Essential Audit Skills Learn How to Successfully Prepare and Perform Audits

1
Essential Audit Skills Learn How to
Successfully Prepare and Perform Audits

• Presented by
• Martin Holzke, Senior (IT) Auditor

2
Agenda

• Presenter
• Motivation
• Planning the Audit
• Communication
• Performing the Audit
• Reporting
• Remediation
• Resources

3
Presenter

• Martin Holzke
• Director of SoftQualM (Scotland) Ltd
• Degree in Physics
• IT Consultant since 1991
• IT Trainer since 1993
• IT Auditor since 2003
• Author of Essential Audit Skills

4
Motivation

• Audits are Assessments
• Reality vs.
• Requirements, Expectations and Assumptions
• Audits can
• Make all the Difference or
• Be a Waste of Resources

5
Motivation

• Hands-on Experience
• Customers, Colleagues, Trainees etc.
• Lack of Learning Resources
• Loads on Domain Schemes (CISA, SOX etc.)
• Little on Soft Skills
• Results
• This High-Level Webinar
• Further Learning Resources

6
Planning the Audit

• The Purpose of Audits
• Establishing the Scope of the Audit
• Preparing the Audit
• Scheduling the Audit

7
Planning the Audit

• The Purpose of Audits
• Re-Assurance of Stakeholders
• Continuous Improvement
• Added Value
• "Trust is good, control better."
• Vladimir Ilyich Lenin, Former Russian Leader

8
Planning the Audit

• Establishing the Scope of the Audit
• Scope? What Scope?
• Scoping Issues
• Documenting the Scope
• Reviewing the Scope

9
Planning the Audit

• Examples

10
Planning the Audit

• Preparing the Audit
• Getting the Business Ready for the Audit
• Defining Reference Structures
• Keeping Evidence
• Defining the Audit Plan
• Managing Documents
• If it cant be evidenced it doesnt exist

11
Planning the Audit

• Scheduling the Audit
• Who? What? When?
• Dependencies
• Testing Period
• Availability and Notification Requirements
• Announcing the Schedule

12
Communication

• Communication is Key
• Involving the Right People
• Creating the Right Atmosphere
• Opening and Closing Meetings with Management

13
Communication

• Communication is Key
• Jargon Free Language
• Respect
• Widen your Horizon

14
Communication

• Involving the Right People
• Internal and External Stakeholders
• Management
• Subject Matter Experts
• Team Heads and Operators
• Auditors
• External Advisors

15
Communication

• Creating the Right Atmosphere
• Personal Motivation
• Desire and Opportunity for Improvement
• Appreciation and Reward of Honesty
• No Blame Culture
• If it's going to come out eventually, better
  have it come out immediately.
• Henry A. Kissinger, Former US Secretary of State

16
Communication

• Opening and Closing Meetings with Management
• Awareness
• Progress and Status
• Commitment
• Support

17
Performing the Audit

• Assessing Documentation and Evidence
• Interviewing and Corroborative Enquiry
• Sampling Approaches
• Identifying Exceptions and Deficiencies

18
Performing the Audit

• Assessing Documentation and Evidence
• Clerical
• Sufficiency
• Reprocessability
• If it cant be evidenced it doesnt exist

19
Performing the Audit

• Examples

• Review of Oracle DBA Accounts
• Review performed by Joe Smith, Manager Oracle
  Support Team
• Review performed on 01/12/2007
• Oracle DB reviewed ORAFI on UX10
• List of DBA accounts obtained
• MEYERM
• BLOGGJ
• BROWND
• ORABCK
• Observations
• All accounts belong to current Oracle Support
  Team members with DBA duties except ORABCK.
• Investigation of suspicious account ORABCK
  confirms requirement for extra privileges however
  well below DBA.
• Actions
• M. Meyer (RFC 001265643)
• Create DB role BCK
• Remove DBA privileges from ORABCK
• Grant role BCK to ORABCK
• Conclusion
• One exception noted and addressed.

5. User Access to Systems and Applications 5.1. A
ll new and amended user access to any system or
application is governed under this policy and
respective procedures listed under 5.10. For the
avoidance of any doubt amended user access here
includes revoking the same. 5.2. All
applications for new or amended user access
require the current application form as
referenced under 5.10. to be completed and send
to the IT Security Officer. 5.3. Applications
need to be authorised by signature of the
respective employees line manager. 5.4. Access
to business applications additionally has to be
authorised by signature of the respective
application owner. The list of current
applications and respective owners is referenced
under 5.10. 5.5. Applications owners are
responsible to ensure segregation of duties
requirements are not violated when authorising
access. 5.6. Elevated access (sys admin etc.) to
corporate servers and network elements
additionally has to be authorised by signature of
the Head of CIO. ... 5.10. Additional
documentation referred to in this policy is
available from http//security.mycomp.com/useracce
ss/ on the corporate intranet.
20
Performing the Audit

• Interviewing and Corroborative Enquiry
• Know-how
• Reliability
• Filling the Gaps
• Proof of Absence
• Observation
• Last Resort Alternative to Evidence

21
Performing the Audit

• Sampling Approaches
• Sampling vs. Point-in-Time
• Sample Sizes
• Obtaining a Reliable Sample
• Resampling

22
Performing the Audit

• Identifying Exceptions and Deficiencies
• What Constitutes an Exception?
• Formal, Design and Isolated Exceptions
• The Sake of Exceptions
• When does it become a Deficiency?

23
Reporting

• Establishing Documentation Standards
• Creating Workpapers
• Compiling the Audit Report
• Adding Recommendations for Improvements

24
Reporting

• Establishing Documentation Standards
• Branding and Uniformity
• Structure and Content
• Ease-of-Use and Completeness
• Template Libraries
• Naming Conventions
• File Types

25
Reporting

• Creating Workpapers
• Templates
• Transparency
• Clerical
• Reprocessability
• Tabular Sample Assessments, Scans and Screenshots
  as Supporting Evidence

26
Reporting

• Examples

27
Reporting

• Compiling the Audit Report
• Test Results
• Exceptions and Deficiencies
• Management Comments
• Statistics
• Conclusion

28
Reporting

• Adding Recommendations for Improvements
• Recommendations vs. Exceptions
• Always Room for Improvement
• Early Warning System
• Subjects
• Business Processes and Evidence
• Education and Awareness
• Audit Structure

29
Audit Follow-Through

• Management Response
• Root Cause Analysis
• Remediation
• Re-Assessment
• Process Improvement

30
Audit Follow-Through

• Management Response
• Acceptance and Remediation
• Acceptance without Remediation
• Rejection

31
Audit Follow-Through

• Root Cause Analysis
• Cause Behind the Cause
• Systematic and Structural 5 Whys
• Problem Management

32
Audit Follow-Through

• Remediation
• Plan of Action
• Responsibilities
• Measurable Milestones
• Success Indicators
• Escalation

33
Audit Follow-Through

• Re-Assessment
• On Reported Success of Corrective Action
• Scope
• Schedule

34
Audit Follow-Through

• Process Improvement
• The audit of the audit
• Therea always room for improvement
• Nobody is perfect!

35
Resources

• Books
• Tutoring
• Courses

36
Resources

• Books by Martin Holzke
• Essential Audit Skills ISBN 978-1-906972-03-5
  (Paperback)ISBN 978-1-906972-06-6 (Kindle eBook)
• Oops-A-DaisyISBN 978-1-906972-01-1
  (Paperback)ISBN 978-1-906972-07-3 (Kindle eBook)
• www.softqualmpress.com

37
Resources

• Tutoring
• Standard Package to Accompany the Book
• Tailored Coaching Packaging
• On-site, Distance Learning, In-house

38
Resources

• Courses
• Full Range Hands-on Course (5 days)
• Tailored Courses on Selected Aspects
• On-site, Distance Learning, In-house

39
Resources

• Upcoming Series of 5 Webinars each
• 2 hours Coverage of One Domain
• Exercise to Take Home
• 26th 31st July, 2nd, 7th 9th August 2012
• 7PM UK Time (2PM Eastern, 12PM Pacific Time)
• 49 (some 60 or US-75)
• 195 for all 5 (some 240 or US-300) plus a
  free copy of the book Essential Audit Skills

40
The End

• QA
• Thanks for attending
• I hope it was enjoyable
• And You have gained from it.
• Feel free to connect on LinkedIn.