
Which of the following is not an audit conducted by external parties? (Wentz QOTD)
A. First-party audit
B. Second-party audit
C. Third-party audit
D. Regulatory audit
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. First-party audit.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Audit
systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the organization itself.
Note 2 to entry: External audits include those generally called second and third party audits.
Second party audits are conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf.
Third party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity or governmental agencies.
Source: ISO 19011
Audit criteria
set of requirements used as a reference against which objective evidence is compared.
Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance” or “non-compliance” are often used in an audit finding.
Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.
Audit evidence
records, statements of fact or other information, which are relevant to the audit criteria and verifiable
Audit findings
results of the evaluation of the collected audit evidence against audit criteria
Note 1 to entry: Audit findings indicate conformity or nonconformity.
Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good practices.
Note 3 to entry: In English, if the audit criteria are selected from statutory requirements or regulatory requirements, the audit finding is termed compliance or non-compliance.
Audit conclusion
outcome of an audit, after consideration of the audit objectives and all audit findings.
Reference
Which of the following is not an audit conducted by external parties? (Wentz QOTD)
A. First-party audit
B. Second-party audit
C. Third-party audit
D. Regulatory audit
It seems that the most recent questions are lacking a ‘suggested answer’?
Sorry about that. My response is getting behind because of my tight schedule.