This lesson covers audits. Audits are meant to uncover issues that are not in compliance with company policy. This lesson discusses the three types of audits:
- Internal audits and assessments (also called self-assessments)
- External audits
- Independent audits
Some audits are geared toward products (e.g., toys with toxic paint) and some are geared toward processes (e.g., business impact analysis). This lesson emphasizes the importance of the fiduciary relationship, which means acting in the best interest of another person and placing fairness ahead of your own interests.

[toggle_content title="Transcript"]
Alright, so what about the purpose of our audit? I spoke about this a little bit briefly earlier, knowing that the audit is expected to uncover things that are non-compliant, so the general sense, that's what we're trying to do. So, in order to do this properly, we have to have some objectives for the audit, to say that, 'These are the things we're looking at. This is the scope. Maybe this is the timeline that's allotted,' and, based on all of these different factors, the auditor can then best decide how to spend their time and energy.

Alright, so we have different types of audits to consider. You do need to know the difference between these types for the exam. So we have internal audits and assessments. Sometimes these are called self-assessments. These are valuable. Sometimes the self-assessment is done in the interim between an external audit. So it helps the organization understand whether or not they are doing things properly. For instance, if your audit is scheduled on an annual basis, you might do some self-assessments or internal audits on a quarterly basis to make sure that you're on track, to make sure that the items that you're most interested in are being properly managed and properly protected. That way, when the external audit comes along, someone comes in from outside the organization, you can furnish them with some proof that self-assessments or internal audits were done, and that might make their job a little bit easier and give them a better foundation to perform the external audit.
So the external audit, someone comes in from the outside, someone that's objective, not part of the organization, or maybe if they are part of the organization they're from a different section of it: a different business unit, let's say. In some organizations that I've worked for, the auditors were their own group within the organization and they weren't affiliated directly with any of the different business units. That could be the case. Or you simply just hire a third-party organization to do the work. There's a lot of advantages in doing an external audit because that means that the work is contracted. There are various parameters with regard to the scope, the duration, the cost, and, ideally, the person coming in to do the audit has no preconceptions about what the organization does, how they do it, what they're likely to find, and so on. That gives them the advantage to report more truthfully on what they discover because they're unbiased.

Then we have independent audits. Again, using third parties to do this gives different types of organizations or different types of customers or clients a perspective to operate from. I've got the example here of using consumer reports, or similar products or services like this. It's a way to gauge how well a product or service operates because other people are evaluating it. Other people are reviewing it. Other people have tested it. Or they're using this and they've got some feedback to offer. So, that's still valuable although it might not be as officially binding as someone who's doing a true third-party audit of an information system within your organization.

So we have different types of audits that we talked about, and now we have to think about the approach being slightly different for those different types. So some things are audits for products: making sure that your product has the right size, color and markings, for instance.
An example here would be toys that were pulled out of storage because they contained lead paint. China has been in the news many times over the years for producing unsafe products. Some of them are edible products. Trying to determine whether something is safe enough for consumption or for other types of use is an important thing to think about. Most likely, as a CISA, you're not going to be doing product audits, but you should be familiar with the concept.

Auditing a process, on the other hand, is more up the alley of someone who's a CISA or an auditor in general, because now you're looking at different considerations, like a business impact analysis. Or you're looking at a disaster recovery plan. Trying to understand the organization made a process, they made a procedure, they've documented what they want to do, does it actually work as intended? Is it producing the results that were intended? Is it repeatable? Is it something that if you give someone else this process or this documentation, can they pick this up and follow the steps and do the work? Those are some of the questions that you might be able to answer here.

Some other audit approaches: we have system audits. So you're trying to determine if the system is configured according to some standard that the organization defined, or it's configured to a standard which is defined by regulations. So, you're looking at the configuration of a system, how it's used, how you deal with preventative maintenance, how you deal with change control. When customers make requests, how is that handled? These are all things that should be looked at in detail and, you know, you might have to interview people, you might have to examine certain things, you may have to test certain things. Those are kind of your three main ways of doing this kind of work, or any kind of auditing work.
Financial audits: these are important for obvious reasons, especially when we go back to earlier discussions about the fraud that's taken place in many organizations around the world. You know, all the way up to the highest levels of the organization down to someone who's stealing out of the cash register. These are all different types of actions that might be detectable by doing a financial audit. You're looking at accounting methods, accounting results, making sure everything matches up correctly.

Then we have operational audits. This is verifying that the practices that your organization abides by for its day-to-day operations, your short, medium and long-term goals, the business logic, if you will. You're trying to verify that all of those operational aspects are being done correctly, that they were designed correctly and that you have some ability to measure the results.

Then we have integrated audits where you've got some blending of different audit types. Maybe financial audit blended with operational considerations, maybe also blended with system configuration audits. So there's lots of different ways you can approach this. Having some flexibility is important to the auditor and to the auditee.

I mentioned compliance audits earlier. So this is a great way to discover things that are not configured correctly, or things that weren't built correctly, or designed correctly. If you have a standard, like an ISO standard, for instance, you could compare that against what's actually discovered to see if something is in compliance. If it's not in compliance, then that constitutes a finding, and some action would need to be taken as a result.

We have administrative audits. This is making sure that we've got all the procedures in place that are required for the organization to do its different tasks and making sure that we can produce the required documentation that supports all of these administrative tasks.
And then we have system certification and accreditation, C&A, otherwise known as. The certification and accreditation process is now moving to an assessment and authorization process. That's something you learn more about if you study risk management framework. But that kind of goes very well with a compliance audit. These two go together fairly well. So you can configure systems, configure your security controls and then do a compliance audit to make sure that they're actually done correctly, that they're working correctly. And that kind of folds also into what's known as continuous monitoring. That's a little bit beyond the scope of this course, but it gives you the idea that you can continuously monitor the controls that are protecting your systems to make sure that they're working as intended.

Then, what about surveillance audits? Some kind of a check-up being done at a regular interval, or maybe it's being done as a surprise. Surprise surveillance audits are probably the most effective at discovering true problems. Again, going back to what I mentioned earlier, if the person or system being audited gets too much advance notice, then they might have time to fix things beforehand that would have been discovered otherwise.

So, what kind of responsibility do you have as an auditor? There is the fiduciary relationship with the organization. Some financial aspect of what the auditor does in relation to the organization needs to be understood. So if we think about it, it is that, from the auditor's point of view, the goals of the organization come before their own goals.
So it could be the case that the auditor has an opinion on certain things that they're finding and they might present that opinion with some well-reasoned arguments for why something might be improved or changed, but, ultimately, the organization has its own goals, stipulated by the top tier of leadership, of course, and the auditor needs to respect that relationship in order to do their job effectively. However, as I mentioned with the different types of fraud, the auditor must also place the highest importance on the actual truth, or the truth of their findings. That is, it must be the ultimate goal in reporting objectively and not allowing yourself to be biased or swayed by the auditee.

Alright, so let's talk now about the difference between an audit and an assessment. So the audit is a systematic inspection of the records, doing that low-level analysis, looking at the details, and with a nod to the outside auditor, or third-party auditor providing the most truthful or most objective results because they don't have any conflicts of interest, or they shouldn't have any conflicts of interest. An assessment, however, is not as formal as an audit. It's done less frequently as well but it's a way to identify whether or not some of the potential findings that an audit would discover are going to be a problem. So if you're doing an assessment report, a self-assessment, a vulnerability assessment, these are different ways to try to understand the security posture or the effectiveness of security controls, or other types of controls for financial systems, and how well those are working. So, if assessments are done, that supports when the actual audit is performed.

So there are obvious differences between the auditor and the auditee. The auditor is the one doing the work. The auditee is the person or the organization that's being audited, and then the client requests the audit.
So they have the authority to dictate the terms, how long it will take, how much money is allocated, and so on. So those are all things to keep straight as far as terminology goes.

So, things to think about to make sure that you are independent as an auditor, good questions to ask: are you auditing something that you helped develop or helped purchase or helped procure? That would be a conflict of interest, potentially, so that's something to think about. Making sure there are no conflicts or attitudes that the auditee might present to the auditor which could affect the results of the audit. If the auditee, for instance, was insisting on looking over the shoulder of the auditor, and second-guessing what they were doing, that would be a distraction and cause potential problems. So the auditor needs to be aware of that and be able to isolate themselves, if necessary, in order to get their work done without interference.

I mentioned already financial gain that the auditor needs to be aware of. If there's any chance that the information they uncover could present a conflict or present a chance for financial gain, then that needs to be acknowledged and dealt with. It could be that the auditor needs to excuse themselves and say, 'I can't do this because I've got too much conflict. You really should give this work to somebody else.' So sometimes that happens. A person with really high ethics would do that. Any kind of business deals, pending legal actions between the auditor and the auditee should be well understood before any activity is embarked upon. There shouldn't be a conflict with the job that the auditor's currently working, or the person they're working for. So if you're auditing your boss, in a sense, that could be a potential conflict. And we want to make sure that the auditor is not accepting any gifts or special favors, since that, as well, could affect the outcome of the audit.
The idea really is to be objective, impartial and professional so that there aren't problems. [/toggle_content]
Certified Information System Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.