In this video Mike covers how a repeatable process will ensure your audit is complete and the results are meaningful.
- [Instructor] All right, let's talk about the need for an audit process and why it's a good idea to have a process in place in general, not just for auditing, but for many things. So it is important to have some kind of structured, documented series of steps to go through to do anything complex, and audits are no different. So you want to employ an audit process that, one, is repeatable. This is something you're going to have to do over and over again, as much as we like it. Audits are something you don't just do once and then you stop annoying people and you go away. Sadly, you've got to come back time after time and audit, typically on a regular basis.
Either it's quarterly or annually, or maybe it's based on some certain event that happens every now and then. Whatever that interval is, you're going to have to do it again, and you want to make sure you have something that can be done every time the same way: you can train people on how to do the audit, the auditors, and you can train people on how to be audited, here's the kind of information that auditors are going to want to see, here's the kind of time commitment that they're going to require from you during that audit, et cetera, et cetera. So that's very important. It's also very important to keep things organized. By having things all spelled out ahead of time: here's all the things we're going to be doing, here's all the resources we're going to need, here's all the human resources we're going to need, we're going to need access to Jim and Bob and Cindy from this team, we're going to have to interview such and such and such and such.
I can't tell you how many times I've been in an audit on both sides of the table, whether it's the audit person, the auditor running around actually doing the audit, or someone being audited, that we've had to wait on someone that wasn't available that was required for some important piece of the audit. Oh, Bob's not available this week and he's got no backup, so we just have to grind to a halt. By keeping organized, by having it all spelled out ahead of time you can avoid such a pitfall. Finally, you want to be trackable. You want to be able to produce work products from this process, this audit process, that you can refer back to and see how well we're doing.
You want to mature this over time. That's why we often keep talking in this course about the PDCA, the plan-do-check-act type of cycles, or the Deming cycles, so that we're constantly trying to improve and mature our process. Any process should be matured, and audit processes are big and complex and they're no different. So the basic audit process steps are, one, you want to define requirements. No matter what audit process or best practice documents you pull off the shelf, they're going to follow these basic steps. You're going to start with defining requirements.
So you and the governing body, whatever that governing body is, the board of directors, executive management, an audit committee, whoever it is, you'll figure out what it is that you want answered by this audit. What are those questions we want answered? Are we in compliance with such and such? Do we fall in line with this law? Are we achieving our goals here? What are those controls that we want tested? All of this has to be defined ahead of time, and this is where most people drop the ball: they don't do this well enough ahead of time.
They don't know really what the requirements are. Oh yeah, we're going to do a Sarbanes-Oxley, and oh, we're going to do a PCI audit. But they don't really understand what it is they're testing for, why they're testing for it, and what are the controls that we really need to look at. It's not just as simple as pulling some checklist off of the shelf; you really have to understand what it is and make sure that when you build that checklist you know what it is that should be on there. Two, the bulk of any audit is collecting evidence: going around interviewing people, testing things, looking at configurations, looking at log files, running scans, testing for certain software being installed, or licenses to be installed.
That's where the real grunt work comes in; where most audits spend most of the time is just collecting all the evidence. And then finally, you're going to determine whether something is or is not in compliance with those requirements. That's what an audit's really all about. Are we complying with what we're supposed to be complying with? Are we following these rules? Are we in compliance with this law? Are these controls in place? Are they sufficient? That's what the governing body, whoever it is, is going to want answered. And so really that's what any audit evolves into or is made up of.
So audit processes can answer the following questions. One, how do you know if your requirements are right? Well, having an audit process in place forces you to go through and create those requirements based on a step-by-step process that makes sense, based on some best practices, some industry best practices. So by forcing you to go through it, you can make sure you do that step right the first time. Two, how do you know if you've evaluated the entire enterprise? Have you made sure you've gotten everything that you need to include in this audit? Well, remember COBIT principle number two: cover the enterprise from end to end. That's an example of a best practice that makes sure you cover all the bits and pieces you need to within your enterprise.
Now another element of that is, how do you know if you've missed something? That doesn't just necessarily mean part of the enterprise, but potentially just something like this asset or that business process or this person: have we gotten to everything? By following a strictly defined process that has documented steps, that's been trained to everybody, both auditor and auditee, this is one way you can avoid it, having a process in place, a documented process in place based on best practices. Do you know if you've introduced any risk into your audit? Look, audits are big, complex things.
It's very easy to miss something, it's very easy, while auditing something, to open up some hole, it's very easy to introduce faulty data if you don't collect it the right way, or if you're not impartial, or if you don't sample correctly. There's a lot of things you can do to make mistakes that will give the governing body in that report a false impression of where things really are. So if you follow a process, and this is all about why it's a good idea to have a process in place, if you follow that process, this is one way to avoid all of those auditing-related risks.
Now when we talk about risk, it's good to mitigate those risks by simply implementing industry recognized best practices, by using those existing frameworks that are out there that you can download and use for inspiration on building your own audit process. So the ideal circumstances are, one, have some kind of independent verification of every aspect of the audit. Now what that typically means is somebody is going to be doing the work, and then somebody is going to be checking that person's work. We call that the two-person or the two-man rule.
Where someone does the work, someone checks them out. Now you may have it be the case where Bob does the work and Alice checks his work, and then Alice does some other task, and Bob checks her work. So you're sort of cross-checking each other. That's a good efficient use of talent and skills. Another thing is you want to have independent validators, meaning the people doing the validating of the audit work and the people who are doing the audits shouldn't be reporting to or in the reporting structure of the people they're auditing.
You don't want them to be working for the IT director, for example; they should be reporting directly to whatever the governing body is, whether it's the board, whether it's the executive management, whether it's some audit committee. They should have this independence. It's very important that auditors are independent from the people they're auditing. Use checklists, that's a big one. It's as simple as that. Write it all down, have it spelled out, have it trained into the people who are going to be actually going through this checklist, so that they know step by step what we're going to be doing. You can see ahead of time these are the things we're going to need to do, and you can check each one off the list and make sure you don't miss something.
It's a simple little thing, but man, is it valuable. You want to keep audit records. Record all the stuff you do and create those work products as you're going through this audit process, so you know exactly what's been done and how successful it was. This is a way you can go back and check to make sure that we've succeeded in a certain task, and we can mature it and make it better and more efficient for next time around. Once you've recorded these things, store them in some kind of secure archive, so that you can refer back to them time and time again and you can say, well, last year in the audit we did it this way and we had a measure of success.
This time, this year around, we did it a different way, we slightly matured the process, it's a bit more efficient, and we're getting better. And if we do it next year we should do it this way. It's one way to track a trend over time and figure out whether what you're doing makes sense, or whether it needs more attention, or when you need to change a process in some way. So keep those audit records, and then keep them in a secure archive. Now the "secure" part is not to be understated there. Listen, audit records are very sensitive things. They usually contain all the vulnerabilities, all the areas of security deficiencies, all the things that are going wrong in the environment, so it's a very, very juicy thing for an attacker to get ahold of, for example.
These are very sensitive documents oftentimes and they're really only for the eyes of the governing body. So keep them secure and keep them locked away and allow them to be the guide for maturing that process over time. But those are some very important reasons why you want to have a process not just for auditing, but for many things in general, auditing in particular, because audits tend to be very, very complex.
Note: This series was created by Human Element, Michael Lester, Jordan Genung, and Steve Bennett.