This lesson discusses the process of planning an audit. It covers topics such as audit programs, which have both a program management and a project management aspect. An organization's size and complexity affect an audit program and how many resources are allocated. Participants also learn about audit program procedures and implementation. This lesson also covers audit records, monitoring and review, and the 10 stages of an audit.

Transcript

Alright, so for chapter three we've got quite a few objectives here. I'll cover just a few. We want to understand the management of the overall audit program. That's kind of the big picture view where we're looking at the maturity of the audit program: is it well-structured? Is it well-designed? We'll talk about how audits get structured and some of the different components and strategies that go into auditing. We'll talk about the planning required for different audits. How do we implement risk control procedures, risk management procedures? What types of controls are expected to be implemented and how will that actual work be done? What about acquiring and using proper audit evidence? We'll look at some different evidence types and how that relates to the objectives of the audit. Then we'll also cover conflict with auditees, or stakeholders, and how that should be resolved.

Alright, so starting off with understanding our audit program. The audit program is just what it sounds like: the bigger picture view of dealing with all of the different audit initiatives, also dealing with the logistics of performing all of those audits. So there's a program management aspect, where we're looking at all the ongoing activities and understanding where the resources are allocated and having a sense of whether or not the current allocation of resources is sufficient to get everything done on time and on budget. We also have to think about the projects.
The projects are the shorter-term goals where you've got some well-defined end point initiative that gets begun, and of course the project management office will manage that. The project manager reports to the sponsor who's paying for the project. So there's an expectation that this person will be answerable to the sponsor as far as projects taking too long, going over budget, perhaps resizing the scope because of misalignment at the beginning of a project. There's a lot of interplay there that might go on. So, speaking of scope, we can look at some of the objectives in scope for projects. We've got some standards here: PCI 1.2, for instance, the payment card industry. They're dealing with sales, finance and IT. They might have a monthly audit because there's a lot of transactions when you're dealing with payment cards. The Equal Employment Opportunity Commission, the EEOC. They're dealing with HR; maybe a quarterly review is good for that. Quarterly with HR again for personnel security clearances. That's a big deal, of course, if you're working for a government or a defense contractor. Then we have a couple of ISO standards: 14001, this is your green initiatives, your environmentally friendly deals with your facilities. Something you might do annually. Then your 27002 series for information management systems. Again, with IT, quality control, something you might do quarterly. So, various different standards require different intervals for review.

So what is the extent of the audit program? This scales, of course, with the size of an organization. Smaller organizations would have a less complex environment and therefore would not need as many resources allocated to auditing as compared to a larger organization, which might have a growing team of auditors that are doing the various different tasks. So there are lots of different things to think about. What kind of product lines are involved? Products or services? How geographically dispersed is the organization?
Is it all in one place or do they have offices in different countries or spread out within one country? What kind of things can be sub-contracted out? Certain tasks are safe enough to have a sub-contractor do them. Of course, the organization's leadership makes those kinds of decisions. Concerns from interested parties: these are basically stakeholders that might have concerns about the way something's being done or not done, and they've got some input for the overall audit program. We have to think about the number of activities that are going to be audited in a given environment, while trying to keep scope considerations in mind. How frequently do the audits happen? How much time do the audits take? How much money is usually expended, or maybe the time is measured in man-hours. Then we have to think about things like low-profit activities or lay-offs, or products or services that are not performing, and how that affects the overall organization. So an audit program needs to look at these factors and many others, of course, to decide what is most important to look at first, and that way there's a prioritization that can happen.

So there are lots of responsibilities for the audit program. The main goal is mitigating risk, or reducing risk. Trying to develop an audit management system, or an AMS, is a great way to go, especially if your organization is of a certain size. This makes sense. If you do have an AMS, you want to have certain functions available. Having database support. We mention here COBIT 853 controls catalogue, ISO 27002 and SOX. Having a database keep track of all these different things, all the details, all of the inner relationships, makes a lot of sense. Of course there are tools that have the database integrated within the tool, so it's not something you necessarily have to deal with separately. So other things to think about: lists of audit tasks, those that are open or closed or completed. Approved audit procedures.
We'll look at what's involved with creating a skills matrix, resource scheduling, estimating budgets, having an ability to pull out historical records of previous audits. Again, this is why a database would be very useful in this kind of environment.

So let's think about the audit program resource requirements. One thing off the top which makes sense is we have to have some kind of financial commitment from leadership in the organization. If the audit program is not properly funded, then there may be problems with getting audits done completely, or on time, and there could be quality control issues as a result. Also we want to make sure that the auditors are competent. Do they have a good track record? Do they have professional credentials? Have they been through various training programs? Are they keeping up to date on yearly training requirements? These are questions that you'd want to dig into a little bit. Finding the right technical experts. Now, these are non-auditors, but they work with the auditors to give them assistance in obtaining certain types of information. It could be that the auditor needs to understand how a mechanism produces its output, but they need help with learning how the mechanism actually works, or maybe they need the technical expert to demonstrate something or test something so they can provide evidence that something's working or not working. Using good audit tools: these could be software programs, of course, or applications. Part of the financial commitment is related to buying the right tools and, of course, getting proper training so that the auditors know how to use the tools effectively and efficiently. Then we have to think about administrative support. So having people that can help the auditor, maybe technical writers, or other folks who can provide help with creating effective presentations; talented people who can do some of the writing and the graphics work would be a great asset to the audit program.
Alright, so now we'll start talking about some procedures. Having standards to follow is a good idea. We talked about this in earlier sections. This gives you a way to measure performance in a consistent way, and in a way that other organizations in that same industry, or in similar industries, might also measure their performance. So, in order to support a standard, we have to have procedures. So the procedures could be lots of different things. How do we schedule audits? How do we plan them? There could be lots of different little steps and tasks involved in this. Selecting the appropriate audit team. Trying to make sure that we can assess the competency of the different auditors or the other members of the team. Doing the audits themselves; how do we maintain audit program records? Whether you're using a database or some other kind of archival system, that's an important consideration, because you're going to need to return to those at some point. Then how do we deal with reporting to management on various levels of success or failure or other achievements along the way?

So implementing an audit program is an important thing to plan properly. We want to make sure we've got management buy-in and that there's good communication between the various stakeholders and the people actually doing the work. So management is going to want to be visible to the audit program, or maybe the other way around. Maybe the audit program wants to be visible to management, so they can see that their money's being well spent and that they're getting good results, and it gives everyone a sense of confidence or assurance to know that their programs are being audited correctly and that they're moving towards a higher level of maturity for the organization overall. Having some way to centralize your record-keeping. This is an important thing to think about again: going back to the concept of using specialized tools with databases.
This gives the ability to not only keep the information in one place for access by the people who need access, but it also gives the ability to think about adding the appropriate security controls so that only people with a need to know can get to this information. That's really something important to think about. Then we have to think about distribution control. So if information needs to get sent from one individual or one group to another group for some kind of analysis, or some kind of processing as part of an audit, we have to have ways or mechanisms of doing this securely so that we can deal with existing workflows or be able to create new workflows in order to move information around where it's needed, when it's needed, and also protect that information at the same time. So an easy way to think about that is encrypting data at rest and encrypting data in transit. That way nothing's being sent in the clear and everybody that's working on this knows that they've got the confidentiality that's required.

Alright, so what about our audit program records? The auditor needs to know how those records are maintained. I mentioned using encryption. That would be a question that would come up: is encryption being used? If it is being used, what type of encryption is being used? Who has the keys? Is there a key escrow system? These are questions that might come up. So if you've got a very well-organized audit record management system, then that also translates into a high level of assurance for those people relying on the audit results. They know that the records are being properly managed, they're encrypted, only the people who need access have access, and that gives everyone a higher sense of confidence. What about the schedule for auditing? An annual schedule might be published at the beginning of the fiscal year. This makes sense.
There might be some expectation that the schedule remains more or less the same year to year, unless certain situations dictate that it should change. It makes sense that you might do your financial systems in the first quarter; you might do your security management systems in the second quarter, and so on. Then we have to think about the records for individual audits. So who is doing the audit? Who is the auditee? What procedures were used? All of these different details do need to be tracked, especially with an eye to thinking about improving the process over time. If someone's about to embark on a new audit, they might want to review previous audits of that same asset to understand what was done and look for ways where they might be able to do a better job. We have to think about corrective and preventive action reports. Things that the auditor recommended; the auditor follows up with the auditee to find out if something was fixed, or corrected. Then we think about the follow-up reports, as I was just mentioning. Lastly, what are the results of the review of the audit program itself? So it's kind of like a meta review. You're reviewing the program that's doing the auditing. We have to think about the personnel records of the people that are on the audit team. We want to know that these people were selected properly, that they have the correct credentials and the right background and experience. So you can create a skills matrix. We can look at the training records of the auditors. Seeing maybe the auditors' performance evaluations. So they've got to answer to their boss to find out if they're doing a good job, and that might be something that could be shared or reviewed. Then also we want to think about ways that performance might be improved.

Alright, so when we have our audit program we have to think about how we're going to monitor it and how we'll do some review to see if it's performing as expected.
So the first thing we can think about is KGIs: Key Goal Indicators. These are basically just showing that some goal was reached. An example might be something like paying off a large debt or paying off your mortgage, or getting accepted to college. These are KGIs for individuals, but they would apply to an organization as well. Then we have KPIs: Key Performance Indicators, which I spoke about a little bit in an earlier section. These are various different things that the organization decides are ways that they can measure their performance. So some examples are different changes in scope. The stakeholders might decide they want to modify things over time, so we need to measure the results. Perhaps a before-and-after type comparison is appropriate. Conforming with auditing procedures and schedules. That's an important KPI to consider. Making sure that you have consistency between your audit teams, as far as the procedures they use, their approach, their overall performance. There are lots of different ways you can compare one team to another. Maybe you've got a large enough organization where each major office or each major business division has their own audit team, so you could compare them in that kind of a scenario. What about feedback from clients, or record-keeping improvements? Maybe trying to implement observations from auditors for improvements. There are a lot of different things you can consider and, of course, measure to know how your organization's audit program's doing over time.

Now, if we think about planning an individual audit, the first thing that you want to consider is the scope. This is largely defined ahead of time. The auditee may decide what the scope is going to be, if that makes sense, or the auditor will decide because it's obvious by the type of audit what will actually be covered. In any case, the boundaries for the audit should be agreed upon before the audit begins.
Any adjustments that need to take place should be done before any other activities begin, because you don't want to do less effort than required and you don't want to do more effort than required. Then we think about the audit criteria. What is it that the client wants to have accomplished? What are they being measured against? What procedures should actually be used to collect the evidence? These are things that would come up. Choosing an audit team. Remember, we might have to deal with technical experts as an adjunct to the auditors themselves. Then you have to think about the ranking within the team. There might be a senior auditor. There might be junior auditors, people that are still learning and are being delegated lower-level tasks. So for the audit team, we have different teams for different types of audits. If you're doing an internal audit, this means that you're declaring that your asset is in compliance or conforms to the expectations for the organization. There does need to be some level of independence for an internal audit, but, of course, the independence required is not on the same level as it would be for having an external audit. So a second-party audit would be an external audit. So you've got a customer or a vendor that wants to conduct an audit, and that would be a different scenario but similar methodology. Then we have an independent external audit, or a third-party audit. This gives the highest level of trust because the auditors are not part of the organization directly, and their conclusions and their objectivity should be considered above and beyond what would be achieved by an internal audit, for instance. Then we have the concept of an integrated or combined audit where we're blending one or more of these different audit types together in order to get the audit done more quickly, or more efficiently.

Now let's look at the ten stages of an audit.
We start off with approving the charter, or sometimes you have an engagement letter in place of a charter, but similar concept. Basically laying the groundwork and the rules of engagement for the activities. Then there is some planning that begins. A risk assessment is done. Then a determination is made whether or not an audit is possible. There could be certain circumstances that might say that an audit is not possible. Maybe the situation arises where the audit is requested during a time when a lot of people are on summer vacation or winter holidays. So those could be situations. Or maybe the organization is in the middle of a merger and acquisition activity and it's just too chaotic of a time period to do an audit. So these could be reasons why an audit might be postponed. Then we think about doing the actual audit, gathering the evidence. Doing the various testing, analyzing the results of those tests. Finding a way to report those results and then doing the follow-up activities. So, at a high level, these are the ten steps that are expected.
Certified Information Systems Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.