Page 1078 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
staff performing these audits normally have a reporting line that is
completely independent of the functions they evaluate. In many
organizations, the chief audit executive reports directly to the
president, chief executive officer, or similar role. The chief audit
executive may also have reporting responsibility directly to the
organization’s governing board.
External Audits
External audits are performed by an outside auditing firm. These
audits have a high degree of external validity because the auditors
performing the assessment theoretically have no conflict of interest
with the organization itself. There are thousands of firms that perform
external audits, but most people place the highest credibility with the
so-called Big Four audit firms:
Ernst & Young
Deloitte & Touche
PricewaterhouseCoopers
KPMG
Audits performed by these firms are generally considered acceptable
by most investors and governing body members.
Third-Party Audits
Third-party audits are conducted by, or on behalf of, another
organization. For example, a regulatory body might have the authority
to initiate an audit of a regulated firm under contract or law. In the
case of a third-party audit, the organization initiating the audit
generally selects the auditors and designs the scope of the audit.
Organizations that provide services to other organizations are
frequently asked to participate in third-party audits. This can be quite
a burden on the audited organization if it has a large number of
clients. The American Institute of Certified Public Accountants
(AICPA) released a standard designed to alleviate this burden. The
Statement on Standards for Attestation Engagements document 16
(SSAE 16), titled Reporting on Controls, provides a common standard