www.SoftQualM.com ©2009-2012 SoftQualM (Scotland) Ltd.

Essential Audit Skills
Learn How to Successfully Prepare and Perform Audits
Presented by Martin Holzke, Senior (IT) Auditor

Agenda
Presenter
Motivation
Planning the Audit
Communication
Performing the Audit
Reporting
Remediation
Resources

Presenter: Martin Holzke
Director of SoftQualM (Scotland) Ltd
Degree in Physics
IT Consultant since 1991
IT Trainer since 1993
IT Auditor since 2003
Author of “Essential Audit Skills”

Motivation: Audits are Assessments
Reality vs. Requirements, Expectations and Assumptions
Audits can Make all the Difference or Be a Waste of Resources

Motivation: Hands-on Experience
Customers, Colleagues, Trainees etc.
Lack of Learning Resources
Loads on Domain Schemes (CISA, SOX etc.)
Little on Soft Skills
Results
This High-Level Webinar
Further Learning Resources

Planning the Audit
The Purpose of Audits
Establishing the Scope of the Audit
Preparing the Audit
Scheduling the Audit

Planning the Audit: The Purpose of Audits
Re-Assurance of Stakeholders
Continuous Improvement
Added Value
"Trust is good, control better."
Vladimir Ilyich Lenin, Former Russian Leader

Planning the Audit: Establishing the Scope of the Audit
Scope? What Scope?
Scoping Issues
Documenting the Scope
Reviewing the Scope

Planning the Audit: Examples

Planning the Audit: Preparing the Audit
Getting the Business Ready for the Audit
Defining Reference Structures
Keeping Evidence
Defining the Audit Plan
Managing Documents
“If it can’t be evidenced it doesn’t exist”

Planning the Audit: Scheduling the Audit
Who? What? When?
Dependencies
Testing Period
Availability and Notification Requirements
Announcing the Schedule

Communication
Communication is Key
Involving the Right People
Creating the Right Atmosphere
Opening and Closing Meetings with Management

Communication: Communication is Key
Jargon Free Language
Respect
Widen your Horizon

Communication: Involving the Right People
Internal and External Stakeholders
Management
Subject Matter Experts
Team Heads and Operators
Auditors
External Advisors

Communication: Creating the Right Atmosphere
Personal Motivation
Desire and Opportunity for Improvement
Appreciation and Reward of Honesty
No Blame Culture
“If it's going to come out eventually, better have it come out immediately.”
Henry A. Kissinger, Former US Secretary of State

Communication: Opening and Closing Meetings with Management
Awareness
Progress and Status
Commitment
Support

Performing the Audit
Assessing Documentation and Evidence
Interviewing and Corroborative Enquiry
Sampling Approaches
Identifying Exceptions and Deficiencies

Performing the Audit: Assessing Documentation and Evidence
Clerical
Sufficiency
Reprocessability
“If it can’t be evidenced it doesn’t exist”

Performing the Audit: Examples

5. User Access to Systems and Applications
5.1. All new and amended user access to any system or application is governed under this policy and respective procedures listed under 5.10. For the avoidance of any doubt, amended user access here includes revoking the same.
5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and sent to the IT Security Officer.
5.3. Applications need to be authorised by signature of the respective employee’s line manager.
5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10.
5.5. Application owners are responsible to ensure segregation of duties requirements are not violated when authorising access.
5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO.
...
5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.

Review of Oracle DBA Accounts
Review performed by: Joe Smith, Manager Oracle Support Team
Review performed on: 01/12/2007
Oracle DB reviewed: ORAFI on UX10
List of DBA accounts obtained: MEYERM, BLOGGJ, BROWND, ORABCK
Observations: All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. Investigation of suspicious account ORABCK confirms requirement for extra privileges, however well below DBA.
Actions: M. Meyer (RFC 001265643)
1. Create DB role BCK
2. Remove DBA privileges from ORABCK
3. Grant role BCK to ORABCK
Conclusion: One exception noted and addressed. Successful completion TBC in next review due 01/01/2008.
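As an added example that is not part of the deck, the following Python reproduces the reconciliation behind the DBA account review workpaper above and the re-assessment it defers to the next review: who holds DBA versus who is authorised to, and whether the corrective action on ORABCK has actually closed. Only the account names and the RFC number come from the slide; the role exports and the staff roster are constructed sample data.

```python
"""Added example, not from the webinar deck: the reconciliation behind the
"Review of Oracle DBA Accounts" slide and its follow-up re-assessment.
Account names follow the slide; the role exports and the roster are
constructed sample data, not taken from any real system."""

# Constructed: account -> granted roles, as exported before the RFC.
# ORABCK is a backup service account holding far more than it needs.
ROLES_BEFORE_RFC = {"MEYERM": {"DBA"}, "BLOGGJ": {"DBA"},
                    "BROWND": {"DBA"}, "ORABCK": {"DBA"}}
# Constructed: the same export after the three actions under RFC 001265643
# (role BCK created, DBA revoked from ORABCK, BCK granted to ORABCK).
ROLES_AFTER_RFC = {"MEYERM": {"DBA"}, "BLOGGJ": {"DBA"},
                   "BROWND": {"DBA"}, "ORABCK": {"BCK"}}
# Constructed roster: Oracle Support Team members with DBA duties.
AUTHORISED_DBA_STAFF = {"MEYERM", "BLOGGJ", "BROWND"}


def review_dba_accounts(granted_roles, authorised):
    """Reconcile who holds DBA against who is authorised to hold it.

    Returns (dba_accounts, exceptions): the full list obtained for the
    workpaper, and the subset not covered by the roster. Every exception
    needs an observation and an action, as on the slide."""
    dba_accounts = sorted(acc for acc, roles in granted_roles.items()
                          if "DBA" in roles)
    exceptions = [acc for acc in dba_accounts if acc not in authorised]
    return dba_accounts, exceptions


def verify_remediation(granted_roles, account, revoked, replacement):
    """Re-assessment: the excess role is gone AND the narrow replacement is
    in place. A half-done change (BCK granted, DBA still held) fails."""
    roles = granted_roles.get(account, set())
    return revoked not in roles and replacement in roles


def workpaper(granted_roles, authorised):
    """The fields the slide's workpaper records, derived from the data
    rather than typed in, so the review is reprocessable."""
    dba_accounts, exceptions = review_dba_accounts(granted_roles, authorised)
    return {"dba_accounts_obtained": dba_accounts,
            "exceptions": exceptions,
            "conclusion": f"{len(exceptions)} exception(s) noted."}
```

Running review_dba_accounts on the before-RFC export flags ORABCK as the single exception, and verify_remediation on the after-RFC export returns True only once DBA is gone and BCK is present.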

Performing the Audit: Interviewing and Corroborative Enquiry
Know-how
Reliability
Filling the Gaps
Proof of Absence
Observation
Last Resort
Alternative to Evidence

Performing the Audit: Sampling Approaches
Sampling vs. Point-in-Time
Sample Sizes
Obtaining a Reliable Sample
Resampling

Performing the Audit: Identifying Exceptions and Deficiencies
What Constitutes an Exception?
Formal, Design and Isolated Exceptions
The “Sake” of Exceptions
When does it become a Deficiency?

Reporting
Establishing Documentation Standards
Creating Workpapers
Compiling the Audit Report
Adding Recommendations for Improvements

Reporting: Establishing Documentation Standards
Branding and Uniformity
Structure and Content
Ease-of-Use and Completeness
Template Libraries
Naming Conventions
File Types

Reporting: Creating Workpapers
Templates
Transparency
Clerical Reprocessability
Tabular Sample Assessments
Scans and Screenshots as Supporting Evidence

Reporting: Examples

Reporting: Compiling the Audit Report
Test Results
Exceptions and Deficiencies
Management Comments
Statistics
Conclusion

Reporting: Adding Recommendations for Improvements
Recommendations vs. Exceptions
Always Room for Improvement
Early Warning System
Subjects
Business Processes and Evidence
Education and Awareness
Audit Structure

Audit Follow-Through
Management Response
Root Cause Analysis
Remediation
Re-Assessment
Process Improvement

Audit Follow-Through: Management Response
Acceptance and Remediation
Acceptance without Remediation
Rejection

Audit Follow-Through: Root Cause Analysis
Cause Behind the Cause
Systematic and Structural: 5 Whys
Problem Management

Audit Follow-Through: Remediation
Plan of Action
Responsibilities
Measurable Milestones
Success Indicators
Escalation

Audit Follow-Through: Re-Assessment
On Reported Success of Corrective Action
Scope
Schedule

Audit Follow-Through: Process Improvement
“The audit of the audit”
“There’s always room for improvement”
“Nobody is perfect!”

Resources
Books
Tutoring
Courses

Resources: Books by Martin Holzke
“Essential Audit Skills”: ISBN 978-1-906972-03-5 (Paperback), ISBN 978-1-906972-06-6 (Kindle eBook)
“Oops-A-Daisy”: ISBN 978-1-906972-01-1 (Paperback), ISBN 978-1-906972-07-3 (Kindle eBook)
www.softqualmpress.com

Resources: Tutoring
Standard Package to Accompany the Book
Tailored Coaching Packages
On-site, Distance Learning, In-house

Resources: Courses
Full Range Hands-on Course (5 days)
Tailored Courses on Selected Aspects
On-site, Distance Learning, In-house

Resources: Upcoming Series of 5 Webinars
2 hours each
Coverage of One Domain
Exercise to Take Home
26th & 31st July, 2nd, 7th & 9th August 2012, 7PM UK Time (2PM Eastern, 12PM Pacific Time)
£49 (some €60 or US-$75); £195 for all 5 (some €240 or US-$300) plus a free copy of the book “Essential Audit Skills”

The End: Q&A
Thanks for attending … I hope it was enjoyable … and you have gained from it.
Feel free to connect on LinkedIn.