Essential Audit Skills
Learn How to Successfully Prepare and Perform Audits
Presented by Martin Holzke, Senior (IT) Auditor
©2009-2012 SoftQualM (Scotland) Ltd. www.SoftQualM.com

Agenda
- Presenter
- Motivation
- Planning the Audit
- Communication
- Performing the Audit
- Reporting
- Remediation
- Resources

Presenter
- Martin Holzke of SoftQualM (Scotland) Ltd
- Degree in Physics
- IT Consultant since 1991
- IT Trainer since 1993
- IT Auditor since 2003
- Author of "Essential Audit Skills"
- Director

Motivation
- Audits are Assessments: Reality vs. Requirements, Expectations and Assumptions
- Audits can Make all the Difference or Be a Waste of Resources

Motivation
- Hands-on Experience: Customers, Colleagues, Trainees etc.
- Lack of Learning Resources: Loads on Domain Schemes (CISA, SOX etc.), Little on Soft Skills
- Results: This High-Level Webinar, Further Learning Resources

Planning the Audit
- The Purpose of Audits
- Establishing the Scope of the Audit
- Preparing the Audit
- Scheduling the Audit

Planning the Audit: The Purpose of Audits
- Re-Assurance of Stakeholders
- Continuous Improvement
- Added Value
"Trust is good, control better." Vladimir Ilyich Lenin, Former Russian Leader

Planning the Audit: Establishing the Scope of the Audit
- Scope? What Scope?
- Scoping Issues
- Documenting the Scope
- Reviewing the Scope

Planning the Audit: Examples
(slide carried no extractable text)
Planning the Audit: Preparing the Audit
- Getting the Business Ready for the Audit
- Defining Reference Structures
- Keeping Evidence
- Defining the Audit Plan
- Managing Documents
"If it can't be evidenced it doesn't exist"

Planning the Audit: Scheduling the Audit
- Who? What? When?
- Dependencies
- Testing Period
- Availability and Notification Requirements
- Announcing the Schedule

Communication
- Communication is Key
- Involving the Right People
- Creating the Right Atmosphere
- Opening and Closing Meetings with Management

Communication: Communication is Key
- Jargon Free Language
- Respect
- Widen your Horizon

Communication: Involving the Right People
- Internal and External Stakeholders
- Management
- Subject Matter Experts
- Team Heads and Operators
- Auditors
- External Advisors

Communication: Creating the Right Atmosphere
- Personal Motivation
- Desire and Opportunity for Improvement
- Appreciation and Reward of Honesty
- No Blame Culture
"If it's going to come out eventually, better have it come out immediately." Henry A. Kissinger, Former US Secretary of State

Communication: Opening and Closing Meetings with Management
- Awareness
- Progress and Status
- Commitment
- Support

Performing the Audit
- Assessing Documentation and Evidence
- Interviewing and Corroborative Enquiry
- Sampling Approaches
- Identifying Exceptions and Deficiencies

Performing the Audit: Assessing Documentation and Evidence
- Clerical Sufficiency
- Reprocessability
"If it can't be evidenced it doesn't exist"
Performing the Audit: Examples

Example policy excerpt (the reference the review is performed against):

5. User Access to Systems and Applications
5.1. All new and amended user access to any system or application is governed under this policy and the respective procedures listed under 5.10. For the avoidance of any doubt, amended user access here includes revoking the same.
5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and sent to the IT Security Officer.
5.3. Applications need to be authorised by signature of the respective employee's line manager.
5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10.
5.5. Application owners are responsible for ensuring that segregation of duties requirements are not violated when authorising access.
5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO.
...
5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.

Example review record (the evidence that the control operated):

Review of Oracle DBA Accounts
Review performed by: Joe Smith, Manager Oracle Support Team
Review performed on: 01/12/2007
Oracle DB reviewed: ORAFI on UX10
List of DBA accounts obtained: MEYERM, BLOGGJ, BROWND, ORABCK
Observations: All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. Investigation of the suspicious account ORABCK confirms a requirement for extra privileges, however well below DBA.
Actions: M. Meyer (RFC 001265643)
1. Create DB role BCK
2. Remove DBA privileges from ORABCK
3. Grant role BCK to ORABCK
Conclusion: One exception noted and addressed. Successful completion TBC in next review due 01/01/2008.
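The review record above states which DBA accounts were obtained and which corrective actions were raised, but not how the list was produced or how the actions and the follow-up check can be evidenced. The Oracle SQL below is an added example written for this page, not code from the slides or from SoftQualM; it assumes the ORAFI database, the ORABCK account and the BCK role from the review record, and uses Oracle's standard dictionary views DBA_ROLE_PRIVS, DBA_USERS and V$PWFILE_USERS. Two points go beyond the slide: DBA_ROLE_PRIVS lists only direct grants, so the query walks nested roles to catch users who hold DBA indirectly, and it also lists password-file SYSDBA/SYSOPER holders, who never appear as DBA role grantees. The privileges granted to BCK are an assumption, since the page says only "well below DBA".

```sql
-- Added example (not part of the original slides): evidence for a review of
-- Oracle DBA accounts and the corrective actions from the review record.
-- Run from a reviewer session on ORAFI; keep the output with the workpaper.

-- Step 1: who effectively holds DBA? Walk the role hierarchy so that a user
-- granted role X, where X itself holds DBA, is reported as a DBA holder.
WITH dba_holders AS (
  SELECT DISTINCT grantee
  FROM   dba_role_privs
  START WITH granted_role = 'DBA'
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
SELECT h.grantee, u.account_status, u.created
FROM   dba_holders h
JOIN   dba_users u ON u.username = h.grantee   -- keep users, drop intermediate roles
ORDER BY h.grantee;
-- On the page's data set (01/12/2007) this is where MEYERM, BLOGGJ, BROWND
-- and ORABCK would be listed.

-- Step 2: SYSDBA / SYSOPER via the password file are outside the DBA role
-- and must be reviewed separately.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- Step 3: anyone holding DBA WITH ADMIN OPTION can re-grant it; list them so
-- the review covers who can create new DBAs, not just who is one today.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    admin_option = 'YES';

-- Step 4: corrective actions raised under RFC 001265643.
-- The page does not list the privileges BCK needs; CREATE SESSION and
-- EXP_FULL_DATABASE are an ASSUMED illustration for an export-based backup
-- account. Replace them with the documented requirement before use.
CREATE ROLE bck;
GRANT CREATE SESSION TO bck;
GRANT EXP_FULL_DATABASE TO bck;   -- assumption, see above
GRANT bck TO orabck;              -- replacement role first ...
REVOKE dba FROM orabck;           -- ... then drop DBA, so backups never run unprivileged

-- Step 5: evidence for the re-assessment due 01/01/2008: ORABCK must hold BCK
-- and must no longer appear in the Step 1 result.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'ORABCK';
```

The example grants the replacement role before revoking DBA, which is the reverse of the order written in the review record; either order satisfies the action, but revoking first leaves the backup account without privileges until the grant runs. The Step 1 and Step 5 outputs, with date and reviewer, are the "clerical" and "reprocessable" evidence the Assessing Documentation slide asks for: a later reviewer can rerun the same statements and compare.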
Performing the Audit: Interviewing and Corroborative Enquiry
- Know-how
- Reliability
- Filling the Gaps
- Proof of Absence
- Observation: Last Resort Alternative to Evidence

Performing the Audit: Sampling Approaches
- Sampling vs. Point-in-Time
- Sample Sizes
- Obtaining a Reliable Sample
- Resampling

Performing the Audit: Identifying Exceptions and Deficiencies
- What Constitutes an Exception?
- Formal, Design and Isolated Exceptions
- The "Sake" of Exceptions
- When does it become a Deficiency?

Reporting
- Establishing Documentation Standards
- Creating Workpapers
- Compiling the Audit Report
- Adding Recommendations for Improvements

Reporting: Establishing Documentation Standards
- Branding and Uniformity
- Structure and Content
- Ease-of-Use and Completeness
- Template Libraries
- Naming Conventions
- File Types

Reporting: Creating Workpapers
- Templates
- Transparency
- Clerical Reprocessability
- Tabular Sample Assessments, Scans and Screenshots as Supporting Evidence

Reporting: Examples
(slide carried no extractable text)

Reporting: Compiling the Audit Report
- Test Results
- Exceptions and Deficiencies
- Management Comments
- Statistics
- Conclusion

Reporting: Adding Recommendations for Improvements
- Recommendations vs. Exceptions
- Always Room for Improvement
- Early Warning System
- Subjects: Business Processes and Evidence; Education and Awareness; Audit Structure

Audit Follow-Through
- Management Response
- Root Cause Analysis
- Remediation
- Re-Assessment
- Process Improvement
Audit Follow-Through: Management Response
- Acceptance and Remediation
- Acceptance without Remediation
- Rejection

Audit Follow-Through: Root Cause Analysis
- Cause Behind the Cause
- Systematic and Structural: 5 Whys
- Problem Management

Audit Follow-Through: Remediation
- Plan of Action
- Responsibilities
- Measurable Milestones
- Success Indicators
- Escalation

Audit Follow-Through: Re-Assessment
- On Reported Success of Corrective Action
- Scope
- Schedule

Audit Follow-Through: Process Improvement
"The audit of the audit"
"There's always room for improvement"
"Nobody is perfect!"

Resources
- Books
- Tutoring
- Courses

Resources: Books by Martin Holzke
- "Essential Audit Skills": ISBN 978-1-906972-03-5 (Paperback), ISBN 978-1-906972-06-6 (Kindle eBook)
- "Oops-A-Daisy": ISBN 978-1-906972-01-1 (Paperback), ISBN 978-1-906972-07-3 (Kindle eBook)
www.softqualmpress.com

Resources: Tutoring
- Standard Package to Accompany the Book
- Tailored Coaching Packages
- On-site, Distance Learning, In-house

Resources: Courses
- Full Range Hands-on Course (5 days)
- Tailored Courses on Selected Aspects
- On-site, Distance Learning, In-house

Resources: Upcoming
- Series of 5 Webinars, each 2 hours
- Coverage of One Domain
- Exercise to Take Home
- 26th & 31st July, 2nd, 7th & 9th August 2012, 7PM UK Time (2PM Eastern, 12PM Pacific Time)
- £49 (some €60 or US-$75); £195 for all 5 (some €240 or US-$300) plus a free copy of the book "Essential Audit Skills"
The End
Q&A
Thanks for attending. I hope it was enjoyable and you have gained from it.
Feel free to connect on LinkedIn.