400 likes | 758 Views
Essential Audit Skills Learn How to Successfully Prepare and Perform Audits. Presented by Martin Holzke, Senior (IT) Auditor. Agenda. Presenter Motivation Planning the Audit Communication Performing the Audit Reporting Remediation Resources. Presenter. Martin Holzke
E N D
Essential Audit Skills Learn How to Successfully Prepare and Perform Audits Presented by Martin Holzke, Senior (IT) Auditor
Agenda • Presenter • Motivation • Planning the Audit • Communication • Performing the Audit • Reporting • Remediation • Resources
Presenter • Martin Holzke • Director of SoftQualM (Scotland) Ltd • Degree in Physics • IT Consultant since 1991 • IT Trainer since 1993 • IT Auditor since 2003 • Author of “Essential Audit Skills”
Motivation • Audits are Assessments • Reality vs. • Requirements, Expectations and Assumptions • Audits can • Make all the Difference or • Be a Waste of Resources
Motivation • Hands-on Experience • Customers, Colleagues, Trainees etc. • Lack of Learning Resources • Loads on Domain Schemes (CISA, SOX etc.) • Little on Soft Skills • Results • This High-Level Webinar • Further Learning Resources
Planning the Audit • The Purpose of Audits • Establishing the Scope of the Audit • Preparing the Audit • Scheduling the Audit
Planning the Audit • The Purpose of Audits • Re-Assurance of Stakeholders • Continuous Improvement • Added Value "Trust is good, control better." Vladimir Ilyich Lenin, Former Russian Leader
Planning the Audit • Establishing the Scope of the Audit • Scope? What Scope? • Scoping Issues • Documenting the Scope • Reviewing the Scope
Planning the Audit • Examples
Planning the Audit • Preparing the Audit • Getting the Business Ready for the Audit • Defining Reference Structures • Keeping Evidence • Defining the Audit Plan • Managing Documents “If it can’t be evidenced it doesn’t exist”
Planning the Audit • Scheduling the Audit • Who? What? When? • Dependencies • Testing Period • Availability and Notification Requirements • Announcing the Schedule
Communication • Communication is Key • Involving the Right People • Creating the Right Atmosphere • Opening and Closing Meetings with Management
Communication • Communication is Key • Jargon Free Language • Respect • Widen your Horizon
Communication • Involving the Right People • Internal and External Stakeholders • Management • Subject Matter Experts • Team Heads and Operators • Auditors • External Advisors
Communication • Creating the Right Atmosphere • Personal Motivation • Desire and Opportunity for Improvement • Appreciation and Reward of Honesty • No Blame Culture “If it's going to come out eventually, better have it come out immediately.” Henry A. Kissinger, Former US Secretary of State
Communication • Opening and Closing Meetings with Management • Awareness • Progress and Status • Commitment • Support
Performing the Audit • Assessing Documentation and Evidence • Interviewing and Corroborative Enquiry • Sampling Approaches • Identifying Exceptions and Deficiencies
Performing the Audit • Assessing Documentation and Evidence • Clerical • Sufficiency • Reprocessability “If it can’t be evidenced it doesn’t exist”
Performing the Audit • Examples • Review of Oracle DBA Accounts • Review performed by: Joe Smith, Manager Oracle Support Team • Review performed on: 01/12/2007 • Oracle DB reviewed: ORAFI on UX10 • List of DBA accounts obtained: • MEYERM • BLOGGJ • BROWND • ORABCK • Observations: • All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. • Investigation of suspicious account ORABCK confirms requirement for extra privileges however well below DBA. • Actions: • M. Meyer (RFC 001265643) • Create DB role BCK • Remove DBA privileges from ORABCK • Grant role BCK to ORABCK • Conclusion: • One exception noted and addressed. • Successful completion TBC in next review due 01/01/2008. • 5. User Access to Systems and Applications • 5.1. All new and amended user access to any system or application is governed under this policy and respective procedures listed under 5.10. For the avoidance of any doubt amended user access here includes revoking the same. • 5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and send to the IT Security Officer. • 5.3. Applications need to be authorised by signature of the respective employee’s line manager. • 5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10. • 5.5. Applications owners are responsible to ensure segregation of duties requirements are not violated when authorising access. • 5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO. • ... • 5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.
Performing the Audit • Interviewing and Corroborative Enquiry • Know-how • Reliability • Filling the Gaps • Proof of Absence • Observation • Last Resort Alternative to Evidence
Performing the Audit • Sampling Approaches • Sampling vs. Point-in-Time • Sample Sizes • Obtaining a Reliable Sample • Resampling
Performing the Audit • Identifying Exceptions and Deficiencies • What Constitutes an Exception? • Formal, Design and Isolated Exceptions • The “Sake” of Exceptions • When does it become a Deficiency?
Reporting • Establishing Documentation Standards • Creating Workpapers • Compiling the Audit Report • Adding Recommendations for Improvements
Reporting • Establishing Documentation Standards • Branding and Uniformity • Structure and Content • Ease-of-Use and Completeness • Template Libraries • Naming Conventions • File Types
Reporting • Creating Workpapers • Templates • Transparency • Clerical • Reprocessability • Tabular Sample Assessments, Scans and Screenshots as Supporting Evidence
Reporting • Examples
Reporting • Compiling the Audit Report • Test Results • Exceptions and Deficiencies • Management Comments • Statistics • Conclusion
Reporting • Adding Recommendations for Improvements • Recommendations vs. Exceptions • Always Room for Improvement • Early Warning System • Subjects • Business Processes and Evidence • Education and Awareness • Audit Structure
Audit Follow-Through • Management Response • Root Cause Analysis • Remediation • Re-Assessment • Process Improvement
Audit Follow-Through • Management Response • Acceptance and Remediation • Acceptance without Remediation • Rejection
Audit Follow-Through • Root Cause Analysis • Cause Behind the Cause • Systematic and Structural: 5 Whys • Problem Management
Audit Follow-Through • Remediation • Plan of Action • Responsibilities • Measurable Milestones • Success Indicators • Escalation
Audit Follow-Through • Re-Assessment • On Reported Success of Corrective Action • Scope • Schedule
Audit Follow-Through • Process Improvement • “The audit of the audit” • “There’a always room for improvement” • “Nobody is perfect!”
Resources • Books • Tutoring • Courses
Resources • Books by Martin Holzke • “Essential Audit Skills” ISBN 978-1-906972-03-5 (Paperback)ISBN 978-1-906972-06-6 (Kindle eBook) • “Oops-A-Daisy”ISBN 978-1-906972-01-1 (Paperback)ISBN 978-1-906972-07-3 (Kindle eBook) • www.softqualmpress.com
Resources • Tutoring • Standard Package to Accompany the Book • Tailored Coaching Packaging • On-site, Distance Learning, In-house
Resources • Courses • Full Range Hands-on Course (5 days) • Tailored Courses on Selected Aspects • On-site, Distance Learning, In-house
Resources • Upcoming Series of 5 Webinars each • 2 hours Coverage of One Domain • Exercise to Take Home • 26th & 31st July, 2nd, 7th & 9th August 2012 • 7PM UK Time (2PM Eastern, 12PM Pacific Time) • £49 (some €60 or US-$75) • £195 for all 5 (some €240 or US-$300) plus a free copy of the book “Essential Audit Skills”
The End • Q&A • Thanks for attending … • I hope it was enjoyable … • And You have gained from it. • Feel free to connect on LinkedIn.