
www. SoftQualM.com©2009-2012 SoftQualM (Scotland) Ltd.

Essential Audit Skills

Learn How to Successfully Prepare and Perform Audits

Presented by Martin Holzke, Senior (IT) Auditor

Agenda

- Presenter
- Motivation
- Planning the Audit
- Communication
- Performing the Audit
- Reporting
- Remediation
- Resources

Presenter

- Martin Holzke, Director of SoftQualM (Scotland) Ltd
- Degree in Physics
- IT Consultant since 1991
- IT Trainer since 1993
- IT Auditor since 2003
- Author of “Essential Audit Skills”

Motivation

- Audits are Assessments: Reality vs. Requirements, Expectations and Assumptions
- Audits can Make all the Difference or Be a Waste of Resources

Motivation

- Hands-on Experience: Customers, Colleagues, Trainees etc.
- Lack of Learning Resources: Loads on Domain Schemes (CISA, SOX etc.), Little on Soft Skills
- Results: This High-Level Webinar, Further Learning Resources

Planning the Audit

- The Purpose of Audits
- Establishing the Scope of the Audit
- Preparing the Audit
- Scheduling the Audit

Planning the Audit

The Purpose of Audits
- Re-Assurance of Stakeholders
- Continuous Improvement
- Added Value

"Trust is good, control better." Vladimir Ilyich Lenin, Former Russian Leader

Planning the Audit

Establishing the Scope of the Audit
- Scope? What Scope?
- Scoping Issues
- Documenting the Scope
- Reviewing the Scope


Planning the Audit

Examples

Planning the Audit

Preparing the Audit
- Getting the Business Ready for the Audit
- Defining Reference Structures
- Keeping Evidence
- Defining the Audit Plan
- Managing Documents

“If it can’t be evidenced it doesn’t exist”

Planning the Audit

Scheduling the Audit
- Who? What? When?
- Dependencies
- Testing Period
- Availability and Notification Requirements
- Announcing the Schedule

Communication

- Communication is Key
- Involving the Right People
- Creating the Right Atmosphere
- Opening and Closing Meetings with Management

Communication

Communication is Key
- Jargon Free Language
- Respect
- Widen your Horizon

Communication

Involving the Right People
- Internal and External Stakeholders
- Management
- Subject Matter Experts
- Team Heads and Operators
- Auditors
- External Advisors

Communication

Creating the Right Atmosphere
- Personal Motivation
- Desire and Opportunity for Improvement
- Appreciation and Reward of Honesty
- No Blame Culture

“If it's going to come out eventually, better have it come out immediately.” Henry A. Kissinger, Former US Secretary of State

Communication

Opening and Closing Meetings with Management
- Awareness
- Progress and Status
- Commitment
- Support

Performing the Audit

- Assessing Documentation and Evidence
- Interviewing and Corroborative Enquiry
- Sampling Approaches
- Identifying Exceptions and Deficiencies

Performing the Audit

Assessing Documentation and Evidence
- Clerical
- Sufficiency
- Reprocessability

“If it can’t be evidenced it doesn’t exist”

Performing the Audit

Examples

5. User Access to Systems and Applications

5.1. All new and amended user access to any system or application is governed under this policy and the respective procedures listed under 5.10. For the avoidance of any doubt, amended user access here includes revoking the same.

5.2. All applications for new or amended user access require the current application form as referenced under 5.10. to be completed and sent to the IT Security Officer.

5.3. Applications need to be authorised by signature of the respective employee’s line manager.

5.4. Access to business applications additionally has to be authorised by signature of the respective application owner. The list of current applications and respective owners is referenced under 5.10.

5.5. Application owners are responsible for ensuring that segregation of duties requirements are not violated when authorising access.

5.6. Elevated access (sys admin etc.) to corporate servers and network elements additionally has to be authorised by signature of the Head of CIO.

...

5.10. Additional documentation referred to in this policy is available from http://security.mycomp.com/useraccess/ on the corporate intranet.

Review of Oracle DBA Accounts

Review performed by: Joe Smith, Manager Oracle Support Team

Review performed on: 01/12/2007

Oracle DB reviewed: ORAFI on UX10

List of DBA accounts obtained: MEYERM, BLOGGJ, BROWND, ORABCK

Observations: All accounts belong to current Oracle Support Team members with DBA duties except ORABCK. Investigation of suspicious account ORABCK confirms a requirement for extra privileges, however well below DBA.

Actions: M. Meyer (RFC 001265643)

1. Create DB role BCK
2. Remove DBA privileges from ORABCK
3. Grant role BCK to ORABCK

Conclusion: One exception noted and addressed. Successful completion TBC in next review due 01/01/2008.
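The DBA account review above reduces to a reconciliation of who holds the DBA role against who is authorised to hold it, followed by a re-assessment once the corrective action is reported complete. The following is an added example, not part of the slides: it runs that check over a constructed export shaped like Oracle's DBA_ROLE_PRIVS view (grantee and granted role) and a constructed roster of authorised DBAs; the account names mirror the slide, and the role export, the roster and the REPORT1 account are assumptions.

```python
# Constructed export shaped like Oracle's DBA_ROLE_PRIVS view (GRANTEE,GRANTED_ROLE),
# as obtained for the slide's ORAFI review: four grantees hold the DBA role.
ROLE_PRIVS_BEFORE = """\
GRANTEE,GRANTED_ROLE
MEYERM,DBA
BLOGGJ,DBA
BROWND,DBA
ORABCK,DBA
REPORT1,CONNECT
"""

# Constructed export after the RFC's three actions (create BCK, revoke DBA, grant BCK).
ROLE_PRIVS_AFTER = """\
GRANTEE,GRANTED_ROLE
MEYERM,DBA
BLOGGJ,DBA
BROWND,DBA
ORABCK,BCK
REPORT1,CONNECT
"""

# Constructed roster: Oracle Support Team members with DBA duties (the authorising evidence).
AUTHORISED_DBAS = {"MEYERM", "BLOGGJ", "BROWND"}


def grants(csv_text: str) -> list:
    """Parse the CSV export into (grantee, role) pairs, skipping the header row."""
    return [tuple(line.split(",")) for line in csv_text.strip().splitlines()[1:]]


def dba_grantees(csv_text: str) -> list:
    """Accounts holding the DBA role, in export order (the 'list of DBA accounts obtained')."""
    return [g for g, role in grants(csv_text) if role == "DBA"]


def dba_exceptions(csv_text: str, authorised: set) -> list:
    """DBA grantees not on the authorised roster: each is an exception to investigate."""
    return [a for a in dba_grantees(csv_text) if a not in authorised]


def remediation_complete(csv_text: str, account: str, expected_role: str) -> bool:
    """Re-assessment check: the account no longer holds DBA and does hold the replacement role."""
    roles = {role for g, role in grants(csv_text) if g == account}
    return "DBA" not in roles and expected_role in roles
```

Running the check on the "before" export flags ORABCK as the single exception, and on the "after" export confirms the RFC's actions took effect, which is the evidence the next review needs.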

Performing the Audit

Interviewing and Corroborative Enquiry
- Know-how
- Reliability
- Filling the Gaps
- Proof of Absence
- Observation: Last Resort Alternative to Evidence

Performing the Audit

Sampling Approaches
- Sampling vs. Point-in-Time
- Sample Sizes
- Obtaining a Reliable Sample
- Resampling

Performing the Audit

Identifying Exceptions and Deficiencies
- What Constitutes an Exception?
- Formal, Design and Isolated Exceptions
- The “Sake” of Exceptions
- When does it become a Deficiency?

Reporting

- Establishing Documentation Standards
- Creating Workpapers
- Compiling the Audit Report
- Adding Recommendations for Improvements

Reporting

Establishing Documentation Standards
- Branding and Uniformity
- Structure and Content
- Ease-of-Use and Completeness
- Template Libraries
- Naming Conventions
- File Types

Reporting

Creating Workpapers
- Templates
- Transparency
- Clerical Reprocessability
- Tabular Sample Assessments
- Scans and Screenshots as Supporting Evidence


Reporting

Examples

Reporting

Compiling the Audit Report
- Test Results
- Exceptions and Deficiencies
- Management Comments
- Statistics
- Conclusion

Reporting

Adding Recommendations for Improvements
- Recommendations vs. Exceptions
- Always Room for Improvement
- Early Warning System
- Subjects: Business Processes and Evidence, Education and Awareness, Audit Structure

Audit Follow-Through

- Management Response
- Root Cause Analysis
- Remediation
- Re-Assessment
- Process Improvement

Audit Follow-Through

Management Response
- Acceptance and Remediation
- Acceptance without Remediation
- Rejection

Audit Follow-Through

Root Cause Analysis
- Cause Behind the Cause
- Systematic and Structural: 5 Whys
- Problem Management

Audit Follow-Through

Remediation
- Plan of Action
- Responsibilities
- Measurable Milestones
- Success Indicators
- Escalation

Audit Follow-Through

Re-Assessment
- On Reported Success of Corrective Action
- Scope
- Schedule

Audit Follow-Through

Process Improvement
- “The audit of the audit”
- “There’s always room for improvement”
- “Nobody is perfect!”

Resources

- Books
- Tutoring
- Courses

Resources

Books by Martin Holzke
- “Essential Audit Skills”: ISBN 978-1-906972-03-5 (Paperback), ISBN 978-1-906972-06-6 (Kindle eBook)
- “Oops-A-Daisy”: ISBN 978-1-906972-01-1 (Paperback), ISBN 978-1-906972-07-3 (Kindle eBook)

www.softqualmpress.com

Resources

Tutoring
- Standard Package to Accompany the Book
- Tailored Coaching
- Packaging: On-site, Distance Learning, In-house

Resources

Courses
- Full Range Hands-on Course (5 days)
- Tailored Courses on Selected Aspects
- On-site, Distance Learning, In-house

Resources

Upcoming Series of 5 Webinars
- Each 2 hours
- Coverage of One Domain
- Exercise to Take Home
- 26th & 31st July, 2nd, 7th & 9th August 2012, 7PM UK Time (2PM Eastern, 12PM Pacific Time)
- £49 (some €60 or US-$75)
- £195 for all 5 (some €240 or US-$300) plus a free copy of the book “Essential Audit Skills”


The End

Q&A

Thanks for attending … I hope it was enjoyable … and you have gained from it.

Feel free to connect on LinkedIn.