Time: 8 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9

Video Description

This lesson focuses on the role of the auditor in making observations, and on how much bearing what they find has on the organization. Auditors really need to be aware of confidentiality and how it relates to the information they have access to. The results of audits are on average retained by a company for about seven years. This lesson also covers standard terms of reference; there are terms that mean the same thing across the board in auditors' reports and/or requests. Participants also learn about internal and external auditors.

Transcript

Okay, so as I mentioned earlier, the auditor should be considered as an executive position. There are lots of good reasons for this. The auditor is in a position where they're being paid very well to make observations, interview people, test things, examine things, and the outcome or the output of that work has a lot of bearing on the organization. One of the top things we need to think about as an auditor is the confidentiality aspect. There are a lot of things to think about here. For one thing, where the auditor does their work might vary. For instance, you might be going into a particular location to look at something and you have to look at it while you're in that location, like someone's office, for instance, and you're not allowed to remove that material. It's kind of like going to the Library of Congress. You're allowed to look at certain books, but you can't check them out. So that's one aspect of it. Also, auditors need to be in touch with the legal personnel within the organization, to make sure that they've got all the proper documentation in place so that everyone is protected against any disclosure, or accidental disclosure, of information. One of the things we can think about is the principle of least privilege, meaning that the auditor is given access and information sufficient to get their job done but nothing more.
From the point of view of the auditee, that makes sense as well. You wouldn't want to go on a long explanation about something if you don't need to. Give the auditor the information they're looking for and then move on to the next item, so everyone can get their jobs done more efficiently. We also have this concept of working papers, or WPs. This is just a generic term for the documents that the auditor uses during the course of the audit. These could be built from templates, like spreadsheets and regular office documents, or they could be things that are generated dynamically as the auditor is doing their work. Maybe they're just taking notes using a laptop. In general, we're probably thinking more about having a pre-prepared document in a template type form to make the job easier, more consistent and more repeatable every time the auditor needs to repeat that type of activity. So it just depends on your working style as far as what makes the most sense for you. Some other things to think about: there's mention here of locking security cables for things like laptops, maybe having screen filters so that people can't see what you're looking at, or possibly having auditors doing their work in an office that has its own locked door so that they can work in privacy without interruption, in case they're looking at sensitive information, or in case they're worried about other people looking over their shoulder at that sensitive information. So that's a couple of things to think about as far as some type of isolation for the actual auditing, investigative part of the work. There's also mention of creating an archive of your documents.
This is an important thing to think about as well, because if you're creating all this documentation from your templates, or creating it from scratch, and building up all this information that's used when you have your findings and your different remediation advice, and so on, you want to be able to have an archive of this material that you can return to at a later time if needed. It makes sense that this would all be protected electronically. It's very unlikely you'd be doing a lot of this work with actual paper, but if it is electronic documents, then it makes it much easier to deal with moving this around, providing it to other people that may need it, and so on. You can use encryption, password protection, and other security controls to better protect that information. So, when the auditor is working with an executive or various executives, usually executives are concerned with the bottom line. What are the factors that affect the health of the organization? If your organization is losing money due to mismanagement or poor governance or actual fraud or embezzlement, then executives at the top level are certainly going to want to know why that's happening, how it's happening, and where the evidence is showing that there is some activity that needs to be investigated. The auditor, of course, plays a vital role in this case in order to assist the organization in uncovering the evidence of crime. Obviously operating costs are a big factor as well. That affects the bottom line too. So if the payroll or other services within the organization are garnering too much of the available funds, then that becomes its own issue. Sometimes this is more of an accountant issue to think about, but regardless of where the error happens, some sense needs to be made of what is found so that it can be reported properly and some analysis can be done to understand where the problem occurred and what to do about it, with an eye for prevention instead of just detection.
Then executives are also thinking about opportunity. This makes sense in the context of looking at your revenue and other expenses, because there could be an opportunity that presents itself but it may not be feasible to act on that opportunity due to lack of resources. So this all kind of ties together as far as the mindset that the executives might have. If the auditor can assist in addressing these three areas and trying to find any areas of fraud, waste and abuse, for instance, or areas that can be improved for efficiency reasons, then that might free up more capital for different initiatives that the organization has in mind. Now, working with IT professionals is much different than working with executives. IT professionals in general don't get to make too many decisions about how the organization operates or how it spends its money. First we have supporting roles. This would be everyone from your helpdesk worker to your system administrators; people that manage the network, for instance, would all qualify as supporting roles. An important thing to think about for someone that's in a supporting role is that they might be a great resource for information about how something is done. So if you're examining something or testing something, IT support personnel are ideal people to work with. We just have to be careful that they are giving you unbiased information. For instance, you might have an organization that is standardized on one or two vendors' products. And because of that situation, that might affect the way that the IT support person views your questions or your requests for advice. So they might be a little bit biased towards one vendor or another, and that needs to be taken into account. We also have programmers for information systems. These are the people that are developing applications, creating interfaces, web applications, and so on.
They've got a much closer relationship with the actual security controls that are used for the applications themselves and for the underlying operating system, and possibly even the environment of operation, or your network. So they have their own perspective to offer to the auditor when asking questions about security controls, the effectiveness of certain network topologies, and so on. So there's a slightly different perspective to think about between a support person and someone who's actually doing some development work. I mentioned earlier in the objectives for the chapter that we need to think about how the audit information gets retained. A typical standard is seven years. Of course, that could be different depending on what the organization requires and what regulatory confinements there might be in place. Generally, seven years is a good rule of thumb to work with. It certainly couldn't hurt to keep something longer than is required, other than the effect of possibly taking up more space. So, another thing to think about, which I was speaking about a few minutes ago, is having an isolated area, or maybe a war room. In my experience, it helps to have the auditors working in an office that has its own key card access, so only people that have the right badge can get into that room. That way you keep out people who are casual office workers wanting to come by and chat, and that kind of thing. It also helps to keep prying eyes away from sensitive material that the auditors may have procured and are analyzing in that workspace. This is not always possible, of course. Some organizations just don't have the facilities to create a separate area for auditors to work in. So it varies, but that's a good idea as a best practice consideration. Also, that would apply to meetings and interviews. So remember, we're interviewing, we're examining and we're testing.
If you're interviewing somebody, asking them very sensitive questions about certain transactions, or how the organization handles certain situations, or how the policies work, that might not be a conversation you would like to have where other people around could hear. So it makes sense in that case to also consider going to a conference room or someplace where you can have a little bit more expectation of privacy. All right, so I mentioned earlier about auditors being in somewhat of a leadership role. This is an important thing to think about, because if the auditor is presenting themselves as a professional person with integrity, they treat people fairly, they treat people with respect, and they are good at being personable and finding out the information that they're seeking, either through an interview, examining something, or testing something, then that translates well into leadership qualities. And the people that are interacting with the auditor are going to be much more likely to cooperate if they like that person, if they like being around them, if they feel like they are treated fairly, and if they feel that the information that they give the auditor is truly helping the organization and won't just be used against them for some other purpose later. If they believe in the integrity of the auditor, then they trust in their professionalism and their ability to keep information confidential when it's required. The auditor needs to convey the objectives of the questioning, or the audit in general, to various stakeholders. So, in turn, they must have a good feeling about that interaction. They need to be able to actually believe what the auditor's telling them and say, 'If you really found this, then we need to fix this, so let's take action.' So it's kind of a synergy between the auditee and the auditor to demonstrate leadership and then get the results that are needed as a result of a good leadership style.
Of course, for some organizations that might not be as easy to do as for others. It just depends on your corporate culture, and so on. What about planning and setting priorities? I've talked a little bit already about the value of planning ahead: setting objectives, prioritizing those things which are most important to discover first, and then relegating other things to be most important to discover next, and so on. This is a very valuable exercise to undergo before doing any work, because now it gives the auditor, and the auditee, a sense of how things will go from start to finish, what's most important, what is of secondary importance, what is of tertiary importance, and so on. It just helps everyone get everything done more efficiently. So the auditor should know what the business is, how it operates, and whether it has certain business cycles that are more important than others. For instance, if you were auditing a retail establishment, you might have to pay special attention during the holiday season, since that's when retail establishments do a large portion of their business for the year. That might be a bad time to do an audit, for instance, because everyone's too busy just keeping up with the demands of running the organization. Another consideration is that some organizations might have a lot of people taking vacation during July. That's a typical month that people go on their summer vacation. That might be a difficult time to find the right people to interview, or to examine or test certain things that need to be looked at as part of an audit. So timing within the business cycle needs to be considered somewhat. Prioritization has something to do with what the client wants.
Of course they can decide, to some degree, what they think is most important, but the auditor has some input here as well, and maybe some negotiation might take place so that both parties can agree that, 'This is the most important thing to look at first, and then we'll move on to something else.' So some of this involves logistics, basically: timing, available staff, trying to prioritize those things that should be attacked first, and then, of course, you need to deal with finding other people to help round out the team. It could be that, as I mentioned in an earlier section, you're doing an audit but you don't have all the expertise required. So you do the portion you're able to do competently, but then you might have to bring in other people to do some portion that they are competent to do. This is why planning ahead of time makes the most sense, because now you're not scrambling in the middle of the audit trying to find someone to get part of the job done. So, discovery requests. This ties in well with the items that I was talking about in the previous slide. If you need to get documents, or you need to get information, it makes sense that you would make those requests when you know the people who can provide the answer are actually available. If you're making requests during regular business hours, during a normal time of the year, then you should get a decent response, but if you're doing it after business hours, or during a very busy time of the year, or when people are on vacation, and so on, that causes problems. So knowing some of the scheduling information ahead of time makes a lot of sense, just as it would if you were having to travel to a location. If you can group your activities together in one location before going to the next location, then you're more efficient; you're using the expenditure for the travel a little bit more wisely.
When there are problems with scheduling or the availability of people for interviews, and so on, the auditor needs to be able to deal with that in a professional, congenial way, to say that they can reschedule or try to accommodate the client as best they can in order to make everyone's schedule workable. Now we're talking about standard terms of reference. This is an important concept to think about. What we mean here is that you've got terminology being used that's considered standard, so that, for instance, if someone says that something was tested, or not tested, or the access was denied, those terms mean the same thing in all cases. So having a little bit of a vocabulary, so to speak, for some of the language in the auditors' reports and the requests makes a lot of sense. Something was present or not present. A requirement was changed. Something was not verified, or it was verified. Maybe there was a lack of time to get something done. These are all very concise terms that help convey the needs of the audit in a way that's consistent over time. So if somebody has to come back at a later time and look at this information, they could say, 'Okay, well, it's very clear that someone wasn't present. They ran out of time and we also had a new requirement.' And now everyone looking at this information can be on the same page, literally, with what's actually being discussed. All right, so I mentioned a little bit about conflicts. Failures are also something that needs to be considered. The reason is that when one professional is relating to another, sometimes they don't communicate very well. Maybe they have to learn a little bit about how each other communicates in order to have productive conversations. The key, though, is that the auditor remains professional, remains calm and has an attitude of resolution: 'We're going to get this worked out. Let's not get worked up. Let's just address the next issue and we'll take a break,' and so on.
So little tactics like this can go a long way towards getting through a long process. Sometimes the people that are being audited are uncooperative. Maybe they're nervous. Maybe they are being taken away from other duties and that's causing them to be a little bit upset. So these are natural aspects of human nature that we need to consider. Of course, the auditor has their own considerations. They don't have unlimited time and money and energy to perform their work. So the idea is to try and strike a balance between what the auditor needs and what the needs of the client are, so they feel respected, they feel that they're not being put under too much pressure, and therefore you can create a good working relationship. So how would we value an external auditor versus an internal auditor? You might think that the internal auditor has more value in a lot of ways, and that might be the case. They have institutional knowledge. They understand how the business works. They know who the players are. They know who to talk to if they need certain bits of information. So that translates into more efficiency, as far as getting answers to questions, or getting something tested that needs to be looked at, because the internal auditor has more familiarity. And, of course, since they're already working for the organization, there's little to no extra cost in using an internal auditor for some of your work. In contrast, the external auditor is getting paid for their opinion. They are usually a third party. So they're coming in from an auditing firm, perhaps, or from the auditing division of your organization. They might be more expensive if they're a third party. Obviously they have to be paid for their time. But they offer something that the internal auditor can't offer, which is a more objective viewpoint.
They don't have preconceptions about what the organization's doing, or maybe they have a little bit of information about that, but they don't have a lot of institutional knowledge that might bias their opinion one way or the other. So, even though the external audit is more expensive, it does provide a more unbiased opinion. All right, so let's talk about the evidence rule. What we're dealing with here is making sure that the auditor has enough evidence to form a solid opinion. If the auditor has an opinion but they can't back it up with information that they gathered through an interview, or through examination, or through testing something, then that's going to cause problems with the audit, because now it might seem like the auditor's opinion is unsubstantiated. So it's an important thing to consider, when gathering information and formulating an opinion, to make sure that you've got the correct evidence collection procedures at hand. So, speaking of interviews, these are some of the people that might be interviewed. This is not an all-inclusive list, of course. In addition to thinking about who needs to be interviewed, we need to think about how much time should be allocated for that task. The more important someone is, the less time they'll probably have available. Their time is more valuable. Trying to interview the CEO, for instance, would be difficult to schedule, and they probably wouldn't have more than maybe ten or fifteen minutes to spare. Versus someone who's lower in the organization, in middle management or lower management: they might be easier to get into an interview and might also have more time available. So, if you're the data owner, most likely that's someone at the vice-president level. They've got some different responsibilities that we can see here. They can classify data and decide what kinds of security controls should be in place.
Versus a data user, who is someone that's running one of the business units, perhaps, or even a client of the organization. Their responsibilities are different because they've got to think about what constitutes acceptable use and acceptable access, and the data user, and to some extent the data owner as well, are responsible for the security of that data. Having some discretionary control over who can get access to it is part of this picture as well. Then we have data custodians. Some examples are a database administrator, maybe a programmer, or a system admin. These people are tasked with protecting information as it relates to the systems and networks that it resides on, or transmits across. They also have to be able to support the audit when it comes along, and be able to support the individual users when they need help with access or other considerations of performance.

Video Transcription

00:04
Okay, So, as I mentioned earlier, the auditor should be considered as an executive position.
00:11
There's lots of good reasons for this.
00:13
The honor is in a position where they
00:16
they're being paid what very well, too.
00:19
Make
00:20
observations,
00:22
interview people, test things, examine things.
00:26
And the outcome of the output of that work has a lot of bearing on the organization.
00:32
One of the top things we need to think about his new order is the confidentiality aspect.
00:38
A lot of things to think about here,
00:40
uh, for one thing,
00:43
where the auditor does their work,
00:45
my very,
00:47
for instance, you might be going into a
00:50
particular location to look at something,
00:53
and you have to look at it while you're in that location like someone's office, for instance,
00:57
and you're not allowed to remove that material.
00:59
It's kind of like going thio. The Library of Congress are allowed to look at certain books, but you can't check them out,
01:06
so that's one aspect of it.
01:07
Also, auditors need to be in touch with
01:11
the legal training
01:14
legal personnel rather within the organization, to make sure that they've got all the proper documentation in place
01:22
so that everyone is protected
01:26
against any disclosure or accidental disclosure of information.
01:30
One of the things we can think about
01:34
count applies this a little bit. Is the principle of Lise privilege
01:38
meaning that the auditors given access
01:41
and information
01:44
sufficient to get their job done, but nothing more?
01:47
And if, from the point of view of the auto T that makes sense as well, you wouldn't want to
01:53
go on you a long explanation about something. If you don't need to
01:57
give the auditor information are looking for and then move on to the next items, everyone get their jobs done
02:04
more efficiently.
02:05
So we also this concept of working papers. W peas.
02:08
This isn't just a generic term for
02:12
the documents that the auditor uses during the course of the audit.
02:16
These could be working from templates
02:20
like spreadsheets and regular office documents,
02:23
or could be things that are generated
02:25
dynamically as the auditors doing their work. Maybe they're just taking notes
02:30
using a laptop,
02:32
but in general were probably
02:36
more thinking about having a pre prepared documents in a template type form
02:42
to make the job easier, more consistent and more repeatable.
02:45
Every time the auditor needs to repeat that type of activity,
02:50
so it just depends on your working style as faras. What makes the most sense for you
02:54
some of the things to think about.
02:58
It's mentioned here of locking security cables
03:00
for things like laptops, maybe having screen filters so that people can't see what you're looking at,
03:07
possibly having auditors doing their work and a office that has a its own locked door
03:15
so they can work
03:16
in privacy without interruption in case to looking at sensitive information
03:22
or in case
03:23
they're worried about other people
03:25
looking over their shoulder at that sensitive information.
03:29
That's one thing to a couple of things to think about as faras,
03:32
some type of isolation for the actual auditing,
03:37
uh, investigative part of the work.
03:40
He's also mentioned of
03:43
creating an archive of your documents.
03:46
This is an important thing to think about as well, because if you're creating all this, documentation from your templates are creating it from scratch
03:53
and building up all this information that's used
03:57
when you have your findings and your
04:00
different remediation
04:01
advice and so on,
04:03
you want to be able to have an archive of this material that you can return to it, a later time if needed.
04:10
It makes sense that this would all be, ah,
04:13
protected electronically.
04:15
It's very unlikely you'd be doing a lot of this work with actual paper. But
04:18
if it is, Elektronik documents that it makes it much easier to deal with moving this around,
04:26
providing it to other people that may need it and so on.
04:29
You can use encryption, password protection
04:30
and other security controls to
04:33
better protect that information.
04:35
So when the auditor is working with an executive
04:39
or various executives,
04:42
usually executives are concerned with the bottom line, right?
04:46
What are the
04:46
factors that affect the health of the organization?
04:53
If you're your organization? Is losing money
04:56
due to mismanagement or poor governance
05:00
or actual fraud or embezzlement
05:02
than executives at the top level are gonna certainly want to know why that's happening, how it's happening?
05:09
Where's the evidence showing that there's
05:12
some activity that needs to be investigated?
05:15
The honor, of course. Her provides a vital role in this case
05:18
and able to
05:20
in order to assist
05:23
the organization
05:25
and uncovering the evidence of crime.
05:28
Obviously, operating costs
05:30
are a ah big factor as well.
05:33
That affects the bottom line two.
05:35
So if the payroll or other
05:39
service is within the organization
05:41
are garnering too much of the available funds
05:45
that becomes its own issue.
05:46
Sometimes this is war but accounting
05:48
accountant issue to think about.
05:51
But
05:53
regardless of where the air happens,
05:57
some sense needs to be made of what is found and so that that could be reported properly.
06:01
And some analysis can be done to understand where the problem occurred and what to do about it
06:08
with an eye for prevention instead of just detection. Right then, executives were also thinking about opportunity,
06:15
and this makes sense in the context of looking at your revenue and other expenses
06:23
because there could be opportunity that presents itself.
06:26
But it may not be feasible to act on that opportunity due to lack of resources.
06:31
So it's all kind of ties together as far as the mindset that executive might have.
06:38
And if the auditor can can assist in
06:40
in addressing these three areas
06:43
and trying to find any areas of fraud, waste and abuse, for instance,
06:46
areas that can be improved for efficiency, reasons
06:50
that might free up more capital for different initiatives that the organization has in mind
06:56
working with. I T professionals is much different than working with executives.
07:01
I T professionals in general, don't get to make
07:04
too many decisions about how the organization operates or how it spends its money.
07:11
First, we have supporting roles.
07:14
This should be everyone from your help desk worker to assist the administration system administrators.
07:19
People that manage the network, for instance, would all qualify as supporting roles.
07:27
And an important thing to think about for someone that's in a supporting role is
07:31
they might be a great resource for information about how something is done. So if you're examining something or testing something,
07:40
support personnel, ideal people to work with,
07:44
we just have to be careful
07:46
that they are giving you unbiased information.
07:49
For instance, you might have AH, organization that is standardized
07:55
on one or two vendors products.
07:59
And because of that situation that might affect the way that the ACI support person views your questions or your your your
08:07
request for advice.
08:11
So they might be a little bit biased towards one vendor or another, and that needs to be taken into account,
08:15
and we also have programmers
08:18
for information systems. These are the people that are developing applications, creating
08:24
interfaces with applications and so on.
08:28
They've got a much closer
08:31
relationship with the actual security controls that are used for the applications themselves
08:37
and for the underlying operating system and possibly even
08:41
the environment of operation or your network.
08:45
So they have their own perspective to offer to the auditor when asking questions about security controls,
08:52
the effectiveness of certain networked apologies, and so on.
08:56
So slightly different perspective to think about between a support person and
09:01
someone who's
09:03
actually doing some development work.
09:07
So I mentioned earlier in the objectives for the chapter that
09:09
we need to think about how the audit information gets retained,
09:15
a typical standard seven years. Of course, that could be different, depending on what the organization requires and
09:22
what regulatory
09:24
confinements there might be in place.
09:28
But generally, seven years is a good rule of thumb to work with.
09:31
It certainly couldn't hurt to keep something longer,
09:35
then has required other than the effect of possibly taking up more space.
09:41
Yeah,
09:41
so another thing to think about is what I was speaking up Ah, few minutes ago about is having an isolated area or maybe a war room.
09:50
My experience having the auditors may be working in a
09:56
office that has its own key card access.
10:00
The only people that have the right badge could get into that room.
10:03
That way, you keep out people who are casual office workers wanted to come by and chat that kind of thing. It also helps to keep prying eyes away from sensitive material that the auditors may have procured and are analyzing in that work space. This is not always possible, of course.
10:24
Some organizations just don't have
10:26
the facilities to create a separate area for honors to work in, so
10:31
it varies. But that's a good idea as a best practice consideration.
10:35
Also,
10:37
that would apply with meetings and interviews. Remember, were interviewing were examining, and we're testing
10:43
if you're interviewing somebody,
10:45
asking them very sensitive questions about certain transactions, or how the organization
10:50
handles certain situations, how the policies work,
10:54
that might not be a conversation you would would liketo have
10:58
where other people around could hear.
11:01
So it makes sense in that case to also consider
11:03
going to a conference room
11:07
or someplace where you can have a little bit more expectation of privacy.
11:11
All right. So I mentioned earlier about auditors being in somewhat of a leadership role, and this is an important thing to think about, because if the auditor is presenting themselves as a professional person with integrity, they treat people fairly, they treat people with respect, and they are good at being personable and finding out the information that they're seeking, either through, you know, an interview, examining something or testing something, then that translates well into leadership qualities. And the people that are interacting with the auditor are going to be much more likely to cooperate if they like that person, if they like being around them, if they feel like they are treated fairly, and if they feel that the information that they give the auditor is truly helping the organization and won't just be used against them for some other purpose later. If they believe in the integrity of the auditor, then they trust in their professionalism and their ability to keep information confidential when it's required. The auditor needs to convey the objectives of the questioning, or the audit in general, to various stakeholders, so in turn they must have a good feeling about that interaction. They need to be able to actually believe what the auditor is telling them: if you really found this, then we need to fix this. Let's take action. So it's kind of a synergy between the auditee and the auditor to demonstrate leadership and then get the results that are needed as a result of a good leadership style. Of course, in some organizations that may not be as easy to do as in others. It just depends on your corporate culture and so on.
13:05
What about planning and setting priorities? I talked a little bit already about the value of planning ahead, setting objectives, prioritizing those things which are most important to discover first, and then relegating other things to be the next most important to discover, and so on. This is a very valuable exercise to undergo before doing any work, because now it gives the auditor and the auditee a sense of how things will go from start to finish. What's most important, what is of secondary importance, what is of tertiary importance, and so on? It just helps everyone get everything done more efficiently. So it helps if the auditor knows what the business is, how it operates, whether they've got certain business cycles that are more important than others. For instance, if you were auditing a retail establishment, you might have to pay special attention during the holiday season, since that's when retail establishments do a large portion of their business for the year. That might be a bad time to do an audit, for instance, because everyone's too busy just keeping up with the demands of running the organization. Other considerations might be that some organizations have a lot of people taking vacation during July, right? That's a typical month when people go on their summer vacation. That might be a difficult time, too, to find the right people to interview, or to examine or test certain things that need to be looked at as part of an audit. So timing, the business cycle, needs to be considered somewhat.
14:50
Prioritization has something to do with what the client wants. Of course, they could decide to some degree what they think is most important, but the auditor has some input here as well, and maybe some negotiation might take place so that both parties can agree that this is the most important thing to look at first, and then we'll move on to something else. So some of this involves logistics, basically timing, available staff, trying to prioritize those things that should be attacked first. And then, of course, you need to deal with finding other people to help round out the team. It could be that, as I mentioned in an earlier section, you're doing an audit but you don't have all the expertise required. So you do the portion you're able to do competently, and you might have to bring in other people to do some portion that they're competent to do. This is why planning ahead of time makes the most sense. Now you're not scrambling in the middle of the audit, trying to find someone to get part of the job done.
15:54
So, discovery requests. This ties in well with the items I was talking about on the previous slide. If you need to get documents, you need to get information, it makes sense that you would make those requests when you know the people who can provide the answer are actually available. If you're making requests during regular business hours, during a normal time of the year, then you should get a decent response. But if you're doing it after business hours, or during a very busy time of the year, or when people are on vacation and so on, that causes problems. So knowing some of the scheduling information ahead of time makes a lot of sense, just as it would if you were having to travel to a location. If you could group your activities together in one location before going to the next location, then you're more efficient; you're using the expenditure for the travel a little bit more wisely. When there are problems with scheduling or availability of people for interviews and so on, the auditor needs to be able to deal with that in a professional, congenial way, to say that they can reschedule or try to accommodate a client as best as they can in order to make everyone's schedule workable.
17:18
Now we're talking about standard terms of reference. This is an important concept to think about. So what we mean here is that you've got terminology being used that's considered standard, so that, for instance, if someone says that something was tested or not tested, or the access was denied, the meaning of those terms is the same in all cases. So having a little bit of a vocabulary, so to speak, for some of the language in the auditor's reports and requests makes a lot of sense. Something was present or not present, a requirement was changed, something was not verified or was verified. Maybe there was a lack of time to get something done. Usually these are very concise terms that help convey the needs of the audit in a way that's consistent over time. So if somebody has to come back at a later time and look at this information, they could say, OK, well, it's very clear that someone wasn't present, they ran out of time, and we also had a new requirement. And now everyone looking at this information can be on the same page, literally, with what's actually being discussed.
18:42
All right, so I mentioned a little bit about conflicts. We could also consider failures as something that needs to be considered, and the reason is because when one professional is relating to another, sometimes they don't communicate very well. Maybe they have to learn a little bit about how each other communicates in order to have productive conversations. The key, though, is that the auditor remains professional, remains calm, and has an attitude of resolution: we're going to get this worked out, let's not get worked up. Let's just address the next issue and then we'll take a break, and so on. So little tactics like this could go a long way towards getting through a long process. Sometimes the people that are being audited are uncooperative. Maybe they're nervous. Maybe they are being taken away from other duties, and that's causing them to be a little bit upset. So these are natural human nature things that we need to consider. Of course, the auditor has their own considerations. They don't have unlimited time and money and energy to perform their work. So the idea is to try to strike a balance between what the auditor needs and what the needs are of the client, so they feel respected, they feel they're not being put under too much pressure, and that therefore can create a good working relationship.
20:18
So how would we value an external auditor versus an internal auditor? You might think that the internal auditor has more value in a lot of ways, and that might be the case. They have institutional knowledge. They understand how the business works. They know who the players are. They know who to talk to if they need certain bits of information. So that translates into more efficiency as far as getting answers to questions or getting something tested that needs to be looked at, because the internal auditor has more familiarity. And, of course, since they are already working for the organization, there's little to no extra cost in using an internal auditor for some of your work. In contrast, the external auditor is getting paid for their opinion. They're a third party, usually, so they're coming in from an auditing firm, perhaps, or from the auditing division of your organization. They might be more expensive if they are a third party; obviously they have to be paid for their time, but they offer something that the internal auditor can't offer, which is a more objective viewpoint. They don't have preconceptions about what the organization is doing. We're going to have a little bit more information about that, but they don't have a lot of institutional knowledge that might bias their opinion one way or the other. So even though the external audit is more expensive, it does provide a more unbiased opinion.
22:02
All right, so let's talk about the evidence rule. What we're dealing with here is making sure that the auditor has enough evidence to form a solid opinion. If the auditor has an opinion but they can't back it up with information that they gathered through an interview, or through examination, or through testing something, that's going to cause problems with the audit, because now it might seem like the auditor's opinion is unsubstantiated. So it's an important thing to consider when gathering information and formulating an opinion, to make sure you've got the correct evidence collection procedures at hand.
22:44
So, speaking of interviews, these are some of the people that might be interviewed. This is not an all-inclusive list, of course, but in addition to thinking about who needs to be interviewed, we need to think about how much time should be allocated for that task. The more important someone is, the less time they will probably have available; their time is more valuable. Trying to interview the CEO, for instance, would be difficult to schedule, and they probably wouldn't have more than maybe 10 or 15 minutes to spare, versus someone who's lower in the organization, middle management or lower management. They might be easier to get into an interview and might also have more time available.
23:26
So if you're the data owner, most likely that's someone at the vice president level. They've got some different responsibilities. As you can see here, they classify data and decide what kinds of security controls should be in place, versus the data user, who is someone that's running one of the business units, perhaps, or even a client of the organization. Their responsibilities are different because they've got to think about what constitutes acceptable use, acceptable access. And the data user, and somewhat the data owner as well, are responsible for the security of that data. Having some discretionary control over who could get access to it is part of this picture as well. And then we have data custodians, some examples being a database administrator, maybe a programmer or system admin. These people are tasked with protecting information as it relates to the systems and networks that it resides on or transmits across. But they also have to be able to support the audit when it comes along, and be able to support the individual users when they need some help with access or other considerations of performance.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor