Posted on 18-Dec-2015
www.SoftQualM.com © 2009-2012 SoftQualM (Scotland) Ltd.
Essential Audit Skills
Learn How to Successfully Prepare and Perform Audits
Presented by Martin Holzke, Senior (IT) Auditor
Agenda
Presenter
Motivation
Planning the Audit
Communication
Performing the Audit
Reporting
Remediation
Resources
Presenter
Martin Holzke
  Director of SoftQualM (Scotland) Ltd
  Degree in Physics
  IT Consultant since 1991
  IT Trainer since 1993
  IT Auditor since 2003
  Author of “Essential Audit Skills”
Motivation
Audits are Assessments: Reality vs. Requirements, Expectations and Assumptions
Audits can Make all the Difference or Be a Waste of Resources
Motivation
Hands-on Experience: Customers, Colleagues, Trainees etc.
Lack of Learning Resources: Loads on Domain Schemes (CISA, SOX etc.), Little on Soft Skills
Results: This High-Level Webinar, Further Learning Resources
Planning the Audit
The Purpose of Audits
Establishing the Scope of the Audit
Preparing the Audit
Scheduling the Audit
Planning the Audit
The Purpose of Audits
  Re-Assurance of Stakeholders
  Continuous Improvement
  Added Value
"Trust is good, control better." Vladimir Ilyich Lenin, Former Russian Leader
Planning the Audit
Establishing the Scope of the Audit
  Scope? What Scope?
  Scoping Issues
  Documenting the Scope
  Reviewing the Scope
Planning the Audit
Preparing the Audit
  Getting the Business Ready for the Audit
  Defining Reference Structures
  Keeping Evidence
  Defining the Audit Plan
  Managing Documents
“If it can’t be evidenced it doesn’t exist”
Planning the Audit
Scheduling the Audit
  Who? What? When?
  Dependencies
  Testing Period
  Availability and Notification Requirements
  Announcing the Schedule
Communication
Communication is Key
Involving the Right People
Creating the Right Atmosphere
Opening and Closing Meetings with Management
Communication
Communication is Key
  Jargon Free Language
  Respect
  Widen your Horizon
Communication
Involving the Right People
  Internal and External Stakeholders
  Management
  Subject Matter Experts
  Team Heads and Operators
  Auditors
  External Advisors
Communication
Creating the Right Atmosphere
  Personal Motivation
  Desire and Opportunity for Improvement
  Appreciation and Reward of Honesty
  No Blame Culture
“If it's going to come out eventually, better have it come out immediately.” Henry A. Kissinger, Former US Secretary of State
Communication
Opening and Closing Meetings with Management
  Awareness
  Progress and Status
  Commitment
  Support
Performing the Audit
Assessing Documentation and Evidence
Interviewing and Corroborative Enquiry
Sampling Approaches
Identifying Exceptions and Deficiencies
Performing the Audit
Assessing Documentation and Evidence
  Clerical
  Sufficiency
  Reprocessability
“If it can’t be evidenced it doesn’t exist”
Performing the Audit
Examples

5. User Access to Systems and Applications
5.1. All new and amended user access to any system or application is governed under this policy and the respective procedures listed under 5.10. For the avoidance of any doubt, amended user access here includes revoking the same.
5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and sent to the IT Security Officer.
5.3. Applications need to be authorised by signature of the respective employee’s line manager.
5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10.
5.5. Application owners are responsible for ensuring that segregation of duties requirements are not violated when authorising access.
5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO.
...
5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.

Review of Oracle DBA Accounts
Review performed by: Joe Smith, Manager Oracle Support Team
Review performed on: 01/12/2007
Oracle DB reviewed: ORAFI on UX10
List of DBA accounts obtained: MEYERM, BLOGGJ, BROWND, ORABCK
Observations: All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. Investigation of the suspicious account ORABCK confirms a requirement for extra privileges, however well below DBA.
Actions: M. Meyer (RFC 001265643)
  1. Create DB role BCK
  2. Remove DBA privileges from ORABCK
  3. Grant role BCK to ORABCK
Conclusion: One exception noted and addressed. Successful completion TBC in next review due 01/01/2008.
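The DBA account review above is a reconciliation that can be scripted so the workpaper is clerical and reprocessable. The following is an added example, not code from the webinar or the book: it reads a constructed CSV export shaped like Oracle's DBA_ROLE_PRIVS view, compares the DBA grantees with an assumed authorised roster in both directions, and records a hash of the evidence so a later reviewer can re-run the same check; the rows, roster and account names are constructed to match the sample workpaper.

```python
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample, mimicking a CSV export of Oracle's DBA_ROLE_PRIVS view
# (columns GRANTEE, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE). The account
# names follow the sample workpaper; the rows themselves are made up.
ROLE_PRIVS_EXPORT = """GRANTEE,GRANTED_ROLE,ADMIN_OPTION,DEFAULT_ROLE
MEYERM,DBA,YES,YES
BLOGGJ,DBA,NO,YES
BROWND,DBA,NO,YES
ORABCK,DBA,NO,YES
ORABCK,CONNECT,NO,YES
APPUSER,CONNECT,NO,YES
"""

# Reference structure (constructed): accounts of current Oracle Support Team
# members with DBA duties, kept as evidence alongside the export.
AUTHORISED_DBAS = {"MEYERM", "BLOGGJ", "BROWND"}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str  # "unauthorised DBA grant" or "roster entry without DBA grant"


def dba_grantees(export_text: str) -> set[str]:
    """Accounts holding a direct DBA role grant in the export."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["GRANTEE"].strip().upper() for r in rows
            if r["GRANTED_ROLE"].strip().upper() == "DBA"}


def reconcile(export_text: str, authorised: set[str]) -> list[Finding]:
    """Compare DBA grantees with the roster in both directions."""
    found = dba_grantees(export_text)
    unauthorised = [Finding(a, "unauthorised DBA grant") for a in sorted(found - authorised)]
    stale_roster = [Finding(a, "roster entry without DBA grant") for a in sorted(authorised - found)]
    return unauthorised + stale_roster


def workpaper(export_text: str, authorised: set[str]) -> dict:
    """Clerical record that lets a later reviewer reprocess the same evidence."""
    findings = reconcile(export_text, authorised)
    return {
        "evidence_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
        "dba_accounts": sorted(dba_grantees(export_text)),
        "exceptions": [(f.account, f.kind) for f in findings],
        "conclusion": f"{len(findings)} exception(s) noted." if findings else "No exceptions noted.",
    }


if __name__ == "__main__":
    for key, value in workpaper(ROLE_PRIVS_EXPORT, AUTHORISED_DBAS).items():
        print(f"{key}: {value}")
```

On the constructed data the script flags ORABCK as the one unauthorised DBA grant, matching the workpaper's observation; a roster name with no DBA grant is reported separately so a stale roster is caught as well.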
Performing the Audit
Interviewing and Corroborative Enquiry
  Know-how
  Reliability
  Filling the Gaps
  Proof of Absence
  Observation: Last Resort, Alternative to Evidence
Performing the Audit
Sampling Approaches
  Sampling vs. Point-in-Time
  Sample Sizes
  Obtaining a Reliable Sample
  Resampling
Performing the Audit
Identifying Exceptions and Deficiencies
  What Constitutes an Exception?
  Formal, Design and Isolated Exceptions
  The “Sake” of Exceptions
  When does it become a Deficiency?
Reporting
Establishing Documentation Standards
Creating Workpapers
Compiling the Audit Report
Adding Recommendations for Improvements
Reporting
Establishing Documentation Standards
  Branding and Uniformity
  Structure and Content
  Ease-of-Use and Completeness
  Template Libraries
  Naming Conventions
  File Types
Reporting
Creating Workpapers
  Templates
  Transparency
  Clerical Reprocessability
  Tabular Sample Assessments
  Scans and Screenshots as Supporting Evidence
Reporting
Compiling the Audit Report
  Test Results
  Exceptions and Deficiencies
  Management Comments
  Statistics
  Conclusion
Reporting
Adding Recommendations for Improvements
  Recommendations vs. Exceptions
  Always Room for Improvement
  Early Warning System
  Subjects: Business Processes and Evidence, Education and Awareness, Audit Structure
Audit Follow-Through
Management Response
Root Cause Analysis
Remediation
Re-Assessment
Process Improvement
Audit Follow-Through
Management Response
  Acceptance and Remediation
  Acceptance without Remediation
  Rejection
Audit Follow-Through
Root Cause Analysis
  Cause Behind the Cause
  Systematic and Structural: 5 Whys
  Problem Management
Audit Follow-Through
Remediation
  Plan of Action
  Responsibilities
  Measurable Milestones
  Success Indicators
  Escalation
Audit Follow-Through
Re-Assessment
  On Reported Success of Corrective Action
  Scope
  Schedule
Audit Follow-Through
Process Improvement
  “The audit of the audit”
  “There’s always room for improvement”
  “Nobody is perfect!”
Resources
Books by Martin Holzke
  “Essential Audit Skills”: ISBN 978-1-906972-03-5 (Paperback), ISBN 978-1-906972-06-6 (Kindle eBook)
  “Oops-A-Daisy”: ISBN 978-1-906972-01-1 (Paperback), ISBN 978-1-906972-07-3 (Kindle eBook)
  www.softqualmpress.com
Resources
Tutoring
  Standard Package to Accompany the Book
  Tailored Coaching Packaging
  On-site, Distance Learning, In-house
Resources
Courses
  Full Range Hands-on Course (5 days)
  Tailored Courses on Selected Aspects
  On-site, Distance Learning, In-house
Resources
Upcoming Series of 5 Webinars
  Each 2 hours
  Coverage of One Domain
  Exercise to Take Home
  26th & 31st July, 2nd, 7th & 9th August 2012, 7PM UK Time (2PM Eastern, 12PM Pacific Time)
  £49 (some €60 or US-$75); £195 for all 5 (some €240 or US-$300) plus a free copy of the book “Essential Audit Skills”