Information System Audit & Assurance

An information system is essentially made up of five components: hardware, software, database, network and people. These five components integrate to perform input, processing, output, feedback and control. Hardware consists of input/output devices, processors, operating systems and media devices. Software consists of various programs and procedures. A database consists of data organized in the required structure. A network consists of hubs, communication media and network devices. People consist of device operators, network administrators and system specialists. Our Information System Audit service gives an organization the ability to understand the issue areas in its information system at all five component levels.

We provide audit & assurance services for the following types of IS:

  1. Operations Support System

  2. Transaction Processing System

  3. Process Control System

  4. Enterprise Collaboration System

  5. Management Support System

Our IT specialists examine your organisation’s end-to-end IT environment and control landscape to identify the strength of its current security controls and pinpoint any potential vulnerabilities.

Our methodology for IT security audit consists of two broad methods:

  • Manual or systematic assessment of an organization’s IT control environment. Manual assessments include, but are not limited to, interviewing staff; reviewing processes, procedures and policies; reviewing or inspecting applications and databases for configurations, workflows and integrations; reviewing application and operating system access controls; and analyzing physical access to the systems.

  • Automated assessment of the organization’s IT systems using tools/software to perform checks for security vulnerabilities (refer to the Cyber Security (VAPT) section for details), forensic assessment of systems and audit log reviews. The assessment covers IT infrastructure (servers, network devices, computers, UTMs, switches, routers and WAPs), applications, databases and any other scoped system.

Our objective for the IT security audit is to provide a comprehensive report that lets management understand the organization’s control design and operating effectiveness, and to recommend solutions for remediation of security risks.

While we tailor every SSAE 18-based SOC 1/2/3 readiness and audit engagement to meet each client’s unique requirements and challenges, our roadmap to compliance typically follows a four-phased approach that creates the general framework of each engagement. Our goal is to create an efficient, unobtrusive framework so that you can focus on your business, and we can focus on your compliance. Our team of readiness and assurance professionals serves our clients by combining knowledge of industry standards and regulatory requirements with proven methodologies and tools to produce cost-effective, value-added results. What really sets us apart from our competitors is our highly personalized, client-centric level of service. We view ourselves as your business partner and treat our engagements as an opportunity to continuously improve your business processes, rather than a mere exercise in compliance.

Our Standard Methodology:

Statement on Standards for Attestation Engagements No. 18 (SSAE 18) addresses the importance of accurately disclosing the relationship between the service organization and the subservice organization.

SOC 1: Provides an assertion by the service organization’s management and independent assurance by service auditors on processes and controls that affect the entity’s financial reporting.

SOC 2: Provides a management assertion and an independent service auditor’s opinion on the SysTrust & WebTrust principles – Security, Availability, Integrity, Confidentiality and Privacy.

SOC 3: Provides an assertion by the service organization’s management and independent assurance by service auditors. Like SOC 2, it is based upon the Trust Services Principles and performed under AT 101; the difference is that a SOC 3 report can be freely distributed (general use) and only reports on whether the entity has achieved the Trust Services criteria or not (no description of tests and results, and no opinion on the description of the system).

It is no longer enough to secure company infrastructure alone. With increasing reliance on third-party services and products, and regulators requiring continuous monitoring of service providers’ environments to ensure customer data is safeguarded, our Vendor Security Risk Management service was developed to help our customers cope with third-party security risks.

Our Approach

Our Domains for Vendor Assessment

  • Security Policy
  • Application Security
  • Incident Response
  • Organizational Security
  • Data Classification
  • Business Continuity Planning
  • Employee Awareness & Training
  • Data Security
  • Disaster Recovery
  • HR Security
  • Vulnerability Management
  • Asset Management
  • Identity Management
  • Access Management
  • Physical Security
  • Fourth Party
  • Cloud
  • Mobile
  • Configuration Management
  • Event Monitoring
  • Change Management
  • Network Security
  • Intrusion Detection / Prevention
  • Contractual Compliance
Compliance Specific

PCI DSS: Network and systems security, protection of CHD, access management, vulnerability management, monitoring, policies and procedures.

Geography / industry-specific compliances, e.g. MAS TRM, APRA PPG 234, HIPAA, CFR 11.

Privacy: Data classification, Privacy Impact Assessment, organization policies and procedures, awareness, data flows, security controls for data at rest and in transit, incident management, access management.