1 hour 21 minutes
Greetings, everyone. Welcome to Cybersecurity Audit Overview, Episode Three: When to Perform a Cybersecurity Audit.
Now, the learning objectives are for you to learn what is an annual audit, what is a quarterly audit, what is a special audit,
as well as understanding the purpose of an audit schedule.
The annual audits are normally performed
once a year,
and that's just done to meet audit requirements.
Basically, what that means is that every entity, every division, every program should be audited at least once a year.
Now, annual audits are there for lower risk programs, or programs that are more stable than others.
Now, quarterly audits, on the other hand, are performed on higher risk programs.
That means that there's a lot of differences, a lot of activities going on. We need to take a look at them more frequently than just once a year.
And there are also special audits because of, as we discussed before, abnormalities like data breaches, new leadership, lawsuits, et cetera,
that require us to go in and take a look at something.
Now, here's a definition from ISACA regarding annual audits.
Cybersecurity audits should be planned on an annual cycle, taking into account consideration of the business cycles
and causing minimal disruption of business activities.
Now, the cycles can be calendar year or fiscal year, and calendar year basically means January 1st to December 31st.
Fiscal cycles, however, are different,
and not all organizations will have the same fiscal years.
For example, the federal government fiscal year begins October 1st and ends at the end of September.
The audit should also be scheduled to make sure there's minimal disruption to business activities.
This is because audits are often intensive and time consuming, and the last thing you really want to do is schedule an audit during the busy part of the year for a particular division or department.
Now, quarterly audits, on the other hand, are there to monitor higher risk programs or functions.
All right, some examples are access control
or configuration management.
With regards to access control,
whenever an employee checks in, you want to make sure that they're given access to all the appropriate parts of the organization,
email, et cetera.
When they leave, you want to make sure that you cut all that stuff off immediately. That's for the security of the organization.
They're no longer an employee, so they don't need access.
Now, because of that, you don't want to wait 365 days to make sure
that people are performing access control properly.
You'd like to do that every 90 days or sooner if possible.
Quarterly audits can also be performed to verify correction from previous audit failures. For example, consecutive failures within a program or division
may need additional oversight
If they haven't fixed them in the past two audits, you're going to have to do quarterly audits to make sure that they are working towards correcting those deficiencies.
And quarterly audits may also be performed as part of new programs or projects. Management needs an unbiased status update on a new program or new project as it's being implemented.
And what better entity to do that than the internal audit team?
And special audits?
Well, basically they're abnormalities or unplanned events that require attention. We talked about this before: data breaches, leadership,
and they're often directed by management. Management wants us to go in, take a look at it and basically brief them on the current situation.
All right, here's our first quiz:
Which of the following statements are true?
Annual audits are based on calendar or fiscal year cycles.
Quarterly audits are for higher risk programs
or special circumstances may require an unplanned audit.
Now, the correct answer is all of them.
They are based on calendar or fiscal year cycles. Quarterly audits are for higher risk programs,
and special circumstances, abnormalities, may require an unplanned audit.
All right, let's talk about the audit schedule.
Now, the audit schedule is a predetermined and pre-approved schedule of planned audits,
approved by senior leadership, and published and distributed. Simple to understand, right?
Well, the only problem is you can't use last year's audit schedule, change the dates on it and then resubmit it and think it's gonna work for the upcoming year.
Now, why is that?
That's because every single audit schedule has to be planned according to organizational requirements,
and they can change from year to year.
For example, an entity that used to be on a quarterly audit schedule
now has changed to an annual audit schedule.
You have to take them into account.
You also have to take into account the fact of holidays
and special days like company picnics or company meetings.
You know, the Fourth of July
American Independence Day is always going to be on the Fourth of July.
However, the Fourth of July in one year can be on a Thursday,
and the following year it can be on a Monday,
so you have to take that into account when you're actually building your audit schedule.
Now, once you have your audit schedule planned out and approved,
then that document helps provide planning for the audit team and the organization
For the audit team, that gives you an idea of when your audits are actually gonna be occurring, and it allows people to take vacation time in between the audits.
And, as far as the organization's concerned, it gives them advance notice of when to expect an audit to be occurring. This way, they can plan for it in advance.
The audit schedule should be approved by senior leadership,
and the reason for that is fairly straightforward.
Sometimes you're gonna come across an individual who says, "Well, you know, unless it comes from my boss or my boss's boss, I really don't care."
This way, by having it signed off at the highest level possible, CEO or president level, it's gonna increase employees' interest as well as their opportunity to participate in the audit.
Now, the audit schedule must be published and distributed.
This is because it provides advance notice of the audits
to the auditees.
We all can understand that secrets and surprises are not good.
Okay, time for no matter which bomb.
During a time when I was a quality assurance officer,
I used to personally hand out the audit schedule
to different department heads and entities that we were auditing.
Now this was an act of good faith on my part,
basically making sure that they actually had a copy handed to them personally.
And this way they couldn't say, "Well, I didn't know," or "We didn't have time to prepare." You were given advance notice directly by myself.
All right, last quiz.
Which of the following statements are not true? Once again, not true.
Audit schedules are based on calendar or fiscal year cycles.
Audit schedules should be kept quiet to improve negative results.
Audit schedules should be approved by higher authority.
Well, it was fairly obvious.
"Audit schedules should be kept quiet to improve negative results" is incorrect.
Schedules should be published. Once again, secrets and surprises, they're not good for anyone.
In this video, we discussed annual audits, quarterly audits, special audits and audit schedules.
All right, if you're ready, let's move on to the next episode.