Internal Control Questionnaires for
Find out in more detail what the ICQs actually look like by checking this sample - the malware ICQ. Note: although the sample is an Acrobat PDF version, we provide customers with the original/unlocked editable files produced by Microsoft Word for ease of customization and use.
The ICQs are similar in structure and style to the sample, with a mind map overview followed by the actual questionnaire/checklist, typically about 6 pages in total.
The questions are deliberately open-ended in style to encourage the reviewers or auditors to explore and describe the controls in more depth than crude ‘yes/no’ ticklists. In reality, information security is often a matter of “Yes but ...” or “Not entirely ...”. More open ICQs allow the nature or gravity of the findings to determine the depth of analysis.
The SWOT (Strengths, Weaknesses, Opportunities and Threats) column and summary section at the end are used to analyze and record significant findings that deserve management attention. The Ref column is used to reference evidence, policies, interview notes etc. collected and examined during the review.
The pack of 31 generic ICQs costs just US$145*. Given that each one would take an experienced and qualified IT auditor at least an hour to create, let alone the time to research the topic area, we hope you’ll agree that less than US$5 per checklist is outstanding value for money.
Please contact us to buy the ICQs or for further information. We will ask you to sign a license agreement and pay by PayPal using a credit card. The ICQs will be delivered electronically as a Zip file containing the unlocked MS Word documents. We offer support by email - if you need more information or just want to discuss the risks and controls with independent consultants, just let us know and we’d be pleased to help. [The first hour of email support is free of charge.]
These ICQs are intended as general prompts or reminders, and are not literally meant as a set of questions to be asked verbatim. They are generic and do not necessarily address any organization’s specific requirements (e.g. laws and other compliance obligations, business/strategic objectives) that are normally identified during the scoping phase of an independent audit or management review. They are unlikely to be sufficiently comprehensive without modification. They are intended for use by experienced IT auditors and similar competent persons. Use at your own risk. Seek more specific advice and assistance from suitably qualified and experienced advisors with knowledge of your particular circumstances and obligations. None of this is legal advice!
* plus GST (sales tax) for New Zealand customers
Copyright © 2012 IsecT Ltd.