as a combined audit incorporating financial, compliance and/or performance aspects. This GUID covers audit of information security taken up either as a distinct compliance audit or as part of a combined audit engagement, in order to assess whether IT management meets the necessary standards and requirements for information security.