Audit Risk (Incident Management)

Auditors must make judgments on the acceptable levels of audit risk. It is important to remember that the level of risk will vary across the different segments of the audit, because some systems are more susceptible than others to errors, ineffectiveness, inefficiency, and fraud.

As an example of how risk differs across audit segments, systems that handle cash are very susceptible to theft, whereas data processing systems are usually more susceptible to inefficient resource allocation. In planning an audit, the most difficult judgment is the level of acceptable risk for each audit segment; it is for this reason that auditors should be knowledgeable and experienced. Auditors must understand the control environment and its associated risks by examining the management and application controls already in place. For example, when auditors review system development activities, they seek to understand the controls associated with those tasks.

They attempt to understand the business processes, including components such as human expertise, information technology, communications, management controls, and application controls, so that they can assess the related vulnerabilities and attendant risks. By understanding processes, components, behavior, and intended results, auditors can recommend appropriate safeguards where any apply.

Planning the Audit
In order to conduct an audit properly, a comprehensive audit management plan must be crafted.

The audit management plan should be action oriented, listing the primary objectives to be accomplished. It should be tailored to the specific business unit or division being audited.

In drafting the audit management plan, a thorough review must be made of the organization's policies, with particular attention paid to risk management activities.

In crafting, developing, and implementing policies, procedures, and standards, the organization provides a process that governs the activities of its employees consistent with the organization's goals and objectives. In many cases laws, regulations, and other requirements affect how the organization must conduct all or part of its business processes. Risk management is an integral part of policy and procedure implementation. Auditing is essentially an impartial review of, and investigation into, the application of the organization's policies, procedures, and standards.

In crafting the audit management plan, the organization's strategic plan and objectives should be reviewed; the strategic plan is essentially the organization's basic guiding documentation. Depending on the business units being audited, their applicable policies, procedures, and standards should be carefully reviewed. Job descriptions, organizational charts, lines of reporting, lines of authority, and chains of command should also be made part of the information cache on which the audit management plan is based.

In some business environments, audit management planning requires the auditors to conduct a preliminary survey, using questionnaires, to establish an appropriate scope that addresses the relevant business risks, to develop the audit management plan, and to direct auditor activities within the audit program. Often senior audit managers prepare the questionnaires, also known as interrogatories, and send them to the appropriate senior managers of the audit target. When completed, the questionnaires give the auditors comprehensive visibility into the processes of the business unit.

These questionnaires help auditors identify the critical areas on which to focus their attention rather than taking a scattered, "shotgun" approach. As part of this preliminary survey, auditors should review systems and processes to identify the key controls already in place.

General questions that should be asked in preparing audit management plan questionnaires include, but are not limited to, the following:

What are the critical issues regarding this business unit's operation?

What are the critical assets of this business unit?

What are the critical management functions?

What are the critical applications?

Does this business unit process sensitive data?

What are the risks to the business unit?

What substantive steps have been taken to address these risks?

What processes are least tested in the business unit's daily operations? For example, if the business unit suffers frequent power outages and uses emergency power sources, including uninterruptible power supplies and emergency generators, to restore operations, then its power recovery requirements are likely to be well formulated and tested. A complete disaster recovery plan, however, may never have been tested and in fact may not exist at all. The audit management plan should be the governing document for getting the "biggest bang for the buck": it should direct audit effort toward the areas whose controls are least exercised.

Another valuable source for the development of an audit management plan is the review of previously performed audit reports. These documents often identify potential weaknesses that should have been corrected or addressed earlier. The audit management plan is merely that: an activity plan. It should address the areas to be evaluated and not much more. Audit programs differ from audit plans in that they are comprehensive documents delving into the audit's "nuts and bolts."

Exhibit 1 is a brief example of an audit management plan.

====================================================================


Audit Step

Planning

1. Discuss nature and scope of audit with key senior personnel

2. Discuss audit requirements with senior managers

3. Assemble required audit staff and build team

4. Draft comprehensive audit program

5. Draft initial budget


Reporting

1. Hold opening meeting with appropriate personnel at initiation of audit

2. Use standard audit reports format including compilation of audit findings and recommendations

3. Hold closing meeting with key managers to review draft of final audit report

4. Identify key senior managers in the event of reporting irregularities before audit conclusion


Preliminary Audit Steps

1. Identify key employee contacts for audit

2. Obtain appropriate organization and business unit documentation including

A. Strategic business plans

B. Relevant policies, procedures, and standards for the firewall administration unit

C. Relevant documentation needed to gain an understanding of the operations of the firewall administration unit


Audit Procedures

1. Understand unit's business practices and compare with organization's policies, practices, and standards

2. Understand and document business process flows

3. Interview pertinent employees in firewall administration unit to gain an understanding of their functions, risks, and other relevant issues


Testing

1. Testing will be performed to increase the auditor's understanding of the firewall administration unit's functions and activities

2. Testing will increase the auditor's understanding of the managerial and application controls

3. Auditor will test whether the relevant controls are operating correctly and consistently

4. Auditor will test the metrics used to manage firewall administration

5. Auditor will test the correct design, development, and implementation of the firewall administration function
