Essential Audit Skills Learn How to Successfully Prepare and Perform Audits

www. SoftQualM.com©2009-2012 SoftQualM (Scotland) Ltd.

Essential Audit Skills

Learn How to Successfully

Prepare and Perform AuditsPresented by

Martin Holzke, Senior (IT) Auditor


AgendaPresenterMotivationPlanning the Audit Communication Performing the Audit Reporting RemediationResources


PresenterMartin Holzke

Director of SoftQualM (Scotland) Ltd Degree in Physics IT Consultant since 1991 IT Trainer since 1993 IT Auditor since 2003 Author of “Essential Audit Skills”


MotivationAudits are Assessments

Reality vs. Requirements, Expectations and

AssumptionsAudits can

Make all the Difference or Be a Waste of Resources


MotivationHands-on Experience

Customers, Colleagues, Trainees etc.Lack of Learning Resources

Loads on Domain Schemes (CISA, SOX etc.)

Little on Soft Skills Results

This High-Level Webinar Further Learning Resources


Planning the AuditThe Purpose of AuditsEstablishing the Scope of the AuditPreparing the AuditScheduling the Audit


Planning the AuditThe Purpose of Audits

Re-Assurance of Stakeholders Continuous Improvement Added Value

"Trust is good, control better."Vladimir Ilyich Lenin, Former Russian Leader


Planning the AuditEstablishing the Scope of the Audit

Scope? What Scope? Scoping Issues Documenting the Scope Reviewing the Scope


Planning the AuditExamples


Planning the AuditPreparing the Audit

Getting the Business Ready for the Audit Defining Reference Structures Keeping Evidence Defining the Audit Plan Managing Documents

“If it can’t be evidenced it doesn’t exist”


Planning the AuditScheduling the Audit

Who? What? When? Dependencies Testing Period Availability and Notification

Requirements Announcing the Schedule


Communication Communication is Key Involving the Right PeopleCreating the Right AtmosphereOpening and Closing Meetings

with Management


Communication Communication is Key

Jargon Free Language Respect Widen your Horizon


Communication Involving the Right People

Internal and External Stakeholders Management Subject Matter Experts Team Heads and Operators Auditors External Advisors


Communication Creating the Right Atmosphere

Personal Motivation Desire and Opportunity for Improvement Appreciation and Reward of Honesty No Blame Culture

“If it's going to come out eventually, better have it come out immediately.”

Henry A. Kissinger, Former US Secretary of State


Communication Opening and Closing Meetings

with Management Awareness Progress and Status Commitment Support


Performing the Audit Assessing Documentation and

Evidence Interviewing and Corroborative

Enquiry Sampling Approaches Identifying Exceptions and

Deficiencies


Performing the Audit Assessing Documentation and

Evidence Clerical Sufficiency Reprocessability

“If it can’t be evidenced it doesn’t exist”


Performing the Audit Examples

5. User Access to Systems and Applications5.1. All new and amended user access to any system or application

is governed under this policy and respective procedures listed under 5.10. For the avoidance of any doubt amended user access here includes revoking the same.

5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and send to the IT Security Officer.

5.3. Applications need to be authorised by signature of the respective employee’s line manager.

5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10.

5.5. Applications owners are responsible to ensure segregation of duties requirements are not violated when authorising access.

5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO.

...

5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.

Review of Oracle DBA AccountsReview performed by: Joe Smith, Manager Oracle Support Team

Review performed on: 01/12/2007

Oracle DB reviewed: ORAFI on UX10

List of DBA accounts obtained:MEYERMBLOGGJBROWNDORABCK

Observations:All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. Investigation of suspicious account ORABCK confirms requirement for extra privileges however well below DBA.

Actions: M. Meyer (RFC 001265643)

1Create DB role BCK2Remove DBA privileges from ORABCK3Grant role BCK to ORABCK

Conclusion:One exception noted and addressed.Successful completion TBC in next review due 01/01/2008.


Performing the Audit Interviewing and Corroborative

Enquiry Know-how Reliability Filling the Gaps Proof of Absence Observation Last Resort Alternative to Evidence


Performing the Audit Sampling Approaches

Sampling vs. Point-in-Time Sample Sizes Obtaining a Reliable Sample Resampling


Performing the Audit Identifying Exceptions and

Deficiencies What Constitutes an Exception? Formal, Design and Isolated Exceptions The “Sake” of Exceptions When does it become a Deficiency?


Reporting Establishing Documentation

Standards Creating Workpapers Compiling the Audit ReportAdding Recommendations for

Improvements


Reporting Establishing Documentation

Standards Branding and Uniformity Structure and Content Ease-of-Use and Completeness Template Libraries Naming Conventions File Types


Reporting Creating Workpapers

Templates Transparency Clerical Reprocessability Tabular Sample Assessments, Scans and

Screenshots as Supporting Evidence


ReportingExamples


Reporting Compiling the Audit Report

Test Results Exceptions and Deficiencies Management Comments Statistics Conclusion


Reporting Adding Recommendations for

Improvements Recommendations vs. Exceptions Always Room for Improvement Early Warning System

Subjects Business Processes and Evidence Education and Awareness Audit Structure


Audit Follow-ThroughManagement ResponseRoot Cause Analysis Remediation Re-Assessment Process Improvement


Audit Follow-Through Management Response

Acceptance and Remediation Acceptance without Remediation Rejection


Audit Follow-Through Root Cause Analysis

Cause Behind the Cause Systematic and Structural: 5 Whys Problem Management


Audit Follow-ThroughRemediation

Plan of Action Responsibilities Measurable Milestones Success Indicators Escalation


Audit Follow-Through Re-Assessment

On Reported Success of Corrective Action

Scope Schedule


Audit Follow-Through Process Improvement

“The audit of the audit” “There’a always room for improvement” “Nobody is perfect!”


ResourcesBooksTutoringCourses


ResourcesBooks by Martin Holzke

“Essential Audit Skills” ISBN 978-1-906972-03-5 (Paperback)ISBN 978-1-906972-06-6 (Kindle eBook)

“Oops-A-Daisy”ISBN 978-1-906972-01-1 (Paperback)ISBN 978-1-906972-07-3 (Kindle eBook)

www.softqualmpress.com


ResourcesTutoring

Standard Package to Accompany the Book

Tailored Coaching Packaging On-site, Distance Learning, In-house


ResourcesCourses

Full Range Hands-on Course (5 days) Tailored Courses on Selected Aspects On-site, Distance Learning, In-house


ResourcesUpcoming Series of 5 Webinars each

2 hours Coverage of One Domain Exercise to Take Home 26th & 31st July, 2nd, 7th & 9th August 2012 7PM UK Time (2PM Eastern, 12PM Pacific

Time) £49 (some €60 or US-$75) £195 for all 5 (some €240 or US-$300) plus

a free copy of the book “Essential Audit Skills”


The EndQ&A

Thanks for attending … I hope it was enjoyable …And You have gained from it.

Feel free to connect on LinkedIn.