Audit Process
Jay Al Attar CISSP, CISA, ITIL
Senior Manager IT Audit & IT SOX @ Marqeta | CISA, CISSP, ITIL, Business Analytics
Audit Process:
I get asked this question on a daily basis: What is the typical audit process? So today I put together a high-level audit process to share with everyone. You might have a different audit process within your organization; I would appreciate it if you could share your thoughts and your favorite WP/GRC tools.
Upon receiving an audit, I review the objective with IT audit management and discuss the primary areas of focus / high-risk areas. The first process is the planning phase. During this phase, information is gathered and research is conducted on the area to be audited. Part of the research and planning addresses best practices, standards, and company policies. For example, if a particular system, application, software product or infrastructure component is being audited, the vendor website is checked for the recommended system/software configuration. This may include checking Microsoft, UNIX and IBM configuration standards, the PCI standard, COBIT, NIST, etc.
The second process involves scheduling the planning meeting with the IT management team. This includes explaining the audit process, timeline and areas of focus, and lastly obtaining IT contacts. Once this step has been completed, an information-gathering meeting with the IT team is held. The primary objective of this meeting is to gain a better understanding of the environment. Narratives are drafted from the information-gathering meeting and sent to the IT team for validation and updates where applicable.
Next, a draft of the scope memo is reviewed and approved by Audit management, after which a copy is sent to the IT team. Once this has been completed, fieldwork begins. This consists of preparing the initial document request list and sending it to IT with a deadline. An audit project is then created in the GRC or workpaper tool used by the company. TeamMate is my favorite.
Once the requested documents are returned, they are marked as received and reviewed. A daily status report, which includes follow-up questions and additional requests, is then prepared and sent to the IT team. A meeting with the IT team is held bi-weekly, or as needed, to discuss the audit progress and the findings/observations identified to date.
Once the fieldwork has been completed, a closing meeting is held with the IT team. In this meeting, the team is given an update on the audit results and findings. Findings are then risk-ranked, and the audit report is drafted and submitted to Internal Audit management for review/approval. The report is then sent to the company executives with all findings, recommendations, action plans and deadlines for mitigating every finding identified during the course of the audit. The audit is then closed in the GRC tool, and the findings are exported into a central database for tracking and future follow-up. A survey is sometimes shared with the auditee to collect recommendations for improving future audits.
Please share any thoughts you might have on your audit process and what you do differently in your Internal Audit department.
Jay Al Attar