. Prepare a detailed audit plan (Audit Plan) by specifying objectives. Audit scope, work plan, procedures, and details of operations, which cover three main audit tasks for the system as follows:

 

Information Technology General Control Audits (ITGCs) are based on critical controls by ISO/IEC 27001: 2013 Information Security Management System (ISMS). It covers governance and management of information technology at the organizational level, including:

• Strategic Planning and Budgeting

• Risk Management and Management

• measuring and evaluating performance; and

• Reporting on compliance with relevant policies

 

IT Application Controls only checks the controls designed in the system program.

And there are automated controls to ensure that the system has adequate, accurate, and reliable power, including:

• Logical Access Controls

• Automated Work Flow Rules such as PR/PO approval workflow

• Field entries are enforced based on predefined values, e.g., automatic credit limit check, Configuring automated accounting, setting the Tolerance Limit of the difference in price and quantity for debt settlement in the system (3-way match), etc.

• Automated calculations such as sales price calculations Calculation of the cost of raw materials and goods

 

Personal Data Protection Audit ensures that The organization has adequate and appropriate information technology protection measures. To prevent any unauthorized or misleading collection, use, or disclosure of personal information; and by the Personal Data Protection Act B.E. 2562, covering the following topics:

• Formation of Data Protection Policy and Privacy Notice

• Maintaining records of personal data processing activities

• Personal Data Protection Impact Assessment

• Management of request and withdrawal of consent (including Cookie Consent)

• Management according to the rights of the personal data subject

• Deleting, destroying, or making personal information non-personally identifiable after the expiration of the retention period or which is not related to or beyond the necessity to collect that personal data or as requested by the data subject or where the owner of the personal data has withdrawn his consent

• Management of personal data breach incidents

• Formation of an agreement between the data controller and the data processor (Data Processing Agreement)

 

2. Carry out an examination of information technology work according to the audit scope in item 1, which covers information technology general control audits. Inspection work for specific control systems and audit work on personal data protection

​

3. Meeting to discuss the inspection's closing and the audit's conclusion with the staff and the organization's management to confirm the correctness of the issues detected and find a solution. And prepare a draft audit report showing the findings, Clarifications of the relevant management of the organization, risks, impacts, and recommendations for improvement that are clear and actionable to the organization's direction for information.

​

4. Prepare the Final Audit Report and present the report to the Audit Committee for acknowledgment. Including giving advice and answering questions and discussions with the Audit Committee. for improvements that are beneficial to the operations of the organization