Did you know Cybrary's video training is FREE? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
This lesson covers the audit charter, which is the authority issued by an organization's executive management to perform an audit. Participants learn about the audit committees within an organization, these are the people who make sure audits progress accordingly. This unit also discusses the objectives and scope of an audit. There are different types of audits: 1. Product or Service 2. Process 3. System 4. General Control 5. Organizational plans It's also important to remember the client has duties when preparing for an audit such as deciding the scope and objectives an audit. [toggle_content title="Transcript"] Alright, so starting with our audit charter. This gives the authority required to do the actual audit. Some authority is needed since the auditor is going to be asking questions and doing various things; asking other people for help, and they need to be able to carry some authority with them or refer to someone else who has the authority to make sure that people cooperate and that they get the answers they need in a timely fashion. So the executive management of the board directors is responsible for this. The audit charter should detail the scope of the audit as well as the objectives. Shows who's giving the authority to command the resources required to do the audit and it also shows who is accountable for the different activities as they progress throughout the progress of the audit. What are going to be the reporting requirements? So what does the audit committee actually do? We can see the relationship to the board of directors. We've got the CEO and the COO working together. Maybe your CFO and the auditors are somewhat more separated but they all form the audit committee. Everyone that's in the audit committee should have the ability to read financial statements, basically a high level of financial literacy. This committee should exist in every organization. It may not be as formally defined as we would like, but the concept should still be there that you've got a core group of people that's responsible for making sure that audits progress accordingly. In addition to financial literacy, the people in the audit committee should have perhaps accounting training or other professional credentials, or related work experience, to show that they are in the right position to manage this kind of work. So we talked about the engagement letter. This delegates authority, to an external organization sometimes, if that's the case. Or it defines the authority required, even if it's an internal audit that's taking place. So different things that the engagement letter needs. It should have the audit charter outlined so that all the relevant points are detailed and well understood. Shows that the auditor is independent and has the correct level of responsibility. There's an agreement for terms and conditions that the audit will take place under these circumstances. It'll take this long. It's expected to use this many man hours, or cost this much money. And then we haves the completion dates, which tries to close the loop to say that 'It should be done by this time period,' and maybe you've got some contingency plans if these conditions cannot be met. So what about the objectives and the scope of the audit? These need to be carefully considered by management. They are going to be the ones that are looking at the way the business works and what impact the audit might have on their operations. So do they use a formally adapted standard in order to do the audit? Is there a certification required? In certain industries, that's a necessity. It just depends on which regulations or industry standards you are subjected to. As far as the data, what data is involved? Is it financial? Is it engineering data? What actually will be done with the data? How will it be used? Who is it being collected for? These are all good questions to answer upfront so that you can clearly understand what the end goals are and what will be done with the information as it's generated? What about the technology platform? Are we going to be using paper, or specialized tools, or some blend of those things? This is a good thing to learn about ahead of time as well so that there isn't wasted effort on tools and methods that aren't going to be acceptable to the client. Where does the actual work get done? Dealing with our facilities. Are the systems or assets being audited all in one place, or are they dispersed through various different offices or divisions? What about space for the staff themselves? If you have to put an audit team into a conference room or give them some cubicles, that should be known as a requirement ahead of time so that you don't end up with a situation where people show up to do their work and you have no space for them to actually sit down and do it. Who are the people that are going to be involved? Will the auditee have people that they want to assist the auditors? So this is where a skills matrix comes into play, showing who's got various talents and experience that are applicable to the audit at-hand. Now we'll think about different audit types. Product or service audit, that's a pretty straightforward idea. We're trying to make sure that something is working correctly, that it's providing the intended benefit to the client or to the customer, or we can audit processes. Trying to make sure that each individual process produces the exact results that are desired, and also that the methods being used are correct. Maybe you're auditing a system: making sure its design or configuration is acceptable or meets certain criteria or certain standards. We have some security controls; preventative, detective and corrective controls. We'll talk a little bit more about those later. Or maybe you're auditing organizational plans. How is the organization dealing with their current objectives? What are their short, medium and long-term plans? Questions might arise about the business operation itself. What are the business cycles? If it's a retail organization, maybe you have to focus on the fact that the holiday shopping season is the busiest time of year. Financial organizations, maybe they're more busy during the tax time of year. So these are different levels of understanding that need to be documented ahead of time and accommodated as required by the auditors. What about reporting cycles? There might be annual or quarterly or monthly reporting cycles. Those should be well understood. Critical business processes; those things that keep the organization viable, should be understood as a different type of process versus something that is of secondary importance. What about auditors being able to tour facilities? Who should be interviewed? What kinds of schedules are required for people to be available for interviews? What about existing plans? If the organization is planning to expand or merge with another organization, or some other kind of large scale effort that should be a known quantity before the full understanding of the business operations can be achieved. Strategic objectives; remember tactics feed-up into strategy. So is the organization doing something in the near future that's going to impact the ability to do audits? How are they integrating their IT initiatives with requirements for budgetary spending? What are the defined goals of the information systems? Maybe medium and long-term plans. Plans that are 1-3 years, or three years or more. How are those going to be affected by some of the goals of the organization? What work is happening between now and the end of the year, or the end of the fiscal year? Good questions to ask so that there's an understanding of what the organization's doing. This helps to differentiate a chaotic time period versus a normal period where we can have a baseline understanding of what the organization's doing on a day-to-day basis. Financial objectives: these are important things to think about, always the bottom line has to be kept in-mind. What kind of outlay is being currently considered for projects, or future projects? Sometimes people use the term 'burn rate', because you've got a bunch of cash reserves for various projects, how quickly is that being depleted relative to the requirements for the organization's projects? Business continuity plans might be worth discussing. Financial reporting objectives. These are all things to think about. Then we have operational objectives. What about whether this would be an administrative audit? How do we measure performance and how do we deal with those metrics once we've gathered them? How is capacity planning done? Who's responsible for deciding, based on your current growth and income trends, what your capacity might need to be a year from now, or two years from now? Business continuity strategy: that's an important concept. It comes up again and again. Always trying to think about what you would do if the organization suffered some kind of a disaster. What about plans for increasing staff, or reducing staff? These are things that might affect other decisions as they relate to understand the business and what the organization actually does. So we have to think about scope. Scope comes up in many different contexts, but having restrictions on the scope is something to also think about. It could be that there are people in management or there could be political pressures that might affect the way that the scope gets dictated. There could be resistance or non-cooperative elements within the organization that are making an audit program more difficult to be successful. There might not be enough resources. It could be that the organization is trying to do more with less; they've got a very minimal staff and therefore it's difficult to get certain things done because people are too busy with their day-to-day activities. What about if your audit procedures themselves are just ineffective, they're not producing the results that are required? That could affect the ability to expand the scope to the desired level. Alright, so let's talk now about gathering requirements for an audit. The client has their own duties. They must set the scope and of course they have to do their own internal analysis to determine if the scope is appropriate, based on their level of resources. They decide what the objectives should be. They give access to the auditor and whatever other resources they actually require to get the work done. They also would define how they want the reporting to be done, and if there's any confidentiality requirements they would dictate those as well. The auditee also has to think about confirming that the audit is being done for the right reasons, that the scope is correct. Defining critical success factors, or CSFs. These are ways to measure performance, maybe in a milestone fashion, or some other mechanism that makes sense to the client. They decide what the roles and responsibility of different personnel will be. Try to assist when evidence gathering is being done. Giving the access to auditors so that they can communicate with previous auditors if needed, or be able to review previous audit records. Then also thinking about reporting to senior management certain details and certain progress as the audits are progressing. The auditor has some duties as well. They need to be able to accomplish their objectives by doing proper planning: make sure that they can reach their goals or their milestones as needed based on the requirements of the audit and their available resources. Trying to understand which standards will be used. Of course the client has some say in this, and there should be some agreement ahead of time to make sure everyone is on the same page. How are the audit procedures going to be documented or identified? It's good to have this understanding ahead of time so that there isn't any activity being done in a fashion that's not compliant with what's actually required for the audit itself. Having a detailed project plan. Making up schedules that show when certain events will take place, whether it's examining something, interviewing something, doing some testing. And then not the least important, providing cost estimates for the audit. So having a planning approach that's systematic makes a lot of sense. That way the auditor can do their job in a predictable, more efficient fashion, as time goes on. So, as a fundamental objective, we're trying to make sure that we have the proper controls being implemented to protect assets. We also want to make sure, as a secondary consideration, that all of the actions of the auditor and the organization themselves are within the law and compliant with regulations. So, thinking about this in four smaller steps: we want to think about the plan. Is there a defined method that should be used? If the plan is in-place, is it being followed correctly? Then we check to see if anyone is monitoring the processes that are being audited. Then, lastly, during the act phase; you're looking at the differences to see, 'This is what we expected. This is what we've found. What is the difference between those two?' So what is the difference between a traditional audit versus an assessment or a self-assessment? This is a good question to ask. Traditional audits use a professional auditor, using their formal skills. The auditor then manages the entire process and offers an opinion. An assessment, on the other hand, is more of an informal activity trying to verify certain things that may already exist in the environment; trying to make sure that you've got everything implemented that was supposed to be implemented, but it's only as useful as the skills of the people doing the assessment. The internal assessment is a self-assessment. This is what the auditee does on their own, and this could be done in support of other types of audits where the auditee can generate some information, gather some evidence which could be useful to the auditor to make their job a little bit easier and to make the overall process less time consuming and more efficient. Alright, so if you're performing an audit risk assessment, we have to think about the different types of risks. So inherent risks are self-defining. These are things that are always there. There's always some risk in a particular type of process or the type of business that an organization engages in. What about detection risk? Here, the risk is that we're not able to detect something that should have been detected. Sampling risks: this could be that the auditor's sampling procedures are flawed in some way. So maybe they are rejecting something they should not or they're accepting something they shouldn't. That can go both ways. Non-sampling risks would be that the auditor doesn't detect something that they should have because they didn't do enough sampling, or they didn't sample the right kind of information. Then there is the control risks where there could be cases where the auditor; maybe their procedures are a little bit sloppy, or they're not doing things correctly so now there are errors that get introduced, or they lose control of the process somewhat and these things need to be discovered so that they can get corrected. There are also business risks. So these are related to regulations or contracts. They could be related to financial aspects of what the business is doing. Risks for technology as well. If systems fail or technology becomes outdated, or is discovered to be flawed, then that could constitute a technological risk. Operational risks, there are some things that just don't work right in the organization. Maybe they used to work right but now they don't, or there's a flawed process and therefore it doesn't produce the desired results. And because we can never completely remove all risk, we have to think about residual risks. So you work as hard as you can to get rid of the risk or maybe get it to a level that's acceptable, and whatever's left over is therefore a residual risk. Then these all kind of pull together to give us some of the audit risks. So knowing that the information that's being sampled is being done correctly, that we're getting the required level of evidence and that the analysis is being done correctly as according to different standards and professional expectations. Alright, so moving on, we have to think about the risk management strategy. So the auditor thinks about this in the context of what the risk are to the organization. What assets need to be protected? What kind of exposure to risk is there for those assets that need to be protected? What kind of threats are there? Are the threats internal, or external, or both? Then, lastly, how do we deal with different security issues? Then we think about the responses to risk. One thing you can do is accept a risk. This is only advisable, of course, when the risk is within your risk tolerance. If you accept a risk that's a dangerous thing to do, then that would be a poor decision. But it is a choice that's available when the conditions are right. You can also mitigate risk, so you find that there's a problem, you do the best that you can to reduce the risk as low as possible. We can also transfer risk. Typically this is done by buying insurance, or you can transfer it by having someone else do the activity, like a sub-contractor or a consultant. Lastly, we try to avoid risk. So this would be a situation where some activity is considered undesirable, so you just don't do it at all. Or you don't use a certain tool or a certain asset in a certain way so that the risk is completely removed from the equation. Alright, so all of these things that we've been talking about should help get to the point where we can decide if the audit is actually feasible or doable. Is it going to produce results that are actually useful and meaningful? Are the goals that the auditee or the client has set; are they realistic, or are they trying to over-reach somewhat? This would be a good time to understand that. Is there enough time to do this audit with the desired level of quality? Do you have the proper skills to do the work and is the auditee cooperative? There's a lot of factors beyond this as well that would dictate whether or not the audit will actually be feasible. [/toggle_content]