AUDIT ENGAGEMENT LETTER Draft 
10/23/2013
Dear The Management Committee of XYZ Company (“XYZ”): The purpose of this letter is to set out the basis on which we are to act as Information System auditors of the XYZ and the respective areas of responsibility of the XYZ’s Management Committee (“MC”) and of ourselves.
Project Overview Any organization that depends on technology in the conduct of business needs evidence that such technology is efficiently and securely managed. A security policy is a set of vital mechanisms by which the XYZ’s security objectives can be defined and attained. These key information security objectives should consist of:
Confidentiality to ensure that only the people who are authorized to have access to assigned areas are able to do so. It’s about keeping valuable information only in the hands of those people who are intended to see it.
Integrity to maintain the value of logs information, which means that it is protected from unauthorized modification. Logs information only has value if we know that it’s correct. A major objective of security policies is thus to ensure that logs information in not modified or destroyed or subverted in any way.
Availability to ensure that all the utilities and systems are available and operational when they are needed. A major objective of an access security policy must be to ensure that utilities information is always available to support critical business processing. The purpose of this audit is to evaluate the access and security internal controls related to the XYZ and to assess whether there are internal control weaknesses that could allow errors and irregularities to go undetected.
Audit Scope. Based on an initial risk-based assessment plus a discussion with client, the scope has been defined as the 3rd floor VIP rooms and all access points to those rooms. The QTTR audit team has categorized the audit area into three main sections for convenience. Those sections are defined as follows:
1. Outside:
a. Golf putting area
Dear The Management Committee of XYZ Company (“XYZ”): The purpose of this letter is to set out the basis on which we are to act as Information System auditors of the XYZ and the respective areas of responsibility of the XYZ’s Management Committee (“MC”) and of ourselves.
Project Overview Any organization that depends on technology in the conduct of business needs evidence that such technology is efficiently and securely managed. A security policy is a set of vital mechanisms by which the XYZ’s security objectives can be defined and attained. These key information security objectives should consist of:
Confidentiality to ensure that only the people who are authorized to have access to assigned areas are able to do so. It’s about keeping valuable information only in the hands of those people who are intended to see it.
Integrity to maintain the value of logs information, which means that it is protected from unauthorized modification. Logs information only has value if we know that it’s correct. A major objective of security policies is thus to ensure that logs information in not modified or destroyed or subverted in any way.
Availability to ensure that all the utilities and systems are available and operational when they are needed. A major objective of an access security policy must be to ensure that utilities information is always available to support critical business processing. The purpose of this audit is to evaluate the access and security internal controls related to the XYZ and to assess whether there are internal control weaknesses that could allow errors and irregularities to go undetected.
Audit Scope. Based on an initial risk-based assessment plus a discussion with client, the scope has been defined as the 3rd floor VIP rooms and all access points to those rooms. The QTTR audit team has categorized the audit area into three main sections for convenience. Those sections are defined as follows:
1. Outside:
a. Golf putting area