Abstract
The role of IT audit and other digital assurance functions is to provide comfort to stakeholders regarding risks and the controls that have been implemented by management to safeguard an organisation. This paper discusses the misalignment between digital assurance activities and security testing. When performing security testing from an assurance perspective, it is common for the discussion with management to focus on the number of findings, not necessarily the impact. From a security testing perspective, a single finding could result in a business compromise, or multiple low findings could be chained together to result in a more significant business impact. Citing example findings across multiple sectors and geographic locations, the paper details what security testing results often look like, related challenges in an assurance context, the difference between security testing and other assurance activities, how to get management buy-in, and key recommendations on how best to use security testing as part of a digital assurance toolkit, with the caveat that scarce specialist skills are required.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callSimilar Papers
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
