Audit Objectives.
The objectives of our audit are to evaluate security and to assess the strengths and weaknesses of XYZ's security and access controls XYZ-wide with respect to confidentiality, integrity, and availability. We will use professional judgment in determining the standards that apply to the work to be conducted. If this engagement will not satisfy the requirements of all audit report users, laws, and regulations, we will notify you as soon as this comes to our attention.
1. To determine if adequate administrative security controls, such as policies and procedures, are in place to deter unauthorized access, alteration, theft, or physical damage to utilities or properties.
2. To determine if adequate physical and logical security controls are in place to restrict access by unauthorized users to specified sections, and to determine whether essential security functions are being addressed effectively.
3. To evaluate the scope of the information security management organization.
This audit is not designed to replace or focus on audits that provide assurance of specific configurations or operational processes.
Audit Approach
Physical security of the 3rd Floor of XYZ Company will be audited by the QTTR team. The minimum requirements set forth in the General Overview and Risk Assessment section, below, must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the QTTR auditor will use professional judgment to select specific areas for additional focus and audit testing. Specifically, the minimum scope of the risk assessment and audit will include the following as they relate to the 3rd Floor of XYZ Company:
Environmental Controls
Natural Disaster Controls
Supporting Utilities Controls
Physical Protection and Access Controls
Physical Security Awareness and Training
Contingency Plans
The estimated audit time for all sections is 200 hours. This estimate does not include report writing, exit meetings, working paper sign-off, and working paper cross-referencing.
General Overview and Risk Assessment (60 hours)
For XYZ Company management, general overview procedures will include interviews of department management and key personnel; a review of available logs or documents; evaluation of policies and procedures associated with security and access controls; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the physical environment.
Physical security defines the various measures or controls that protect an organization from a loss caused by theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical security measures should be sufficient to deal with foreseeable threats.
The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview.
Audit Objective:
Obtain an understanding of significant processes and practices employed in maintaining and monitoring physical security for XYZ Company's utilities and properties, specifically addressing the following components:
- Management philosophy, operating style, and risk assessment practices, including:
  - Awareness of and compliance with applicable laws, regulations, and policies
  - Planning and management of physical security resources
  - Efficiency and effectiveness programs
- Organizational structure, and delegations of authority and responsibility for physical security standards, policies, and monitoring
- Process strengths (best practices), weaknesses, and mitigating controls
- Compliance with applicable laws, regulations, policies, and procedures
Areas of Risk:
The physical security risk assessment processes may not identify key areas of risk, including:
- Natural disasters such as fire, earthquake, flooding, etc.
- Environmental controls such as