Audit Programs

Audit programs are guides specifically directing auditors' activities.

The audit program is a comprehensive, detailed document addressing the relevant audit areas, and in some cases, the methodology of the audit. It is an action-oriented document, with much more detail than the audit plan. An audit program has the following purposes:

  • Provides detailed communications to the intended recipients and audit team members of the audit objectives

  • Facilitates direction, scope, and control over the audit process; directs team members having specialized skills and knowledge to specific areas

  • Delivers a record of the audit process

  • Directs the collection of evidence in specific areas

  • Suggests the sampling methodology to be used in specific audit areas

  • Documents the professional due diligence of the audit process, including planning, fieldwork, and supervision

  • Becomes included in the auditors' work papers and is thereby maintained for future review

  • In some cases, it documents specific audit assignments

    Standard Audit Programs

    There are several standard security assessment or audit programs. There are certain advantages for auditors in using one of the standard audit programs:

  • They usually have a history of successful engagements and results.

  • They frequently have been adopted by industries as governing instruments.

  • They may save a significant amount of auditor resources by suggesting business operations to be tested.

    One of the most comprehensive standard information technology programs is the COBIT™ program. The Information Systems Audit and Control Association (ISACA) developed this program. It is a generally applicable and accepted standard for information and information technology control. COBIT is fully adaptable and applicable to enterprise-level and smaller-organization information technology areas. It starts from a control framework, it is management-oriented, and it is based on a critical review of tasks and activities regarding business operations.

    COBIT deals with three levels:

    1. Domain. This is a natural grouping of processes, often matching an organizational domain of responsibility.

    2. Processes. This is a series of joined activities with natural breaks.

    3. Activities. Actions needed to achieve a measurable result. Activities have a life cycle in which tasks are discrete.

    Control objectives domains are divided into four areas:

    1. Planning and organization

    2. Acquisition and implementation

    3. Delivery and support

    4. Monitoring

    One of the more popular security guidance standards is BS 7799, a British Standards Institute publication. It was submitted to the International Standards Organization, which published it as the Code of Practice for Information Security Management under the number ISO 17799 in 2000. [2]

    The stated purpose of 17799:2000 is to

    give recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.

    ISO 17799 is a general organizational management and best practices guide intended to deliver secure system operations. It is not applicable to all organizations and does not attempt to address all required internal controls. It generally covers the following areas:

  • Policies

  • Security architecture

  • Information controls

  • Human resources

  • Physical security matters

  • Access control

  • Business continuity procedures

    The United States government, through the National Institute of Standards and Technology (NIST), has several high-quality guidance publications relevant to security practices in information technology systems:

  • Generally Accepted Principles and Practices for Security Information Technology Systems

  • Security Issues in the Database Language SQL

  • Computer Security

  • Guidelines for Automatic Data Processing Physical Security and Risk Management

  • Guide for Developing Security Plans for Information Technology Systems

  • Engineering Principles for Information Technology Security

    These U.S. government documents are general, high-level documents adaptable to most organizational structures and functions. They can provide auditors with a variety of domains that should be considered when developing audit plans and programs.

    Audit Risk (Incident Management)

    Auditors must make judgments on the acceptable levels of audit risk. It is important to remember that the levels of risk will vary across the different segments of the audit, as there are systems that are more susceptible to errors, ineffectiveness, inefficiencies, and fraud.

    As an example of the different types of risk associated with different segments of the audit, systems involving the handling of cash are very susceptible to theft, whereas data processing systems are usually susceptible to inefficient resource allocation. In planning to manage audits, the most difficult judgment is the level of acceptable risk relevant to each audit segment. It is for this reason that auditors should be knowledgeable and experienced persons. Auditors must understand the control environment and the associated risks by examining the management and application controls already in place. For example, when auditors review system development activities, they are seeking to understand the controls that are associated with these tasks.

    They attempt to understand the business processes, including components such as human expertise, information technology, communications, management controls, and application controls, so they can assess the related vulnerabilities and attendant risks. By understanding processes, components, behavior, and intended results, auditors can provide appropriate safeguard recommendations, if any apply.

    Planning the Audit

    In order to conduct an audit properly, a comprehensive audit management plan must be crafted.

    The audit management plan should be action oriented, by listing the primary objectives to be performed. It should be tailored to the specific targeted business unit or division.

    In drafting the audit management plan, a thorough review must be made of the organization's policies, with particular attention paid to risk management activities.

    In the crafting, development, and implementation of policies, procedures, and standards, the organization is providing a process governing the activities of its employees consistent with the particular organization's goals and objectives. In many cases there are laws, regulations, and requirements affecting how the organization must conduct all or part of its business processes. Risk management is an integral part of policy and procedure implementation. Auditing is basically an impartial review and investigation into the application of the organization's policies, procedures, and standards.

    In crafting the audit management plan, the organization's strategic plan and objectives should be reviewed. This is essentially the basic guiding documentation for the organization. Depending on the business units that are being audited, their applicable policies, procedures, and standards should be carefully reviewed. Job descriptions, organizational charts, lines of reporting, lines of authority, and chains of command should be made part of the information cache used to form the basis of the audit management plan.

    In some business environments, audit management planning requires the auditors to conduct a preliminary survey through questionnaires to establish the appropriate scope addressing relevant business risks, develop the audit management plan, and direct auditor activities within the audit program. Often senior audit managers prepare questionnaires, also known as interrogatories, and send them to appropriate senior managers of the audit target. When completed, these questionnaires will provide the auditors with comprehensive visibility into the processes of the business unit.

    These questionnaires may help auditors identify critical areas on which they need to focus their attention rather than taking a scattered, "shotgun" approach. As part of this preliminary questionnaire survey, auditors should review systems and processes to identify key controls already in place.

    General questions that should be asked in preparing audit management plan questionnaires include, but are not limited to:

    What are the critical issues regarding this business unit's operation?

    What are the critical assets of this business unit?

    What are the critical management functions?

    What are the critical applications?

    Does this business unit process sensitive data?

    What are the risks to the business unit?

    What substantive steps have been taken to address these risks?

    What processes are least tested in the business unit's daily operations? For example, if the business unit suffers from frequent power outages and uses emergency power sources, including uninterruptible power supplies and emergency generators, to restore operations, then power recovery requirements are likely to be well formulated and tested. However, a complete disaster recovery plan may not be tested and, in fact, may not exist at all. The audit management plan should be the governing document for the "biggest bang for the buck."

    Another valuable source in the development of an audit management plan is the review of previously performed audit reports. Many times these documents will identify potential weaknesses that should have been corrected or addressed earlier. The audit management plan is merely that, an activity plan. It should address those areas to be evaluated, and not too much more. Audit programs are different from audit plans in that they are comprehensive documents delving into the audit's "nuts and bolts."

    Exhibit 1 is a brief example of an audit management plan.


    Audit Step


    1. Discuss nature and scope of audit with key senior personnel

    2. Discuss audit requirements with senior managers

    3. Assemble required audit staff and build team

    4. Draft comprehensive audit program

    5. Draft initial budget


    1. Hold opening meeting with appropriate personnel at initiation of audit

    2. Use standard audit reports format including compilation of audit findings and recommendations

    3. Hold closing meeting with key managers to review draft of final audit report

    4. Identify key senior managers in the event of reporting irregularities before audit conclusion

    Preliminary Audit Steps

    1. Identify key employee contacts for audit

    2. Obtain appropriate organization and business unit documentation including

    A. Strategic business plans

    B. Relevant policies, procedures, and standards for firewall administration unit

    C. Relevant documentation to gain an understanding of the operations of the firewall administration unit

    Audit Procedures

    1. Understand unit's business practices and compare with organization's policies, practices, and standards

    2. Understand and document business process flows

    3. Interview pertinent employees in firewall administration unit to gain an understanding of their functions, risks, and other relevant issues


    1. Testing will be performed to increase the auditor's understanding of the firewall administration unit's function and activities

    2. Testing will increase the auditor's understanding of managerial and application controls

    3. Auditor will test if relevant controls are operating correctly and consistently

    4. Auditor will test metrics to manage firewall administration

    5. Auditor will test the correct design, development, and implementation of firewall administration
