This lesson covers performing the audit, making sure the right staff is assembled and that everyone is aware of their roles. Organizations can create a skills matrix which can help the auditor decide where to place resources in the audit. It is also important to identify which individuals in an organization have special interest in the audit. This lesson also covers data collection techniques for an audit and assigning work to the audit team.

[toggle_content title="Transcript"]

Alright, so now we're ready to talk about performing the audit. So we've talked a little bit about some of the considerations to get ready. Defining the scope, the objectives, doing some of that proper planning ahead of time to make the job of getting the audit done that much easier and more smooth. That's what we're trying to think about. We have to think about getting the right staff assembled, making sure we've got the audit committee understood: who's going to be doing the communication to upper management, how will we be reviewing the controls? These are all good questions to understand well before embarking on actually beginning the audit.

So how do we decide if our auditors are competent? You can look at a matrix like this. So we've got an auditor with experience in at least three complete audits. Maybe they're qualified to be an audit team leader. We can also think about someone that might be a competent auditor or a technical expert. Someone who is very good with their communications or negotiating skills also might make a good audit team leader. If someone's got good secondary level education formal training, they might make a good leader as well as a competent auditor and even a technical expert. Four more years in IT that's related to auditing type work might be a good choice for all three categories. Somebody's maybe gone through five days or more of training in the area that's going to be audited, also a good choice for all of the different categories.
Or someone who's been in the audit side of things in IT might make a good audit team leader or possibly a competent auditor. So it's a good way to just think about the different skills that people bring to the table to decide where they fit in best.

Then we can think about a skills matrix. So this is just an example skills matrix. You need someone to look at existing policies. So we might pick JAY DO. They've got an IA background. Maybe they have their CISA certification. They might be good as an internal auditor. Someone needs to do some network perimeter analysis. So they might also have a CISA. Maybe a Network+ or a CEH or Security+ certification. So they're working in the payment card industry. They've done some section 11 testing. Network vulnerability scans. Again, someone who's got a CISA or perhaps a CEH or a Network+ certification or some similar training might be a good choice here. Maybe they're a Windows or UNIX administrator. Then maybe we need someone to do a log review. To understand how to correlate those events to different things; perhaps scan events or other transactions that need to be investigated. So someone that's got a computer science background. Maybe they're a system analyst. They might make a good choice for this. So putting all your people together in a matrix like this gives the audit committee or the audit team or the lead auditor a way to assess all of the different resources that they have from a human perspective and decide where those people would best fit into the overall effort.

So how do we ensure that we have quality control for the audits? If we have specifications, and those are well defined, and we can conform to those specifications, that basically creates the concept of quality. Also, proper planning as well as considering preventive measures helps to ensure that we have quality. A good point that's made here is that we cannot define quality after an appraisal is done.
This has to be considered beforehand so that we can choose those correct procedures and methodologies to provide the quality from the beginning instead of something that is considered afterward. Thinking about zero defects is a great standard to aspire to. It might not always be achievable, but it's certainly something to aspire to.

So if we have to design a quality control process or maybe you're trying to enhance one that's already there, we have to think about the right methodology to use for audits. It makes sense right off the top. You want to have very good documentation, checklists, templates, procedures, so knowing what your auditee's needs are and being able to match that with your normal methodology, your normal way of doing things, is what we're getting at here. We want to know what the business cycles are for the auditee. Trying to get the right people in the room for interviews. Maybe you can even hold workshops to discuss certain topics with a group of people instead of doing one-on-one discussions which take more time. We talked a little bit earlier in an earlier section about the terms of reference. Making sure that the client and the auditor agree on those terms of reference so that you can both speak the same language. Then we want to think about measuring the performance of the plan against the actual performance of the organization. Trying to get those two to match up as closely as possible. And then being able to respond to complaints in a timely and professional manner. So if an auditee is complaining and you're not doing anything about it, that's going to affect the quality of the audit or subsequent audits.

So, contacting the auditee: establishing that rapport is an important thing to consider. You want to have some agreement on the scope and the objectives of the audit, of course. You want to deal with problems as they come up in a timely fashion.
If there are complaints or delays, or other obstructions, then there should be good communication between the auditor and the auditee to get that resolved to everyone's satisfaction. Questions and complaints come up. Those should also be responded to in a professional, timely manner. You don't want to create any areas where there's friction or frustration because that could impede the progress of the audit and also affect levels of cooperation.

What about issues that are outside the scope of the audit? How should that be handled? There needs to be some professional diplomacy being employed so that nobody gets their feathers ruffled when something goes wrong and it appears that the mistake is on one side or the other.

Having a good reporting process: knowing that the schedule is well-defined and can be adhered to based on the client's requirements and the auditor's available resources. We have to think about how we will report the findings. Making sure that we can adhere to the confidentiality requirements. The principle of least privilege applies here. So only those people that need to know should be given access to sensitive information. Also we need to think about what happens when evidence is uncovered of illegal acts. If someone is committing fraud, for instance.

So making the initial contact with the auditee requires, at first, looking at all the documents that are agreed upon for the process of doing the audit, all the records that are relevant to the audit, perhaps even records of previous audits. The auditor might provide a list of items that they are going to want to investigate or test. A list of people they want to interview. Whatever the rules of site safety are for that particular location might be discussed. Who's going to be an observer and who will act as a guide for the audit team? These would be good things to know ahead of time. And then back again to having workspace for the audit team.
Can't overlook the physical requirements of someone being in your organization and where are they going to sit? Do they have a private area? Do they have a conference room, that kind of thing?

Then we have to think about a communications schedule. If we start off with the list of stakeholders, then we can decide who's most interested in these activities and what are their communication preferences? Is it telephone? Is it in person? Is it email? The stakeholders may have positive or negative interest in the audit. Negative interest would be someone that's trying to not be part of it for various reasons. Maybe they're too busy. Maybe they're trying to hide information and they don't want that to be uncovered because of an audit. So that in itself becomes a point of interest. We have to think about what is in the messages that we send between auditors and the client. What level of detail is required or desired? Confidentiality again needs to be considered since sensitive information may be required to be only viewed by those people who need to see it, and so we think again about where the auditor works, what kind of tools did they use, do they have the ability to do encryption, and so on? What kind of technology is used to do the communication? Again, email, phone calls, meeting in person, or using a specialized tool that allows people to communicate within the tool itself. These are options. Then making sure you have a simple process to follow when there are complaints.

How do we collect data? What types of techniques do we need to consider here? You can have someone observe. They watch someone doing their job. They take notes. Maybe they ask them to do something and test something and they're basically watching someone perform their various duties. There might be document review. Looking at policies and procedures, looking at standards, making sure that if a policy exists, is it actually being used, or was it created and not used?
That would be an important data point to uncover. When you're interviewing people, paying special attention to time requirements and availability requirements. Is the person available? How much time can they afford to spend with the auditor during an interview? As I mentioned earlier, workshops can be a way of doing group interviews or getting consensus from a group instead of doing one-on-one interactions. That might save time, but it might not always be applicable. It just depends on the circumstances. Then we have the concept of computer-assisted audit tools, or CAT. These can help to coordinate activities and aid in the collection of evidence, giving some reporting facilities and so on. Surveys might also be used. This is a great way to get information from a wide group of people. Of course it's sometimes difficult to get a high participation rate in surveys, but it's a worthwhile effort.

Then we move on to thinking about the hierarchy of controls. What about the concept of management being exempt from controls? Where they've got some controls in place, but it's only for people other than management. That could be a problem if this allows for deception or fraud to take place because someone that's in management is more or less above the law, so to speak. If the controls are implemented correctly, and they are strong controls, then that should help to provide assurance or confidence that the assets are being protected correctly. We can't overlook the concept of someone being exempt from the controls to begin with.

Now we have to think about the controls that already exist. A preventive control is something that tries to prevent something from happening. It's pretty self-explanatory. A detective control is something that detects an instance of an event. Finds a problem and then sends some kind of alert. Detective controls can be something like an intrusion detection system. Something happens, the device senses it and then it lets somebody know.
A corrective control tries to repair a problem after it gets detected. There are various instances of corrective controls that might be in use in your environment. What about administrative controls? These are things that come from management in the form of policies and procedures. So they decide what you're supposed to do, what you're not supposed to do, how the organization functions and so on. Then we have technical controls, sometimes called logical controls. This is actually using some software or hardware or firmware to provide a technical solution to something that needs to be done. Firewalls, password protection, encryption. These are all different types of technical controls. Then we have physical controls. Good examples might be things like gates, guards, guns, locks. Security cameras, and so on.

Alright, moving on to preparing the audit plan. Again, we think about the emphasis on documentation here. Having correct documentation, gathering what's required before the biggest part of the planning happens helps to move the planning process along more smoothly. If your plan requires that you have all the documents ready to go, then gathering all this information ahead of time is going to ease things along. So lots of different questions might come up, as far as what will be actually performed during the audit. Who is actually involved? What was audited? What evidence was collected? What procedures were used to test something? When did this activity happen? Where did it happen? What was the purpose of the activity? Then were the proper procedures executed in this particular case? Good questions to have ready at any moment.

Alright, so we looked before at a skills matrix. Now we can think about how certain members of the team might do certain tasks. So we have our lead auditor. They're going to manage the audit team.
They're going to communicate issues to the client or the auditee; facilitating, getting extra assistance or escalating assistance, and also performing quality control. The auditor, on the other hand, also manages the audit team. They manage the technical experts to get information as required that's outside their area of expertise. They collect samples; they do their testing, analyze results, determine findings and prepare reports. Then we have our technical expert assisting in the collection of samples, testing and analyzing results. The auditor that's in training would just observe various things. They observe communications. They observe when the technical experts are being consulted. They observe collections of evidence and then assist in determining the findings, preparing reports and doing quality control. Then, lastly, the guide helps get access to different assets and aspects of the facilities in the physical locations and helps with escalating access to different components within the facility. So a pretty good breakdown of how different members of the team might do different tasks.

Now we think about preparing the documents that we'll be working from. Again, we start with our objectives, knowing what the criteria and standards are that are going to be followed. What is the scope of the audit? Where is the activity going to take place? When is it going to take place? How long will the activity take? What are the roles and responsibilities of the audit team? How do we allocate resources to the audit team? Agreeing upon that working language and the reporting language. This goes back to the concept of our terms of reference. Then we think about the reporting topics that will be produced as an output of the report, or as an output of the audit, any logistics that are required for travel or where people will work when they arrive. That should all be known ahead of time. Then we think about confidentiality matters.
How that is dealt with, and lastly how the follow-up actions will happen for the audit.

Alright, so when we're actually on-site, we have to think about the agenda. This is a sample agenda here. We confirm the objectives, making sure everyone's on the same page as far as what's going to be done, making sure we have the engagement letter or the audit charter to confirm that we have the proper authority to do the audit. Where is the action going to take place? Locations? Access level? Maybe you have an executive summary of all of the audit activities that will be performed. Then you confirm all the communication channels. If you've got a guide or a liaison, you would want to identify that person or persons and make sure that they're aware of what the requirements are. Then we think about the interview schedule, or other meetings that are scheduled, and make sure that those are still agreeable to the client, make any adjustments as needed. Then you might have a Q&A period at the end of this time period to make sure that everyone is comfortable with the groundwork that's been laid up to this point.

[/toggle_content]