Chandra Tandukar

Planning the audit

Updated: Jan 15, 2020

The effectiveness and efficiency of an audit depend on the robustness of its planning. The audit process consists of gathering evidence, evaluating the strengths and weaknesses of internal controls through field visits, and preparing an audit report with recommendations for remediation.


The basic concept of the audit process is described by the figure below:

Figure: Phases of Audit Process (Source: Information Systems Audit and Control Association, Inc. (ISACA), 2016)

The figure above is the comprehensive reference model of auditing established by ISACA in ITAF. Each of these phases is divided into several steps.


This blog covers the steps involved in planning an audit in detail, with an example. The steps are illustrated using a virtual environment set up in AWS.

1. Determine the audit subjects.

The auditor must identify and determine the area to be audited (e.g., a business function, system, or physical location). In our example, the audit subject is the AWS environment, i.e., the cloud environment that operates the web server, the SQL server, and the bastion server. Potential sources of information for this step are the risk assessment, organizational change plans, and legal or regulatory changes.

2. Define the audit objective.

After determining the audit subject, the next step of audit planning is defining the purpose of the audit. In the case of the AWS environment, the major objective is to ensure the confidentiality, integrity, and availability of the information and the system; assuring the system's compliance with legal and regulatory requirements is also a major concern. Here the governance framework, standards, policies, and procedures implemented in the AWS environment are the sources of information. Executive management and the risk assessment are further potential sources for defining the audit objective.

3. Set audit scope.

The next step of audit planning is to set the audit scope, which identifies the specific systems, functions, or units of the organization to be included in the review. The auditor gathers overall information about the scenario and sets the evaluation criteria. In the case of the AWS environment, the scope can be limited to a security audit of the environment that excludes the operating system and the internal environment of the system. Focusing on the security compliance of the system within a limited period of time is also a way of setting the scope.

4. Perform pre-audit planning.

The fourth step of planning an audit is pre-audit planning, which focuses on conducting a risk assessment and determining the final scope of the audit on the basis of that assessment. In this step the audit team is formed, based on the skills and resources needed, the roles and responsibilities of the team, the time frame, the budget, and the sources of information. In the case of the AWS environment, the structure of the AWS deployment can be mapped using the organizational chart, the risk assessment, and the SLAs.


5. Determine audit procedures and steps for data gathering.

In this final planning step, the audit team selects an approach, develops a strategy based on the information gathered so far, and develops an audit program. Data are gathered according to the specific department's policies, standards, and guidelines, the compliance requirements, interviews, and the chosen methods and methodology.


In summary, during audit planning the IS auditor must gain an understanding of the business's mission, objectives, purposes, and processes. He/she should understand changes in the business environment and identify the applicable policies, standards, laws and regulations, guidelines, procedures, and organizational structure. He/she must review prior audit work and perform a risk analysis that will shape the audit plan. He/she must determine the personnel and logistics required, using an appropriate approach. Finally, he/she must understand IS controls and select the controls that satisfy the criteria of effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability.


Once audit planning is complete, fieldwork and documentation are carried out, followed by reporting and follow-up.


The next blog will cover the details about the fieldwork and reporting of the audit.



Sources:

Amazon Web Services, Inc. (2020). AWS Security Audit Guidelines. Retrieved from AWS Security Audit Guidelines - AWS General Reference: https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html


Information Systems Audit and Control Association, Inc. (ISACA). (2016). Information Systems Auditing: Tools and Techniques. USA: Information Systems Audit and Control Association, Inc. (ISACA).

ISACA. (2016). CISA Review Manual 26th Edition. USA: ISACA.

