Today, transferring almost any information to virtual environments, facilitating access to information and widespread use of information systems can cause major security problems. “Information and Communication Security Audit Guide” has been published in order to reduce and neutralize the security risks encountered in order to ensure Information and Communication Security, and to ensure the security of critical data that may threaten national security or cause disruption of public order, especially when its confidentiality, integrity or accessibility is impaired. Institutions included in the Information and Communication Security Guide are expected to carry out certain studies. These studies; planning, implementation, managing changes, controlling and taking precautions.
It is necessary to select a certain universe in order to effectively evaluate the findings in the audits to be made in order to ensure information and communication security. The “Universe” is the group that the researcher thinks will best reflect the event or phenomenon he or she is examining, or that he wants to get information about. The universe consists of elements and masses (individual, class, unit, element, event or phenomenon, etc.) where different elements come together and have a very large data area.
In information and communication security control, the target universe is "asset groups". The audit team should act with a risk-based audit approach and take the materiality criteria as a basis while determining which asset groups within the framework of the guideline compliance activities to include in the scope of the audit.
The group that the researcher examines, is interested in, wants to have an idea about and takes from the universe he is actively researching and thinks represents that universe is called "sample". The sample is the set that is thought to best represent that universe in cases where the entire universe cannot be measured. In order to determine the sample, it is necessary to determine the "target population" first. In order to carry out the research, it is necessary to determine the data related to the target population; The target universe is the universe that the researcher examines, is interested in and wants to generalize the results determined as a result of his work. The target universe may also be individuals, groups, social institutions or events and phenomena that the auditor will refer to in the direction he wants to practice.
After the target population is determined, a sampling frame is created that is believed to best reflect the population and clarify the details requested from the study. A “sampling frame” is a list of items or elements that can literally represent the universe. After the sampling frame has been determined, each element that makes up the sample should be determined, similar to the elements in the universe. In order to reduce sampling errors, first of all, the sample size to reflect the universe should be adjusted in a balanced way. “Sample size” is the number of elements that can reveal the details of the universe.
Sample Selection Methods
In the audit study, the control of whether the sample reflects the target population in the best way can be understood by looking at the way the samples are selected. It is possible to examine the sampling method under two main headings as probabilistic (non-purpose) sampling and non-probabilistic (purposive) sampling methods, depending on whether there is a probability element in the selection stage and the research objectives and research questions are clearly expressed.
|
Sampling Type |
Purpose |
| Outlier or Abnormal State Sampling | Learning unusual findings related to the relevant case or learning from the unusualness of the case |
| Density Sampling | Explanation of the information-laden states of the phenomenon intensely but without exaggeration. |
| Maximum Diversity Sampling | Identifying broad situations and important common patterns to identify differences |
| Homogeneous Sample | Focus, reduce diversity, simplify analysis and facilitate group discussions |
| Typical Case Sampling | Show typical, ordinary, normal or average situations |
| Critical Case Sampling | Making logical generalizations and applying knowledge to different situations |
| Snowball or Chain Sampling | To be able to explain different phenomena by reaching from person to person and from person to situation |
| Criteria Sampling | Identifying situations that meet certain criteria |
| Theory-Based Sampling | Constructing or verifying theories |
| Confirmatory or Falsifying Case Sampling | Exploring difference and diversity, deepening fundamental analysis |
| Stratified Purpose Sampling | Facilitate comparisons and analysis by identifying specific subgroups |
| Opportunistic or Emerging Sample | Taking advantage of unexpected situations |
| Purposeful Random Sampling | Reduce prejudice; increase credibility and reliability |
| Political or Political Situation Sampling | Avoid potential interest by drawing attention to research or removing sensitive topics from research |
| Easily Accessible or Convenient Sample | Choosing the easy one; save time, money and effort at the expense of knowledge and reliability |
| Hybrid or Mixed Sample | Triangulation, flexibility; meet a variety of interests, multiple goals and needs |
¹ Table 1: Sampling Methods in Qualitative Research
Sampling methods affect the validity, reliability, consistency, orientation and credibility of the audit scope. In this context, auditors should have the knowledge, skills and determination to select these examples so that they can focus on examples that they think will best reflect the facts.
Sample Volume
The sample size may vary depending on the depth of the data and the purposes of the research. sample size; It depends on what the researcher wants to know, the purpose of the research, what is on the agenda, what will be useful, what will be credible, and what can be done with the time and resources available.
Determining the sample size in qualitative research is about the compromise that the researcher will make between breadth and depth. With the same fixed resource and limited time, a researcher can work with a large number of people (breadth) while a researcher can work with a smaller number of people (depth). If the cases under study are informative, in-depth information from a small group of people may be more valuable than limited information from a large sample. More superficial information from a large number of people can be helpful in determining the boundaries of a phenomenon and examining different situations or understanding their changes.
Gathering Audit Evidence in Information and Communication Security Audit
In the Information and Communication security audit guide, some basic elements that should be included in the audit evidence regarding the implementation of the audit are mentioned. Audit evidence refers to all information, documents and documents obtained during the audit to provide a basis for the audit report and the auditor's opinion. While collecting audit evidence, the auditor can use the previous audit report and findings. If the audit is carried out through service procurement, it is the Authority's discretion to share the audit report and findings with the service provider. Sufficient, appropriate and reliable audit evidence should be gathered to reduce audit risk to a reasonable level. The key elements and explanations that should be included in audit evidence are given below:
- Reliability: The appropriateness of the source from which audit evidence is obtained, under what circumstances and at what time.
- Relevance: There is a logical link between the audit evidence and the purpose of the measure whose effectiveness will be evaluated.
- Sufficiency: The audit evidence is at a level to strengthen the auditor's assessment.
- Repeatability: The evidence obtained by the auditor can be obtained by another auditor under the same circumstances.
More than one audit method may be used in combination when collecting audit evidence to provide reasonable assurance on the audit opinion. In some cases, the auditor may ensure the adequacy of the audit evidence to be collected by an automated single control test, while in some cases the auditor may use sample selection methods. ²
Application of Sampling in Information and Communication Security Audit
Although the application process of the sample seems to be based on decision making in general, it can also vary depending on the auditor's method knowledge, research skills and experience, and knowledge in the field of auditing. Differences can also be seen in the stages of determining samples and collecting data from different types of research methods.
Stratified Purpose Sampling: Stratified purposive sampling is a new sample group that is purposefully selected from the stratified sample. At this point, the selection of a new sample from an already determined stratum in line with the purpose of the research is stratified purposive sampling.
Stratified purposive sampling serves the purpose of “facilitating comparisons and analysis by identifying certain subgroups” as indicated in the table. If it is necessary to decide specifically on the type of sample to be used in the information and communication security audit, it would be the most accurate method to determine the asset groups in line with the stratified purposeful sampling method.
There are three factors in the purposive sampling selection approach:
- Who will be selected as the sample (or locations) for the study,
- Characteristic sampling methods,
- The size of the sample to be studied
is decision making
Selecting the sample according to the items given above is an important method to be used by the audit team when deciding whether the measures are effective or not. Sample selection is a process that must be applied when the audit is conducted on a sufficient number of assets, process records and transactions to form an opinion on the audit report.
¹ To examine the sampling methods in detail: 497090 (dergipark.org.tr)
² To access the Information and Communication Security Audit guide: https://cbddo.gov.tr/SharedFolderServer/Projeler/File/BG_Denetim_Rehberi.pdf
