Auditing


Course
Time
8 hours 25 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
00:01
>> Now we want to talk about auditing. Auditing can also be used incorrectly, really, but can also be used interchangeably with accounting, and I see that a lot. Some folks will put the last A as auditing, some will put accounting. Accountability is what auditing gives us, but it doesn't mean they're the same thing. But we're going to stick with a more consistent term of auditing.

When we talk about auditing, what we're looking to do is to ensure compliance; we want accountability. We want to make sure our individuals are following, whether it's company policy, standards, external standards, make sure we're in compliance with laws and regulations. That's what auditing is all about. We also go back and audit internally, just basic access to resources. I audit and determine who's accessed this file or folder, particularly if those files or folders are of a significant or sensitive nature. I will audit user accounts and determine, or try to determine, does anybody have too many rights or privileges based on their role within the organization?

When we talk about auditing, our auditors are focused on compliance. I will also mention that the auditor's job is to audit. You didn't see that coming, did you? But their job is to audit, to document, and to report. Auditors do not fix. They do not correct. Also, technically, auditors shouldn't recommend remediation strategies either, because that's a conflict of interest. So really your auditors come in, they conduct their assessments, they write up their reports, they turn those reports over to senior management or whichever entity authorized the audit, but never will there be modification associated with an auditor. Auditors don't even have write permission; they just have read permission. We just keep in mind for now, auditing is all about compliance.

Now, when we start off the audit process, the first thing that we've got to do is meet with senior management or whoever's authorizing the audit and make sure that we understand the goals of the audit. Am I trying to verify compliance with laws or regulations, with internal policy, best practices, external standards? You can't test for everything, and you want to figure out what it is that's relevant to the hiring party, whoever hired me as an auditor. We also want to make sure that we're focused on the correct scope. So am I auditing the business, a department, or just a specific system? Then we're going to choose our team. We are going to define the scope. We're going to write that up, we're going to define our goals, we'll determine what budget is available to us, and we'll pull together our team members and begin plotting out the course of this project.

As we're managing this as a project, we need to make sure that we have a documented expectation or baseline for the schedule and for the costs associated. So time and budget: I have a specified period of time and a specified budget, and I want to work within those realms. I want to have plans for the processes we take in auditing, for the types of reports for our stakeholders, the scope of work to be done, all of those elements, and I make sure that I follow my plans. If I'm deviating from my plans, there may be a formal change control process that I need to go through, or I may just need to document deviations, but you plan, you do what's in your plan, and you document any differences from the plan; basically, that is how that goes.

Now, I can have audits conducted internally or externally. With internal audits, they're going to be cheaper. You have auditors that know more details perhaps about our specific organization. That can be a disadvantage as well, though. We don't want our auditors worrying about the politics of the company. We don't want them giving free passes because they have those internal relations. They are cheaper. We do get to control dissemination of information a little bit better, but we have to worry about conflict of interest. Now with external auditors, you flip the script, and usually they're much more expensive. But we do get the benefit of having a true neutral third party evaluating our environment. They may have a deeper experience within the industry than just our organization. So they would be able to help us with industry standards, best practices, and of course, we would want them to sign a non-disclosure agreement before they begin, because often the auditors are going to be privy to sensitive information. So we want to make sure that we have some document where we can legally enforce a non-disclosure clause.

One type of document that is useful if I'm looking for third-party assurance with an organization is service organizational control documents, SOC documents. Now, we don't get too deep into these because there are different levels or different SOCs. But I would memorize what SOC 1, SOC 2, and SOC 3 documents do. In relation to audit and assurance, SOC 1 focuses on financial controls. Now, that's probably not going to be the answer on this exam because that's not our focus, the finances. Our focus is going to come with a SOC 2 and SOC 3, because both of these focus on the CIA triad for information: how confidentiality, integrity, and availability are enforced. Now, SOC 2 documents are for internal customers. I don't know whether internal customers, probably not the best way to say it, but for existing, that's the word I was looking for, existing customers. There's going to be lots more information and potentially sensitive information in a SOC 2 document. Usually, the customers have to sign a non-disclosure agreement when they're reviewing SOC 2s. SOC 3 documents contain publicly available information. I could see them as something like, I don't know, let's say that you are evaluating a Cloud service provider to determine whether or not you want to do business with them. You're most interested in their security controls for information. Which SOC document would you use to give you the best assurance? In that case, SOC 3. SOC 1's financial, SOC 2 would not be publicly available. So if I'm not currently a customer, really to get confidentiality, integrity, availability, those security focuses, it would have to be a SOC 3 document.

In this section, we looked a little bit more at auditing, and we talked about managing our audit program through project management or perhaps program management. We looked at internal versus external documents, talked about the benefits of each, and then we wrapped things up by looking at specific documents called service organizational control documents, more frequently referred to as SOCs.