Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson discusses the process of planning an audit. It covers topics such as audit programs, which have both a program management and a project management aspect. An organization's size and complexity affect an audit program and how many resources are allocated. Participants also learn about audit program procedures and implementation. This lesson also covers audit records, monitoring and review, and the ten stages of an audit.

Transcript

Alright, so for chapter three we've got quite a few objectives here. I'll cover just a few. We want to understand the management of the overall audit program. That's kind of the big picture view, where we're looking at the maturity of the audit program: is it well-structured? Is it well-designed? We'll talk about how audits get structured and some of the different components and strategies that go into auditing. We'll talk about the planning required for different audits. How do we implement risk control procedures, risk management procedures? What types of controls are expected to be implemented, and how will that actual work be done? What about acquiring and using proper audit evidence? We'll look at some different evidence types and how that relates to the objectives of the audit. Then we'll also cover conflict with auditees, or stakeholders, and how that should be resolved.

Alright, so starting off with understanding our audit program. The audit program is just what it sounds like: the bigger picture view of dealing with all of the different audit initiatives, and also dealing with the logistics of performing all of those audits. So there's a program management aspect, where we're looking at all the ongoing activities, understanding where the resources are allocated, and having a sense of whether or not the current allocation of resources is sufficient to get everything done on time and on budget. We also have to think about the projects. The projects are the shorter-term goals, where you've got some well-defined endpoint initiative that gets begun, and of course the project management office will manage that. The project manager reports to the sponsor who's paying for the project. So there's an expectation that this person will be answerable to the sponsor as far as projects taking too long, going over budget, or perhaps resizing the scope because of misalignment at the beginning of a project. There's a lot of interplay there that might go on.

So, speaking of scope, we can look at some of the objectives in scope for projects. We've got some standards here: PCI 1.2, for instance, the payment card industry. They're dealing with sales, finance and IT. They might have a monthly audit, because there are a lot of transactions when you're dealing with payment cards. The Equal Employment Opportunity Commission, the EEOC: they're dealing with HR, and maybe a quarterly review is good for that. Quarterly with HR again for personnel security clearances. That's a big deal, of course, if you're working for a government or a defense contractor. Then we have a couple of ISO standards. 14001: this is your green initiatives, your environmentally friendly dealings with your facilities, something you might do annually. Then your 27002 series for information management systems, again with IT and quality control, something you might do quarterly. So various different standards require different intervals for review.

So what is the extent of the audit program? This scales, of course, with the size of an organization. Smaller organizations would have a less complex environment and therefore would not need as many resources allocated to auditing, as compared to a larger organization, which might have a growing team of auditors that are doing the various different tasks. So there are lots of different things to think about. What kind of product lines are involved? Products or services? How geographically dispersed is the organization? Is it all in one place, or do they have offices in different countries, or spread out within one country? What kinds of things can be subcontracted out? Certain tasks are safe enough to have a subcontractor do them. Of course, the organization's leadership makes those kinds of decisions. Concerns from interested parties: these are basically stakeholders that might have concerns about the way something's being done or not done, and they've got some input for the overall audit program. We have to think about the number of activities that are going to be audited in a given environment, while trying to keep scope considerations in mind. How frequently do the audits happen? How much time do the audits take? How much money is usually expended, or maybe the time is measured in man hours. Then we have to think about things like low-profit activities, or layoffs, or products or services that are not performing, and how that affects the overall organization. So an audit program needs to look at these factors and many others, of course, to decide what is most important to look at first, and that way there's a prioritization that can happen.

So there are lots of responsibilities for the audit program. The main goal is mitigating risk, or reducing risk. Trying to develop an audit management system, or an AMS, is a great way to go, especially if your organization is of a certain size. This makes sense. If you do have an AMS, you want to have certain functions available. Having database support: we mention here the COBIT 853 controls catalogue, ISO 27002 and SOX. Having a database keep track of all these different things, all the details, all of the interrelationships, makes a lot of sense. Of course there are tools that have the database integrated within the tool, so it's not something you necessarily have to deal with separately. So, other things to think about: lists of audit tasks, those that are open or closed or completed. Approved audit procedures. We'll look at what's involved with creating a skills matrix, resource scheduling, estimating budgets, and having an ability to pull out historical records of previous audits. Again, this is why a database would be very useful in this kind of environment.

So let's think about the audit program resource requirements. One thing off the top, which makes sense, is we have to have some kind of financial commitment from leadership in the organization. If the audit program is not properly funded, then there may be problems with getting audits done completely or on time, and there could be quality control issues as a result. Also, we want to make sure that the auditors are competent. Do they have a good track record? Do they have professional credentials? Have they been through various training programs? Are they keeping up to date on yearly training requirements? These are questions that you'd want to dig into a little bit. Finding the right technical experts. Now, these are non-auditors, but they work with the auditors to give them assistance in obtaining certain types of information. It could be that the auditor needs to understand how a mechanism produces its output, but they need help with learning how the mechanism actually works, or maybe they need the technical expert to demonstrate something or test something so they can provide evidence that something's working or not working. Using good audit tools: these could be software programs, of course, or applications. Part of the financial commitment is related to buying the right tools and, of course, getting proper training so that the auditors know how to use the tools effectively and efficiently. Then we have to think about administrative support. So having people that can help the auditor, maybe technical writers, or other folks who can provide help with creating effective presentations; talented people who can do some of the writing and the graphics work would be a great asset to the audit program.

Alright, so now we'll start talking about some procedures. Having standards to follow is a good idea. We talked about this in earlier sections. This gives you a way to measure performance in a consistent way, and in a way that other organizations in that same industry, or in similar industries, might also measure their performance. So, in order to support a standard, we have to have procedures. The procedures could be lots of different things. How do we schedule audits? How do we plan them? There could be lots of different little steps and tasks involved in this. Selecting the appropriate audit team. Trying to make sure that we can assess the competency of the different auditors or the other members of the team. Doing the audits themselves. How do we maintain audit program records? Whether you're using a database or some other kind of archival system, that's an important consideration, because you're going to need to return to those at some point. Then how do we deal with reporting to management on various levels of success or failure or other achievements along the way?

So implementing an audit program is an important thing to plan properly. We want to make sure we've got management buy-in and that there's good communication between the various stakeholders and the people actually doing the work. So management is going to want to be visible to the audit program, or maybe the other way around: maybe the audit program wants to be visible to management, so they can see that their money's being well spent and that they're getting good results. It gives everyone a sense of confidence or assurance to know that their programs are being audited correctly and that they're moving towards a higher level of maturity for the organization overall. Having some way to centralize your record-keeping is an important thing to think about again, going back to the concept of using specialized tools with databases. This gives the ability not only to keep the information in one place for access to the people who need access, but it also gives the ability to think about adding the appropriate security controls so that only people with a need to know can get to this information. That's really something important to think about. Then we have to think about distribution control. So if information needs to get sent from one individual or one group to another group for some kind of analysis, or some kind of processing as part of an audit, we have to have ways or mechanisms of doing this securely, so that we can deal with existing workflows, or be able to create new workflows, in order to move information around where it's needed, when it's needed, and also protect that information at the same time. So an easy way to think about that is encrypting data at rest and encrypting data in transit. That way nothing's being sent in the clear, and everybody that's working on this knows that they've got the confidentiality that's required.

Alright, so what about our audit program records? The auditor needs to know how those records are maintained. I mentioned using encryption. That would be a question that would come up: is encryption being used? If it is being used, what type of encryption is being used? Who has the keys? Is there a key escrow system? These are questions that might come up. So if you've got a very well-organized audit record management system, then that also translates into a high level of assurance for those people relying on the audit results. They know that the records are being properly managed, they're encrypted, only the people who need access have access, and that gives everyone a higher sense of confidence.

What about the schedule for auditing? An annual schedule might be published at the beginning of the fiscal year. This makes sense. There might be some expectation that the schedule remains more or less the same year to year, unless certain situations dictate that it should change. It makes sense that you might do your financial systems in the first quarter; you might do your security management systems in the second quarter, and so on. Then we have to think about the records for individual audits. So who is doing the audit? Who is the auditee? What procedures were used? All of these different details do need to be tracked, especially with an eye to thinking about improving the process over time. If someone's about to embark on a new audit, they might want to review previous audits of that same asset to understand what was done and look for ways where they might be able to do a better job. We have to think about corrective and preventive action reports: things that the auditor recommended, where the auditor follows up with the auditee to find out if something was fixed, or corrected. Then we think about the follow-up reports, as I was just mentioning. Lastly, what are the results of the review of the audit program itself? So it's kind of like a meta review: you're reviewing the program that's doing the auditing. We have to think about the personnel records of the people that are on the audit team. We want to know that these people were selected properly, that they have the correct credentials and the right background and experience. So you can create a skills matrix. We can look at the training records of the auditors, seeing maybe the auditors' performance evaluations. So they've got to answer to their boss to find out if they're doing a good job, and that might be something that could be shared or reviewed. Then also we want to think about ways that performance might be improved.

Alright, so when we have our audit program we have to think about how we're going to monitor it, and how we'll do some review to see if it's performing as expected. So the first thing we can think about is KGIs: key goal indicators. These are basically just showing that some goal was reached. An example might be something like paying off a large debt or paying off your mortgage, or getting accepted to college. These are KGIs for individuals, but they would apply to an organization as well. Then we have KPIs, key performance indicators, which I spoke about a little bit in an earlier section. These are various different things that the organization decides are ways that they can measure their performance. So some examples are different changes in scope. The stakeholders might decide they want to modify things over time, so we need to measure the results. Perhaps a before-and-after type comparison is appropriate. Conforming with auditing procedures and schedules: that's an important KPI to consider. Making sure that you have consistency between your audit teams, as far as the procedures they use, their approach, their overall performance. There are lots of different ways you can compare one team to another. Maybe you've got a large enough organization where each major office or each major business division has its own audit team, so you could compare them in that kind of a scenario. What about feedback from clients, or record-keeping improvements? Maybe trying to implement observations from auditors for improvements. There are a lot of different things you can consider and, of course, measure to know how your organization's audit program is doing over time.

Now, if we think about planning an individual audit, the first thing that you want to consider is the scope. This is largely defined ahead of time. The auditee may decide what the scope is going to be, if that makes sense, or the auditor will decide, because it's obvious by the type of audit what will actually be covered. In any case, the boundaries for the audit should be agreed upon before the audit begins. Any adjustments that need to take place should be done before any other activities begin, because you don't want to do less effort than required and you don't want to do more effort than required. Then we think about the audit criteria. What is it that the client wants to have accomplished? What are they being measured against? What procedures should actually be used to collect the evidence? These are things that would come up. Choosing an audit team. Remember, we might have to deal with technical experts as an adjunct to the auditors themselves. Then you have to think about the ranking within the team. There might be a senior auditor. There might be junior auditors: people that are still learning, who are being delegated lower-level tasks. So for the audit team, we have different teams for different types of audits. If you're doing an internal audit, this means that you're declaring that your asset is in compliance or conforms to the expectations for the organization. There does need to be some level of independence for an internal audit, but, of course, the independence required is not on the same level as it would be for an external audit. So a second-party audit would be an external audit: you've got a customer or a vendor that wants to conduct an audit, and that would be a different scenario but a similar methodology. Then we have an independent external audit, or a third-party audit. This gives the highest level of trust, because the auditors are not part of the organization directly, and their conclusions and their objectivity should be considered above and beyond what would be achieved by an internal audit, for instance. Then we have the concept of an integrated or combined audit, where we're blending one or more of these different audit types together in order to get the audit done more quickly, or more efficiently.

Now let's look at the ten stages of an audit. We start off with approving the charter, or sometimes you have an engagement letter in place of a charter, but it's a similar concept: basically laying the groundwork and the rules of engagement for the activities. Then there is some planning that begins. A risk assessment is done. Then a determination is made whether or not an audit is possible. There could be certain circumstances that might say that an audit is not possible. Maybe the situation arises where the audit is requested during a time when a lot of people are on summer vacation or winter holidays. So those could be situations. Or maybe the organization is in the middle of a merger and acquisition activity and it's just too chaotic of a time period to do an audit. So these could be reasons why an audit might be postponed. Then we think about doing the actual audit, gathering the evidence, doing the various testing, analyzing the results of those tests, finding a way to report those results, and then doing the follow-up activities. So, at a high level, these are the ten steps that are expected.
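The review intervals from the standards list above, the schedule-conformance KPI from the monitoring section and the corrective-action follow-ups, worked as an added example (this code is not from the lesson; the record format, the interval lengths in days, the reporting date and the sample records are assumptions constructed here):

```python
# Added example (not from the lesson): a schedule-conformance check over
# audit program records. The standards and review intervals come from the
# lesson; the record format, the interval lengths in days and the sample
# records are assumptions constructed for this example.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review interval for each standard as given in the lesson, plus the
# business area it covers. Interval lengths in days are an assumption.
INTERVAL_DAYS = {"monthly": 31, "quarterly": 92, "annually": 366}
STANDARDS = {
    "PCI 1.2": ("Sales, finance, IT", "monthly"),
    "EEOC": ("HR", "quarterly"),
    "Personnel security clearances": ("HR", "quarterly"),
    "ISO 14001": ("Facilities", "annually"),
    "ISO 27002": ("IT, quality control", "quarterly"),
}


@dataclass
class AuditRecord:
    """One entry in the audit program's records: who audited whom, against what, and when."""
    standard: str
    completed: date
    auditor: str
    auditee: str
    # Corrective/preventive actions the auditor has not yet verified as closed.
    open_actions: list = field(default_factory=list)


def schedule_status(records, as_of):
    """Per standard: latest completion date, next due date and days overdue.

    A standard with no record at all gets last/due of None, so it is reported
    as never audited rather than silently counted as on schedule.
    """
    latest = {}
    for rec in records:
        if rec.standard not in STANDARDS:
            raise ValueError(f"record for unknown standard {rec.standard!r}")
        if rec.standard not in latest or rec.completed > latest[rec.standard].completed:
            latest[rec.standard] = rec
    status = {}
    for std, (_area, interval) in STANDARDS.items():
        rec = latest.get(std)
        if rec is None:
            status[std] = {"last": None, "due": None, "overdue_days": None}
            continue
        due = rec.completed + timedelta(days=INTERVAL_DAYS[interval])
        status[std] = {"last": rec.completed, "due": due,
                       "overdue_days": max(0, (as_of - due).days)}
    return status


def schedule_conformance_kpi(records, as_of):
    """The lesson's KPI 'conforming with auditing schedules': percentage of
    standards whose latest audit is still within its review interval."""
    status = schedule_status(records, as_of)
    conforming = sum(1 for s in status.values() if s["overdue_days"] == 0)
    return round(100.0 * conforming / len(status), 1)


def open_followups(records):
    """Corrective/preventive actions the auditor still has to follow up with the auditee."""
    return [(r.standard, r.auditee, action) for r in records for action in r.open_actions]


# Constructed sample records and reporting date (not real audit data).
AS_OF = date(2024, 7, 1)
SAMPLE_RECORDS = [
    AuditRecord("PCI 1.2", date(2024, 5, 8), "J. Senior", "Finance"),
    AuditRecord("PCI 1.2", date(2024, 6, 10), "J. Senior", "Finance"),
    AuditRecord("EEOC", date(2024, 2, 15), "A. Junior", "HR"),
    AuditRecord("ISO 14001", date(2023, 9, 1), "J. Senior", "Facilities"),
    AuditRecord("ISO 27002", date(2024, 4, 20), "A. Junior", "IT",
                open_actions=["Encrypt the audit record database at rest"]),
]


def main():
    for std, s in schedule_status(SAMPLE_RECORDS, AS_OF).items():
        if s["last"] is None:
            print(f"{std}: never audited")
        elif s["overdue_days"]:
            print(f"{std}: overdue by {s['overdue_days']} days (due {s['due']})")
        else:
            print(f"{std}: on schedule, next due {s['due']}")
    print(f"schedule conformance KPI: {schedule_conformance_kpi(SAMPLE_RECORDS, AS_OF)}%")
    for std, auditee, action in open_followups(SAMPLE_RECORDS):
        print(f"follow-up with {auditee} ({std}): {action}")


if __name__ == "__main__":
    main()
```

With the sample data the EEOC review is 45 days overdue, the clearance audit has never been recorded, and the KPI comes out at 60%, which is the kind of "meta review" figure the lesson says should feed the review of the audit program itself.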

Video Transcription

00:04
All right, So for Chapter three, we've got quite a few objectives here.
00:08
Cover just a few.
00:10
We want a man understand the management of the overall audit program.
00:14
That's kind of the big picture of you, right? We're looking at
00:18
the maturity of the audit program. Is it well structured? Is it well designed?
00:23
We'll talk about how audits get structured and some of the different components and strategies that go into hiding.
00:31
We'll talk about the planning required for different audits.
00:35
How do we implement risk control procedures, risk management procedures?
00:41
What types of controls are expected to be implemented? And how will that I will that actual work be done?
00:47
What about acquiring and using proper audit evidence?
00:51
We'll look at some different evidence types and how that relates to the objectives of the on it.
00:58
And then we'll also cover with conflict with oddities
01:02
or stakeholders
01:03
and how that should be resolved.
01:04
All right, so starting off with understanding our audit program,
01:08
the on IT program, is just what it sounds like. You're the bigger picture view of dealing with all the different audit initiatives,
01:19
also dealing with the logistics of of performing all of those audits.
01:25
So there's a program, Andrew an aspect.
01:26
We're looking at
01:27
all the ongoing activities
01:30
and
01:32
understanding where the resources are allocated
01:34
and
01:36
having a sense of
01:38
whether or not the current allocation of resources is sufficient to get everything done on time and on budget.
01:46
We also have to think about projects.
01:48
The projects are the shorter term goals where you've got some well defined
01:55
endpoint initiative
01:57
that gets that gets begun.
01:59
And, of course, the Project Manager office will manage that
02:02
the project manager
02:05
reports to the sponsor who's paying for the project.
02:08
So there's an expectation that that this person will be answerable to the sponsor as far as projects taking too long going over budget,
02:19
Uh, perhaps re sizing the scope
02:22
because of, you know, Miss misalignment at the beginning of a project with a lot of interplay there that might go on. So we speaking of scope,
02:31
we can look at some of the objectives and scope for projects.
02:35
Uh,
02:36
we've got some standards here.
02:38
PC I 1.2, for instance, payment card industry.
02:42
They're dealing with sales finance and I t.
02:46
They might have a monthly audit because that's a lot of transactions
02:50
when you're dealing with payment cards.
02:53
Equal Employment Opportunity Commission, the E O. C.
02:57
They're dealing with HR. Maybe a quarterly review is good for that
03:00
Quarterly With HR again for personal security clearances.
03:06
That's Ah ah, big deal. Of course, if you're working for a government or a defense contractor
03:12
and then we have a couple of ice. So standards 14,001.
03:15
This is your green initiatives. You're environmentally friendly
03:19
deals with your facilities, something you might do annually.
03:23
And then you're 27,000 and two Siri's
03:28
for information management systems again with I t. Quality control
03:31
something you might do quarterly.
03:34
So various different standards require different intervals for review.
03:40
So what is the extent of the audit program?
03:44
The scales, of course. With the size of an organization, smaller organizations
03:49
would have a less complex environment and therefore would not need as many resource is allocated to auditing
03:57
as compared to a larger organization, which might have a growing team of auditors that are doing the various
04:03
different tasks. So there's lots of different things to think about
04:08
what kind of product lines are involved. Product or service is
04:12
how geographically dispersed is the organization Is it all in one place, or do they have offices in different countries or or us spread out within one country?
04:24
What kind of things could be subcontracted out?
04:27
Certain tasks are safe enough to have a subcontractor,
04:30
uh, do them.
04:32
Of course, the organization's leadership makes those kinds of decisions
04:38
concerns from interested parties.
04:41
These are
04:42
us basically stakeholders that might have
04:45
concerns about the way something's being done or not done,
04:48
and they've got some input for the overall audit program.
04:54
We have to think about the number of activities they're going to be audited
04:58
in a given environment
05:00
with trying to keep scope considerations in mind.
05:03
How frequently do the audits happen?
05:06
How much time do they the audits take? How much money is usually expended? Or maybe the time is measured in man hours?
05:15
And then we have to think about
05:17
things like low profit activities
05:20
or layoffs
05:23
or products are service is that are not performing and how that affects the overall organization.
05:29
So not a program needs to
05:31
look at these factors and many others, of course,
05:34
to decide what is most important to look at first.
05:39
And that way there's a prioritization that can happen,
05:42
so there's lots of responsibilities for the honest on IT program.
05:46
The main goal is mitigating risk reducing risk.
05:49
Trying Thio develop an audit management system or in a m S is ah, great way to go, especially if your organization is of a certain size. But this makes sense.
06:00
If you do have an and us you want to have certain functions available.
06:04
Having a database support
06:08
mention here of Kobe, it 853 controls catalog
06:12
I. So 27,002 and socks
06:15
having ah database. Keep track of all these different things. All the details, all of the relationships
06:21
makes a lot of sense. And there's course. There are
06:25
tools that have the database integrated
06:28
within the tool, so it's not something you necessarily have to deal with separately.
06:33
Eso other things. Think about a list Subotic tasks
06:38
those that are open or closed or completed
06:41
approved audit procedures.
06:43
Well, look at what's involved with creating a skills matrix
06:46
resource scheduling, estimating budgets,
06:50
having a an ability to
06:54
to pull out historical records of previous audits. Again, This is why database would be very useful, this kind of environment,
07:00
so let's think about that. The audit program resource requirements.
07:05
One thing off the top, which makes sense, is we have to have some kind of financial commitment from leadership in the organization.
07:13
If the audit program is not properly funded,
07:16
then there may be problems with getting on. It's done completely or on time,
07:23
and there could be quality control issues as a result.
07:27
Also, we want to make sure that the auditors are competent.
07:30
Do they have a good track record? Do they have professional credentials? Have they been through various training programs? Are they keeping up to date
07:40
on yearly training requirements? These are questions that you'd want to dig into a little bit
07:46
finding the right technical experts.
07:49
Now these are non auditors, but they work with the auditors to give them assistance in obtaining certain types of information.
07:58
It could be that the auditor needs to understand
08:01
how a mechanism
08:03
produces its output,
08:05
but they need help with learning how the economic mechanism actually works.
08:11
Or maybe they need the technology technical expert to demonstrate something or test something so they can provide evidence that something's working or not working.
08:22
Using good audit tools,
08:24
these could be ah
08:26
software programs. Of course, our applications
08:30
part of the financial commitment is is related to buying the right tools and, of course, getting proper training so that the auditors know how to use the tools effectively and efficiently.
08:41
And then we have to think about administrative support.
08:46
So having
08:46
people that can help the auditor, maybe technical writers
08:50
or someone or other folks who can provide help with creating
08:54
effective presentations,
08:56
you know, talented people who can do some of the writing and the graphic
09:03
graphics work
09:03
would be a great asset to the audit program.
09:07
All right, so now we'll start talking about some procedures.
09:09
Having standards
09:13
to follow is is ah, good idea. We talked about this in earlier sections because this gives you a way to measure performance
09:20
in a a consistent way
09:22
and in a way that all other organizations in that same industry or in similar industries might also measure their performance.
09:31
So in order to support a standard, we have to have procedures,
09:35
so the procedures could be lots of different things. How do we schedule audits? How do we plan them?
09:41
There could be lots of different little steps and tasks involved in this
09:46
selecting the appropriate on IT team,
09:48
trying to make sure we can,
09:50
uh,
09:52
assess the competency of the different auditors or the other members of the team
09:56
doing the honest themselves.
09:58
How do we maintain audit program records?
10:03
You know, whether you're using a database or some other kind of archival system. That's an important consideration
10:09
because you are going to need to return to those at some point.
10:11
And then how do we deal with reporting to management
10:15
on various levels of success or failure or other achievements along the way? So implementing an audit program
10:22
is an important thing that Thio plan properly? I want to make sure we've got managing buying that there's good communication between the various stakeholders
10:33
and the people actually doing the work.
10:37
So management is gonna want to be visible
10:39
to the audit program or maybe the other way around. Maybe the auto program
10:45
wants to be visible to management
10:46
so they can see that their money is being well spent on that they're getting good results
10:50
and gives everyone, uh,
10:52
sense of confidence or assurance to know that their programs are being audited correctly
11:00
and that they're moving towards a higher level of maturity for the organization overall,
11:05
having some way to centralize your record keeping
11:09
This is an important thing to think about again, going back to the concept of using specialized tools with databases.
11:16
This gives the ability to not only
11:18
keep the information in one place for access to the people who need access,
11:24
but it also
11:26
gives the ability to think about adding the appropriate security controls
11:31
so that only people with a need to know can get to this information.
11:35
That's really something important to think about.
11:37
Then we have to think about distribution control.
11:41
So if information needs to get sent from one individual or one group to another group for some kind of analysis or some kind of processing
11:52
as part of an audit,
11:54
we have to have ways of mechanisms of doing this securely
11:58
so that we can
12:01
a deal with existing work flows or,
12:03
um,
12:05
be able to create new work flows in order to move information about where it's needed when it's needed.
12:11
And they're on also protect that information
12:16
at the same time. So
12:16
easy way to think about that as encrypting data at rest and encrypting data in transit
12:22
so that we know nothing's being sent in the clear. And everybody that's working on this knows that they've got the confidentiality that's required. All right, So what about our audit program records?
12:33
The auditor needs to know how those records are maintained.
12:39
I mentioned using encryption
12:41
that that would be a question that would come up
12:43
encryption being used if it is being used. What type of encryption is being used?
12:48
Who has the keys?
12:48
Eyes there? Is there a key escrow system? These are questions that might that might come up.
12:54
So if if you've got a very well organized audit record management system, then that also translates into high level of assurance for those people relying on the audit results.
13:07
They know that the records are being properly managed, their encrypted on lee. The people that need access have access, and that gives everyone a higher sense of confidence.
13:18
What about the schedule for auditing?
13:20
An annual schedule might be published at the beginning of the fiscal year.
13:24
This makes sense,
13:26
and
13:28
there there might be some expectation that the schedule remains more or less the same week. Two herbs are a year to year,
13:35
unless some certain situations dictate that that should change.
13:39
It makes sense that you might do your financial systems in the first quarter. You might do your security management systems in the second quarter and so on.
13:48
Then we have to think about the records for individual audits.
13:52
So who was doing the audit?
13:54
Who was the oddity?
13:56
What
13:56
procedures were used?
13:58
All these different details do need to be tracked,
14:03
especially
14:03
with an eye to thinking about improving the process over over time.
14:09
If someone's about to embark on a new audit, they might want to review previous audits of that same
14:13
asset
14:15
to understand what was done and look for ways they might be able to do a better job.
14:20
We have to think about corrective and preventive
14:24
action reports,
14:26
things that the auditor recommended.
14:31
You know, the auditor follows up with the auditee to find out if something was fixed
14:35
or corrected.
14:39
And then we think about the follow up reports as I was just mentioning.
14:43
And lastly,
14:43
what are the
14:46
results of the review of the audit program itself?
14:50
So it's kind of like a meta review. You're reviewing
14:52
the program that's doing the auditing. We have to think about the personnel records of the people that are on the audit team.
15:01
We want to know that
15:01
these people were selected properly, that they have the correct credentials and the right background and experience
15:09
so you could create a skills matrix.
15:11
We could look at the training records of the auditors
15:16
maybe seeing the auditors' performance evaluations.
15:20
So they've got to answer to their boss
15:24
to find out if they're doing a good job.
15:26
And that might be something that could be shared or reviewed.
15:31
And then also, we want to think about ways that performance might be improved.
15:35
All right, so we have our audit program. We have to think about how we're going to monitor it and how we'll do some
15:41
review to see if it's performing as expected.
15:45
So the first thing we could think about is KGIs, key goal indicators.
15:50
These are basically just showing that some goal was reached.
15:54
An example might be something like, you know, paying off a large debt or paying off your mortgage
16:00
or getting accepted to college. These are KGIs for individuals, but they would apply to an organization as well.
16:07
Then we have KPIs, key performance indicators,
16:11
which I spoke about a little bit in an earlier section.
16:14
These are various different things that the organization decides are ways that they could measure their performance.
16:21
So some examples are
16:22
different changes in scope. Stakeholders might decide they want to modify things over time, so we need to measure the results. Perhaps a before-and-after type comparison is appropriate,
16:36
conforming with auditing procedures and schedules.
16:40
That's an important KPI to consider,
16:42
making sure that you have consistency between your audit teams
16:48
as far as the procedures they used, their approach,
16:52
their overall performance. There are lots of different ways you can compare one team to another. Maybe you've got a large enough organization where
17:00
17:03
each major office or each major business division has their own audit teams. You could compare them in that kind of scenario.
17:11
What about feedback from clients
17:14
or recordkeeping improvements?
17:17
Maybe trying to
17:19
implement observations from monitors for improvements,
17:23
a lot of different things you can consider
17:26
and, of course, measure
17:27
to know how your organization's audit program is doing over time.
17:32
Now we think about planning an individual audit. The first thing that you want to consider is the scope.
17:37
This is largely defined ahead of time. The audit team may decide what the scope is going to be, if that makes sense, or the auditee will decide, because it's obvious by the type of audit what will actually be covered.
17:52
But in any case, the boundaries for the audit should be agreed upon before the audit begins.
17:59
Any adjustments that need to take place should be done before any other activities begin, because you don't want to
18:06
do less effort than required, and you don't want to do more effort than required.
18:11
Then we think about the audit criteria.
18:14
What is it that the client wants to have accomplished? What are they being measured against?
18:19
What procedures should actually be used to collect the evidence? These are things that would come up.
18:26
Choosing an audit team.
18:27
Remember, we might have to deal with technical experts as an adjunct to the auditors themselves,
18:36
and then you have to think about the ranking within the team. There might be a senior auditor, there might be junior auditors, people that are still learning, that are being delegated lower-level tasks.
18:48
So the audit team.
18:49
We have different teams for different types of audits. If you're doing an internal audit,
18:55
this means that you're declaring that your
19:00
asset is in compliance or conforms to the expectations for the organization.
19:07
There does need to be some level of independence for an internal audit,
19:11
but of course
19:15
19:18
the independence required is not on the same level as it would be
19:22
for an external audit.
19:25
So a second-party audit would be an external audit.
19:27
So you've got a customer or vendor
19:30
that wants to conduct an audit,
19:34
and that would be a different scenario
19:37
but similar methodology.
19:41
Then we have an independent external audit, or third-party audit.
19:45
And this gives the highest level of trust
19:49
because the auditors are not part of the organization directly
19:52
and their conclusions and their objectivity should be considered above and beyond what would be achieved by an internal audit, for instance,
20:03
And then we have the concept of an integrated or combined audit,
20:07
where we're blending one or more of these different types
20:11
together in order to get the audit done more quickly or
20:17
more efficiently.
20:18
Now let's look at the 10 stages of an audit.
20:21
We start off with approving the charter,
20:23
or sometimes you have an engagement letter in place of a charter, but it's a similar concept,
20:29
basically laying the groundwork
20:30
and the rules of engagement for the activities.
20:33
And there's some planning that begins.
20:37
A risk assessment is done.
20:38
Then a determination is made whether or not an audit is possible.
20:44
there could be certain
20:45
circumstances that might say that it is not possible.
20:48
Maybe the situation arises where
20:52
the audit is requested during a time when a lot of people are on summer vacation or winter holidays,
20:57
so those could be situations. Or maybe the organization is in the middle of merger and acquisition activity, and it's just too chaotic of a time period to do an audit.
21:08
So these could be reasons why an audit might be postponed.
21:14
Then we think about doing the actual audit, gathering the evidence,
21:18
doing the various testing, analyzing the results of those tests,
21:22
finding a way to report those results
21:26
and then doing the follow up activities
21:29
So at a high level, these are the 10 steps that are expected.

Instructed By
Dean Pompilio
CEO of SteppingStone Solutions
Instructor