12 hours 57 minutes
So we've talked about the importance of the retention policy but now we're going to talk about the importance of data audit policy.
The learning objectives for this lesson are talking about the components of an effective data audit policy
and then also when you should consider when implementing an audit policy.
And then lastly, we're talking about the challenges that come with enforcing a data auto policy in cloud environments.
All right. What is an audit policy? Well, as we've talked about in past lessons auditing, is it about being able to enforce
traceability and non repudiation when it comes to actions taken within environments? But auditing in general is really about applying that set of standards or a particular framework or a set of regulatory requirements to a set of systems.
Now, some of the components of the audit policy, first and foremost is the audit period. Now different types of 3rd party audits
really have different periods. So the period is the amount of time that the audit is going to go through. Whether this audit is really a point in time where it looks at our specific controls in place, or is it over a period meaning a number. You can be three months or a whole year
to establish whether controls are maintained and enforced throughout that period of time. Now, the audit scope
is important because this is really includes what is being audited and it usually entails all the
hardware, data, people and processes that are associated with whatever the overall scope is, whether it's an organization or an individual product. It's also very important if you're not an auditor to also think about,
oh, if I'm moving a system or adding new applications to it, you're expanding the scope of the audit and
you need, you should let your audit function know that new systems are being uh included. Or if you make business decisions to expand the different geographic regions as we talked about, there could be different requirements related to regulations and that also changes the nature of the audits that need to be done over those environments.
All right. So let's also talk about the audit responsibilities. Well, the internal auditors may be focused on uh ensuring that you're meeting your concern obligations that are regulatory in nature.
And external auditors are looking at whether or not the organization is objectively meeting the control criteria related to what you say you put in place. The same is true for regulatory auditors are your controls meeting the spirit of the regulatory controls?
One of the biggest and most important pieces of having effective auditing is independence. Especially some organizations have internal audit functions, but you don't want them to get too close to the people doing the work because then they formed personal relationships and maybe are less objective about their evaluation of control effectiveness In the quality of evidence
independence is easier to maintain with external auditors as well as regulators.
One of the other very important pieces of effective auditing is ensuring that the chain of custody is maintained. So one of the things that comes up in audits are potential violations. And when auditing, you want to ensure that
if a violation is found that is properly documented and that the evidence is maintained so that if there is evidence of a potential crime in the case of a regulatory violation. In some cases, not all cases that that evidence can be maintained through any legal proceedings that may
be arise as a result of its discovery.
Another very important piece of maintaining an effective audit policy is to have effective processes and procedures for collecting audit evidence. Now this is where the cloud context gets a little difficult because
you don't have the same level of visibility into data. The systems in the architecture that you might went for an on premise situation, getting the necessary time stamps for audit evidence or regulatory requirements. Quality can be difficult in cloud based environments.
One of the ways you can address this risk is by having favorable contracts with your service provider and really establishing the needs related to audit quality, what data is available and you're right to audit
different aspects of the cloud environment.
And then ultimately, your auto policy should set the kings for how the controls and requirements set out in your auto policy are maintained and enforced.
Ultimately, you should really think of the audit policy is setting the rules of the road and engagement for how you are going to use auditing as a tool to ensure that your controls are done effectively and that you're meeting all your obligations to your customers. Whether they're whether these requirements are based on regulations or your own internal standards.
Alright, quiz Question A SAS company started to use a new cloud service provider for storage. What is the primary aspect of the audit that this would affect the auto period? The audit responsibilities
or the audit scope?
If you said scope, you're correct, the auto period will probably remain the same. You shouldn't necessarily be affected or changed as a result of bringing on a new cloud service provider. Other responsibilities, the responsibilities of the auditors as well as those people maintaining the controls don't really change. They may adapt slightly
if the environment is different or if they
uh different controls need to be adapted to this new provider. But ultimately, the scope has changed. Perhaps the old provider is no longer in scope if all the data is transported over or it no longer is relevant, But this new provider is has is included in the scope of the new audit. The scope has expanded to include this new provider.
All right. So in summary, we talked about what an audit policy is, how audit policies support security, and some of those challenges that come with auditing cloud environments.
All right, I'll see you in the next lesson.