In this blog, I will try to give an overview of the steps to follow when you have to perform an audit. I immediately jump into the best practices and will not overwhelm you with theoretical definitions, conceptual ideas, methodologies, frameworks etc. If you want the theoretical stuff, just use Google or Bing to fulfil your needs.
Let’s get started!
1. First of all, the scope.
An important step is to clarify the scope of the assessment. What is the audit about? What has to be assessed? What are the boundaries? What is in scope? What is out of scope? If you make it SMART* you will avoid misinterpretations and keep your customer satisfied. To get things clear, hold some intake meetings with the stakeholders and ask for extra documentation and information. An audit is all about asking, listening and reading (and, at the end, a bit of writing).
*Specific – Measurable – Achievable – Relevant – Timebound
2. How do you start?
Don’t reinvent the wheel. There are several ways to audit an organization, department, (IT) project, process, engineered model etc. Use an existing, worldwide accepted framework. You can follow your own thoughts, ideas and approach on how to perform and execute an assessment, but your audit report will then be open to interpretation, which could undermine it.
Using such an accepted framework will not only guide you through the audit, it will also help you to identify what to assess and how to assess it:
- What the risk drivers and business benefits are
- What must be checked and verified
When you google, you will find more than one framework:
- CobiT – www.isaca.com
- MOF – https://technet.microsoft.com/en-us/solutionaccelerators/dd320379.aspx
- COSO – www.coso.org
In my humble opinion, CobiT is the best documented framework when you must audit IT processes. Lots and lots of information is available on the internet. The following steps in this blog are based on the usage of CobiT.
Choose the CobiT version (4.1 or 5) and carefully read the documentation. Take your time to understand the processes and control objectives you want to investigate. Make sure they fit in the scope of the audit. Decide which roles you want to speak to and ask your primary contact person for their names.
4. Compose a fact-based list
Before you start the interviews, it is very handy to compose a fact-based question list for each selected control objective. These questions will guide you through the interviews, make sure you ask the right questions and help you identify the strengths and weaknesses. The following example gives you an idea of some questions:
CobiT process DS11 Manage Data – control objective DS11.5 Backup and Restoration:
- Is a procedure on how to back up ‘data’ available and regularly reviewed/updated?
- Is a procedure on how to restore backups available and regularly reviewed/updated?
- Is an (automatic) process in place to back up ‘data’?
- Is monitoring of these backups in place, are issues reported and are actions defined to solve problems?
- Are issues logged and used for management, SLA … reporting purposes?
- Are responsibilities clear, communicated and well understood?
5. Interviews, documents and interviews
If you don’t understand the answer to your question, ask for more detail (and keep asking until you’re satisfied). Keep in mind that the interviewee understands the assessed subject while you are the uninformed one. Get to the bottom of the subject. Ask for supporting documents (evidence) to verify what you have been told.
6. Pre and post processing
Before the interview, make sure all questions are in place and you are well prepared. Afterwards, map the answers onto your predefined list, add comments and give a ‘score’. CobiT provides a maturity level that allows you to determine which processes are under control and which processes represent (potential) pain points. Depending on the CobiT version, the maturity levels can differ slightly.
The table below shows the CobiT 4.1 maturity levels:
| Level | Name | Description |
|---|---|---|
| 0 | Non-existent | Management processes are not applied at all |
| 1 | Initial/Ad hoc | Processes are ad hoc and disorganized |
| 2 | Repeatable | Processes follow a regular pattern |
| 3 | Defined | Processes are documented and communicated |
| 4 | Managed | Processes are monitored and measured |
| 5 | Optimised | Best practices are followed and automated |
7. Ask for feedback
First of all, an audit is an independent (and official) examination (carried out by a neutral third party) to evaluate the internal control design and its effectiveness. Still, it is very useful and meaningful to regularly discuss the outcome with your primary stakeholder.
Ask for feedback to be sure you’re on the right track and that thoughts are aligned.
8. The audit report
Don’t lose time and start writing the report during the interview phase. With the interviews fresh in mind, it’s easier to write down the findings and recommendations. Afterwards you can always change certain chapters due to new insights.
Your audit report should contain the following chapters:
- Introduction and background
  - What is the background of the subject?
  - Explain what the document is about.
- Executive summary
  Write a short (maximum three A4 pages) high-level executive/management summary. Even if higher management isn’t interested in the details or doesn’t have the time to struggle through the document, they’re still interested in the high-level outcome. Sum up the most important recommendations (don’t get lost in details).
  - When did the assessment take place; which period?
  - Who were the interviewers and interviewees? Mention the role of the interviewees.
  - How? Briefly explain the chosen framework and which processes were identified in the assessment.
- Assessment details
  Per assessed CobiT process and control objective, write down the following:
  - Findings: What did the interviewees tell? Summarize this, stay objective and mention facts.
  - Recommendations: If applicable, write down, bullet point wise, what can/must be improved.
- Recommendations overview
  - Some audit reports add, at the end of the report, an overview of all recommendations.
- Inventory of all consulted documents
  - Add a chapter where you sum up all related documents. Mention the author, status, version, document name and document date.
- Information about the chosen framework
  - Add a bit of documentation about the used framework and where more information can be found.
9. Distribute final review
Make a stunning presentation about the audit. Present this to the stakeholders/board.
At last, after completing all steps, the final audit report is ready for distribution to all stakeholders!