Search…
Overview
Index
References
Terminology*
Standards*
(ISC)2
Code of Ethics
CCSP
Concepts/Topics
Auditing
Audit Planning
Audit Responsibilities
BC/DR*
Business
Cloud
Data
Forensics
IAM
Legal
Risk
Software
Technology
Training
Laws
Argentina
Australia
Canada
EU/EEA
International
Russia
Switzerland
United States
Standards
Auditing and Assurance
Cloud Computing
Cloud Computing Reference Architecture
Data Center Design
Forensics
Privacy
Risk Management
Secure Architecture and Design
Secure Application Development
Security Management and Controls
Supply Chain
Models and Guidance
Application Risk Management
Cloud Computing
Cloud Computing Certification
Cloud Computing Risk Management
Security Management and Controls
Threat Models
Powered By GitBook
Auditing

Terminology

Acronyms

Acronym
Definition
AUP
Agreed-Upon Procedures

Definitions

AUP

An agreed-upon procedure is a standard a company or client outlines when it hires an external party to perform an audit on a specific test or business process. The procedures, which are called audit standards, are designed and agreed upon by the entity conducting the audit, as well as any appropriate third parties.
The auditor does not provide an opinion; rather, the entities or third parties form their own conclusions based on the report.

Auditability

Auditability is collecting and making available necessary evidence related to the operation and use of the cloud.

Gap Analysis

To create an accurate frame of reference, a gap analysis is conducted. This is like a lightweight audit in that there are generally findings of weaknesses or vulnerabilities, but the purpose is to identify those weaknesses so they can be remediated prior to any actual audit work. It also provides a starting point for those organizations in the early stages of an information system program development, providing them with a clear starting point.
Gap analysis benchmarks and identifies relevant gaps against specified frameworks or standards. This includes reviewing the organization's current position/performance as revealed by an audit against a given standard.
The value of such an assessment is often determined based on what you did not know or for an independent resource to communicate to relevant management or senior personnel such risks, as opposed to internal resources saying what you need or should be doing.
Typically, resources or personnel who are not engaged or functioning within the area of scope perform gap analysis. The use of independent or impartial resources is best served to ensure there are no conflicts or favoritism. Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, whereas the personnel in the target department may be constrained by habit and tradition.

Purpose

Auditing forms an integral part of effective governance and risk management. It provides both an independent and an objective review of overall adherence or effectiveness of processes and controls. Audits verify compliance by determining whether an organization is following policy. This is not to be confused with verifying whether policy is actually effective. Testing is the term used to ensure policy is effective.
Previous
Domain 6
Next
Audit Planning
Last modified 2yr ago
Export as PDF
Copy link
Outline
Terminology
Acronyms
Definitions
Purpose