When documented security procedures do not exist, what should an IS auditor do?


In a situation where documented security procedures are lacking, the best course of action for an IS auditor is to identify and evaluate existing practices. This approach allows the auditor to understand what informal or unrecorded security measures are currently in place, assess their effectiveness, and determine how well they align with established security principles and frameworks.

This evaluation is critical as it provides insights into the organization's current security posture, helping to identify gaps and areas for improvement. By understanding existing practices, the auditor can make informed recommendations for developing formalized security procedures that are tailored to the organization’s specific needs and risks.

Creating a procedures document based on current practices may seem logical, but without a thorough evaluation the auditor risks formalizing weak practices that do not provide adequate security. Simply issuing an opinion and ending the audit without a deeper analysis would overlook valuable information and fail to provide constructive feedback. Conducting compliance testing on available data without knowing the context of existing practices may yield misleading results and would miss the opportunity to enhance the organization's security framework.
