Author: Ed Gelbstein, Ph.D.

A young Certified Information Systems Auditor (CISA) asked for suggestions about where and how to start to plan an IS audit. As the question was not more specific than that, the reply was, “It all depends,” and a few questions had to be asked to better understand the context. There was agreement from the outset that the traditional general controls review would not be the best approach. This column presents the questions that would provide enough information to get started and the subsequent steps to come up with a realistic audit plan that adds value to the organization.

Basic Information Needs

If the auditor is a member of an internal audit organization, a good deal of information should be readily available and there will be colleagues able to share it and put it in context. This must include the definition of any applicable regulatory framework as well as any preferred audit standards (e.g., COBIT). If the audit is to be outsourced to an external entity, gathering the remaining information may prove more laborious.

Q1: Why has the audit been proposed or requested?
Q2: Describe the organization and its IS/IT. Small organizations constitute a special case: They will not have the resources to properly apply good practices (e.g., IT Infrastructure Library [ITIL]1 and Data Management Body of Knowledge [DMBOK]2), frameworks such as COBIT 5,3 or standards such as International Organization for Standardization (ISO) ISO 20000 (service management) or ISO 27000 (security). A previous column4 in this series addressed the special case of auditing small IT organizations.

Q3: What is the audit history?
Q4: What about metrics, performance and risk indicators? Lagging indicators are useful to determine trends (improvement or deterioration), but cannot be relied upon for predictions of future performance, which need leading indicators. COBIT 5 provides extensive descriptions of both lagging and leading indicators for each process it covers.

Q5: Describe the enterprise’s risk assessment and management program. As risk-based auditing combines business knowledge, risk assessment and strategic audit before deploying audit resources, it allows the internal audit function to focus on risk domains proportionate to the business’s potential exposures. A properly conducted risk assessment would, ideally, be based on a recognized framework such as COBIT 5 for Risk (there are other frameworks such as one from the US National Institute of Standards and Technology [NIST]5 and Operationally Critical Threat, Asset, and Vulnerability Evaluation [OCTAVE]6) and include a ranked register that can be used to identify which risk factors are dependent on information systems and services.

Findings

The answers to the five questions should provide a robust understanding of the starting point for the proposed audit. They may also raise additional questions. The absence of past audits, implemented recommendations, metrics and risk assessments is itself an important finding that should set the tone for the proposed audit.

Mapping the Information Collected Against the IS Audit Universe

The IS audit universe is undergoing a relentless expansion that, in turn, needs updated and new policies, practices, frameworks and audit guidelines. A high-level view of the current audit universe would include:
To this list one could add human factor issues such as ability to exploit systems and technologies, training and continuing education, and many more things that will be defined by the nature of the business. The information gathered from the responses to the previous section’s five questions should be analyzed and mapped against this list, which outlines the audit universe. This will help identify areas of greatest risk, gaps in coverage and IS/IT’s contribution.

Formulating a Draft Audit Plan

It is not sensible to believe that a small group of auditors (or even a large group) can do justice to all the items in the preceding list, and this means choices have to be made as to what gets audited and when. The mapping exercise in the previous section should deliver the information required to correlate the most important areas of business risk against the role that IS/IT plays in each of them. Once IS/IT’s role has been identified, it is up to the auditors, in discussion with risk managers and the CIO, to specify the scope and granularity of the audit, i.e., what merits auditing, the controls to be assessed and the rationale for doing so. Some of these risk areas may have no direct IS/IT component. For example, nongovernmental organizations providing humanitarian support (famine, medical, refugee assistance, war relief) in unstable regions may be more concerned with protecting their personnel from being taken hostage than with an IS service interruption. To limit this risk, their practices and controls consist of not providing data about their personnel online and advising them not to disclose information on social networks.

Discussing the Draft Plan

It is at this stage that it becomes possible to decide whether such an audit would be a sensible use of resources (of both audit and audit clients). This should be addressed first with the chief audit executive and then with the audit clients.
If agreement to proceed is reached, the next steps are to explore who will conduct the audit, when, who will need to be involved and how long it will take to complete the process.

Endnotes

1 Information Technology Infrastructure Library, www.itil.org.uk

Ed Gelbstein, Ph.D., 1940-2015