Performing an IS Audit
Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
>> Hi, and welcome back to Certified Information Systems Auditor. This lesson will be covering performing an information systems audit.

Now, let's have a look at what we'll be covering in this lesson. We'll be talking about some of the key elements of an audit, the different types of audits that you might come across, the types of testing that you'll undertake when you are performing an audit, planning an audit at a very high level, at least to get some of the key aspects that you'll need to perform, some of the audit evidence and how to gather the evidence and also some of the considerations, and the interviews and observations as part of audit evidence.

Let's have a look at performing an audit. Basically, there are six main areas that you need to focus on, and we'll cover these in a very high-level list. Looking at the purpose and objectives, so why are you auditing? An audit is an expense and it takes time and resources of an organization. It needs to have a very fine purpose and an objective. Is it to determine the accuracy of an information system? Is it to determine that the appropriate security controls are in place?

Next, we have a look at the scope. Now, the scope is exactly what will be audited. In a simple information system, it might be a single server, or in a complex information system distributed across multiple sites with a large number of users and a large number of resources and assets that need to be covered.

It will look at a risk analysis. That's the key aspect of all auditing: to determine a level of risk, whether it's acceptable for the business.

You'll be looking at audit procedures. Basically, if you're conducting an audit of a large system, particularly, you may not be the only auditor involved, and so it's very important that all auditors are performing the same steps in exactly the same way.

Another aspect of performing an audit will be the resources. Now, these can be either resources to conduct the audit itself, so yourself and/or a team of auditors, and also the stakeholders that you may need to engage to help you collect evidence and take you through the actual system that you're auditing.

That leads us into schedule, which is obviously fairly important from a resource planning perspective and also making sure that you have the stakeholders available when you need them, and also that your audit doesn't interfere with business functions that are taking place.

Now there are several types of audits. You'll often be coming across compliance audits. That will be basically a fairly significant aspect of the work that you do. But here, there are a number of different types of audits that will vary depending upon the type of business that you're working within and also the type of organization.

Types of testing. There are three main types of testing. Compliance: this we'll use to determine if the design of the control and the associated procedures are in place. This is very much, is this control in place or is it not in place? If it is in place, is it working effectively? Substantive testing will be determining if the function is not only working and in place but if it is accurate. For example, in a financial system, whether the results of the particular process being conducted on the data result in a correct outcome. Then there's a hybrid approach, which will be a combination of both compliance and substantive.

Now, planning your audit methodology. We're looking at different stages here. Pre-audit planning: this is basically to ensure that you've got all your resources and your stakeholders lined up in the timings that you need them. The statement of work: this is particularly important if you are an external auditor coming in to audit an organization who is a client. The statement of work is very much a defined statement of exactly what you will and won't do within the audit and also the outcomes. What type of reporting is required from the audit? Procedures development: this will depend. If you're an external auditor, you may basically look at the procedures that the organization you're auditing has, or you may have a fine set of procedures that you use for your own particular auditing work. An important aspect of this also is the communications plan. You want to ensure that the organization and all the key stakeholders are very aware of what you're doing and when you're doing it.

Finally, looking at reporting. Report preparation is fairly key and critical. If you've done a lot of work, potentially in auditing a system, particularly if it's very complex, you may have multiple findings from multiple different people. This needs to be basically brought together into a single report for the key stakeholders. Obviously, with a large complex system, there may be some loose ends that need to be wrapped up. Any tidying up, any confirming of findings, or re-testing of particular findings if they're in doubt, can be done in this stage, and the post-audit follow-up, which can take place either directly at the end of the audit or after some time, once the business has had a bit of time to ingest the findings and any following questions that they might have for you as the auditor.

As an auditor, you'll be basically looking for audit evidence. There are different types of evidence that you'll come across depending upon the type of audit and the type of business that you're within. It can be as simple as observations. You're looking at a business process taking place. Any written notes that you may take during that plan or observations can form the evidence. Correspondence within the business can be part of the audit evidence trail for auditors. Independent confirmation, so evidence for your audit could very well be the results of a previous audit. Now, processes and documentation within the business will give you an indication that particular controls are actually in place and being conducted. Business records and personnel interviews, which we'll also talk about a little bit later in this lesson.

Considerations for your evidence. You're needing to look at the independence and qualifications of the provider. Who is giving you this evidence? Are they a stakeholder, and is this actually something that they're qualified to do? You also need to look at the objectivity and also the timing of the evidence within the audit process.

Then, to gather evidence, that can come from a number of different areas. It could be something as simple as an organizational chart, looking at how functions are performed across the organization, different sections, roles and responsibilities, the definitions, any project charters if you're auditing a project that's underway, third-party contractors and SLAs. In large organizations these days, it is quite common to see one or more components of a given system that may be conducted or run by a separate organization entirely. Documented IS policies and procedures are critical. Any risk register will just give you evidence that basically that risk is being managed and identified. Incident logs, which could be written for security incidents or any failure of systems, and any relevant IS standards that are applicable to the organization.

Now, interviewing and observing personnel. This can be quite useful because you're actually seeing the functions performed on a day-to-day basis. You can get a walk-through of the written process and procedures and you can determine whether they are actually performed in that particular way. You can also look at basically the security awareness and whether that is part of the organization's culture. It can also help you to find the reporting relationships, which might pick up on your organizational chart as your other evidence element.

Now, it can have some drawbacks, of course. Auditors can often be seen in very adversarial ways. It can be seen as the auditor coming in to check up on exactly what the employee is doing, and it can be seen as very much a punitive approach. That can usually be handled very well simply by a good communications plan and explaining to the stakeholders that you're observing exactly what you're doing and what the outcomes are going to be.

A few other considerations, particularly in large organizations where there is a significant amount of data. Data analytics tools can often be of assistance for you to get evidence of a particular function. It might be impossible for you to do a reasonable sample of a given number of transactions, but a data analytics tool might be able to give you that level of view. There's also other generalized audit software and other computer-assisted techniques that can be used to help you achieve your audit evidence.

We've reached the end of the lesson. Today, we've covered basically key elements, so what's made up within an audit, the types of audits that you could be doing, the types of testing, how to plan an audit, at least at a very high level, some of the considerations around gathering audit evidence, and also a few other considerations around interviews and observations of personnel. Thank you for listening, and I hope to see you at the next lesson.