This lesson focuses on the role of the auditor in making observations; what they find has a lot of bearing on the organization. Auditors really need to be aware of confidentiality and how it relates to the information they have access to. The results of audits are on average retained by a company for about seven years. This lesson also covers standard terms of reference: terms that mean the same thing across the board in auditors' reports and/or requests. Participants also learn about internal and external auditors.

Transcript

Okay, so as I mentioned earlier, the auditor should be considered as an executive position. There are lots of good reasons for this. The auditor is in a position where they're being paid very well to make observations, interview people, test things, examine things, and the outcome or the output of that work has a lot of bearing on the organization. One of the top things we need to think about as an auditor is the confidentiality aspect. A lot of things to think about here. For one thing, where the auditor does their work might vary. For instance, you might be going into a particular location to look at something and you have to look at it while you're in that location, like someone's office, for instance, and you're not allowed to remove that material. It's kind of like going to the Library of Congress. You're allowed to look at certain books, but you can't check them out. So that's one aspect of it. Also, auditors need to be in touch with the legal training, or the legal personnel, rather, within the organization, to make sure that they've got all the proper documentation in place so that everyone is protected against any disclosure, or accidental disclosure, of information. One of the things we can think about is the principle of least privilege, meaning that the auditor is given access and information sufficient to get their job done but nothing more.
From the point of view of the auditee, that makes sense as well. You wouldn't want to go on a long explanation about something if you don't need to. Give the auditor the information they're looking for and then move on to the next item, so everyone can get their jobs done more efficiently. We also have this concept of working papers, WPs. This is just a generic term for the documents that the auditor uses during the course of the audit. These could be working from templates, like spreadsheets and regular office documents, or it could be things that are generated dynamically as the auditor is doing their work. Maybe they're just taking notes using a laptop. In general, we're probably more thinking about having a pre-prepared document in a template type form to make the job easier, more consistent and more repeatable every time the auditor needs to repeat that type of activity. So it just depends on your working style as far as what makes the most sense for you. Some other things to think about: there's mention here of locking security cables for things like laptops. Maybe having screen filters so that people can't see what you're looking at, or possibly having auditors doing their work in an office that has its own locked door so that they can work in privacy without interruption, in case they're looking at sensitive information, or in case they're worried about other people looking over their shoulder at that sensitive information. So that's a couple of things to think about as far as some type of isolation for the actual auditing investigative part of the work. There's also mention of creating an archive of your documents.
This is an important thing to think about as well because if you're creating all this documentation from your templates, or creating it from scratch, and building up all this information that's used when you have your findings and your remediation advice, and so on, you want to be able to have an archive of this material that you can return to at a later time if needed. It makes sense that this would all be protected electronically. It's very unlikely you'd be doing a lot of this work with actual paper, but if it is electronic documents then it makes it much easier to deal with moving this around, providing it to other people that may need it, and so on. You can use encryption, password protection, and other security controls to better protect that information. So, when the auditor is working with an executive or various executives, usually executives are concerned with the bottom line. What are the factors that affect the health of the organization? If your organization is losing money due to mismanagement or poor governance or actual fraud or embezzlement, then executives at the top level are going to certainly want to know why that's happening, how it's happening, and where is the evidence showing that there is some activity that needs to be investigated. The auditor, of course, provides a vital role in this case in order to assist the organization in uncovering the evidence of crime. Obviously operating costs are a big factor as well. That affects the bottom line too. So if the payroll or other services within the organization are garnering too much of the available funds, then that becomes its own issue. Sometimes this is more of an accountant issue to think about, but regardless of where the error happens, some sense needs to be made of what is found so that it can be reported properly and some analysis can be done to understand where the problem occurred and what to do about it, with an eye for prevention instead of just detection.
Then executives are also thinking about opportunity. This makes sense in the context of looking at your revenue and other expenses, because there could be opportunity that presents itself but it may not be feasible to act on that opportunity due to lack of resources. So, this all kind of ties together as far as the mindset that the executives might have. If the auditor can assist in addressing these three areas and trying to find any areas of fraud, waste and abuse, for instance, areas that can be improved for efficiency reasons, then that might free up more capital for different initiatives that the organization has in mind. Now, working with IT professionals is much different than working with executives. IT professionals in general don't get to make too many decisions about how the organization operates or how it spends its money. First we have supporting roles. This would be everyone from your helpdesk worker to your system administrators; people that manage the network, for instance, would all qualify as supporting roles. And an important thing to think about for someone that's in a supporting role is they might be a great resource for information about how something is done. So if you're examining something or testing something, IT support personnel are ideal people to work with. We just have to be careful that they are giving you unbiased information. For instance, you might have an organization that is standardized on one or two vendors' products. And, because of that situation, that might affect the way that the IT support person views your questions or your requests for advice. So they might be a little bit biased towards one vendor or another, and that needs to be taken into account. We also have programmers for information systems. These are the people that are developing applications, creating interfaces, web applications, and so on.
They've got a much closer relationship with the actual security controls that are used for the applications themselves and for the underlying operating system, and possibly even the environment of operation, or your network. So they have their own perspective to offer to the auditor when asking questions about security controls, the effectiveness of certain network topologies, and so on. So, slightly different perspective to think about between a support person and someone who's actually doing some development work. So I mentioned earlier in the objectives for the chapter that we need to think about how the audit information gets retained. A typical standard is seven years. Of course that could be different depending on what the organization requires and what regulatory confinements there might be in place. Generally, seven years is a good rule of thumb to work with. It certainly couldn't hurt to keep something longer than is required, other than the effect of possibly taking up more space. So, another thing to think about is what I was speaking about a few minutes ago, which is having an isolated area, or maybe a war room. In my experience, having the auditors maybe working in an office that has its own key card access. So, only people that have the right badge can get into that room. That way you keep out people who are casual office workers wanting to come by and chat and that kind of thing. It also helps to keep prying eyes away from sensitive material that the auditors may have procured and are analyzing in that workspace. This is not always possible, of course. Some organizations just don't have the facilities to create a separate area for auditors to work in. So it varies, but that's a good idea as a best practice consideration. Also that would apply with meetings and interviews. So remember we're interviewing, we're examining and we're testing.
If you're interviewing somebody, asking them very sensitive questions about certain transactions or how the organization handles certain situations, how the policies work, that might not be a conversation you would like to have where other people around could hear. So it makes sense in that case to also consider going to a conference room or someplace where you can have a little bit more expectation of privacy. Alright, so I mentioned earlier about auditors being in somewhat of a leadership role. And this is an important thing to think about, because if the auditor is presenting themselves as a professional person with integrity, they treat people fairly, they treat people with respect, and they are good at being personable and finding out the information that they're seeking, either through an interview, examining something, or testing something, then that translates well into leadership qualities. And the people that are interacting with the auditor are going to be much more likely to cooperate if they like that person, if they like being around them, if they feel like they are treated fairly, and if they feel that the information that they give the auditor is truly helping the organization and won't be just used against them for some other purposes later. If they believe in the integrity of the auditor, then they trust in their professionalism and their ability to keep information confidential when it's required. The auditor needs to convey the objectives of the questioning, or the audit in general, to various stakeholders. So, in turn, they must have a good feeling about that interaction. They need to be able to actually believe what the auditor's telling them and say, 'If you really found this, then we need to fix this, and let's take action.' So it's kind of a synergy between the auditee and the auditor to demonstrate leadership and then get the results that are needed as a result of a good leadership style.
Of course, for some organizations that might not be as easy to do as others. It just depends on your corporate culture, and so on. What about planning and setting priorities? I've talked a little bit already about the value of planning ahead. Setting objectives, prioritizing those things which are most important to discover first, and then relegating other things to be most important to discover next, and so on. This is a very valuable exercise to undergo before doing any work, because now it gives the auditor, and the auditee, a sense of how things will go from start to finish, what's most important, what is of secondary importance, what is of tertiary importance, and so on. It just helps everyone get everything done more efficiently. So the auditor should know what the business is, how it operates, whether they've got certain business cycles that are more important than others. For instance, if you were auditing a retail establishment, you might have to pay special attention during the holiday season, since that's when retail establishments do a large portion of their business for the year. That might be a bad time to do an audit, for instance, because everyone's too busy just keeping up with the demands of running the organization. Other considerations might be that some organizations have a lot of people taking vacation during July. That's a typical month that people go on their summer vacation. That might be a difficult time to find the right people to interview or to examine or test certain things that need to be looked at as part of an audit. So timing the business cycle needs to be considered somewhat. Prioritization has something to do with what the client wants.
Of course they can decide, to some degree, what they think is most important, but the auditor has some input here as well, and maybe some negotiation might take place so that both parties can agree that, 'This is the most important thing to look at first, and then we'll move on to something else.' So, some of this involves logistics, basically. Timing, available staff, trying to prioritize those things that should be attacked first, and then, of course, you need to deal with finding other people to help round out the team. It could be that, as I mentioned in an earlier section, you're doing an audit but you don't have all the expertise required. So you do the portion you're able to do competently, but then you might have to bring in other people to do some portion that they are competent to do. This is why planning ahead of time makes the most sense, because now you're not scrambling in the middle of the audit trying to find someone to get part of the job done. So, discovery requests. This ties in well with the items that I was talking about in the previous slide. If you need to get documents, you need to get information, it makes sense that you would make those requests when you know the people who can provide the answer are actually available. If you're making requests during regular business hours, during a normal time of the year, then you should get a decent response, but if you're doing it after business hours or during a very busy time of the year, or when people are on vacation, and so on, that causes problems. So knowing some of the scheduling information ahead of time makes a lot of sense. Just as it would if you were having to travel to a location. If you could group your activities together in one location before going to the next location, then you're more efficient; you're using the expenditure for the travel a little bit more wisely.
When there are problems with scheduling or availability of people for interviews, and so on, the auditor needs to be able to deal with that in a professional, congenial way. To say that they can reschedule or try to accommodate a client as best as they can in order to make everyone's schedule workable. Now we're talking about standard terms of reference. This is an important concept to think about. So what we mean here is that you've got terminology being used that's considered standard so that, for instance, if someone says that something was tested, or not tested, or the access was denied, the meaning of those terms is the same in all cases. So having a little bit of a vocabulary, so to speak, for some of the language in the auditors' reports and the requests makes a lot of sense. Something was present or not present. A requirement was changed. Something was not verified, or it was verified. Maybe there was lack of time to get something done. These are all very concise terms that help convey the needs of the audit in a way that's consistent over time. So if somebody has to come back at a later time and look at this information, they could say, 'Okay, well it's very clear that someone wasn't present. They ran out of time and we also had a new requirement.' And now everyone looking at this information can be on the same page, literally, with what's actually being discussed. Alright, so I mentioned a little bit about conflicts. We could also consider failures as something that needs to be considered. The reason is because when one professional is relating to another, sometimes they don't communicate very well. Maybe they have to learn a little bit about how each other communicates in order to have productive conversations. The key, though, is that the auditor remains professional, remains calm and has an attitude of resolution. 'We're going to get this worked out. Let's not get worked up.
Let's just address the next issue and we'll take a break,' and so on. So little tactics like this can go a long way towards getting through a long process. Sometimes the people that are being audited are uncooperative. Maybe they're nervous. Maybe they are being taken away from other duties and that's causing them to be a little bit upset. So these are natural human nature things that we need to consider. Of course the auditor has their own considerations. They don't have unlimited time and money and energy to perform their work. So, the idea is to try and strike a balance between what the auditor needs and what the needs are of the client. So they feel respected, they feel that they're not being put under too much pressure, and therefore can create a good working relationship. So how would we value an external auditor versus an internal auditor? You might think that the internal auditor has more value in a lot of ways, and that might be the case. They have institutional knowledge. They understand how the business works. They know who the players are. They know who to talk to if they need certain bits of information. So that translates into more efficiency, as far as getting answers to questions, or getting something tested that needs to be looked at. Because the internal auditor has more familiarity and, of course, since they're already working for the organization, there's little to no extra cost in using an internal auditor for some of your work. In contrast, the external auditor is getting paid for their opinion. They are a third party, usually. So they're coming in from an auditing firm, perhaps, or from the auditing division of your organization. They might be more expensive if they're a third party. Obviously they have to be paid for their time. But they offer something that the internal auditor can't offer, which is a more objective viewpoint.
They don't have preconceptions about what the organization's doing, or maybe they have a little bit of information about that, but they don't have a lot of institutional knowledge that might bias their opinion one way or the other. So, even though the external audit is more expensive, it does provide a more unbiased opinion. Alright, so let's talk about the evidence rule. What we're dealing with here is making sure that the auditor has enough evidence to form a solid opinion. If the auditor has an opinion but they can't back it up with information that they gathered through an interview, or through examination, or through testing something, then that's going to cause problems with the audit because now it might seem like the auditor's opinion is unsubstantiated. So it's an important thing to consider when gathering information and formulating an opinion, to make sure that you've got the correct evidence collection procedures at hand. So, speaking of interviews, these are some of the people that might be interviewed. This is not an all-inclusive list, of course. In addition to thinking about who needs to be interviewed, we need to think about how much time should be allocated for that task. The more important someone is, the less time they'll probably have available. Their time is more valuable. Trying to interview the CEO, for instance, would be difficult to schedule, and they probably wouldn't have more than maybe ten or fifteen minutes to spare. Versus someone who's lower in the organization, middle management or lower management, they might be easier to get into an interview and might also have more time available. So, if you're the data owner, most likely that's someone at the vice-president level. They've got some different responsibilities that we can see here. They can classify data. Decide what kinds of security controls should be in place.
Versus a data user, where they are someone that's running one of the business units, perhaps, or even a client of the organization. Their responsibilities are different because they've got to think about what constitutes acceptable use, acceptable access, and the data user, and somewhat the data owner as well, are responsible for the security of that data. Having some discretionary control over who can get access to it is part of this picture as well. Then we have data custodians. Some examples, like a database administrator, maybe a programmer or a system admin. These people are tasked with protecting information as it relates to the systems and networks that it resides on, or transmits across. They also have to be able to support the audit when it comes along, and be able to support the individual users when they need help with access or other considerations of performance.
Certified Information System Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.