NIT SP 800-53A R4
NIT SP 800-53A R4 “defines the three assessment methods that can be used by assessors during security and privacy control assessments: (i) examine; (ii) interview; and (iii) test. The application of each method is described in terms of the attributes of depth and coverage, progressing from basic to focused to comprehensive.”
CISA Review Manual, 26th Edition
According to CISA review manual, 26th edition, IS audit is the formal examination, interview and/or testing of information systems to determine whether:
– Information systems are in compliance with applicable laws, regulations, and/or industry guidelines.
– IS data and information have appropriate levels of confidentiality, integrity and availability.
– IS operations are being accomplished efficiently and effective targets are being met.
Audit as Independent Assessment
Assessments conducted by independent parties are called audits. First-party audits are conducted by the internal audit function or department. Second-party audits are conducted by external parties such as first-tier customers per the contractual requirements. Third-party audits are conducted by external parties like the big four accounting firms or ISO certification bodies.