IS Auditing (my notes from the trenches)

AUDITING 'HOW-TO' KNOWLEDGE AND NOTES

Information Systems audit and Information Security audit are both abbreviated "IS", but they are different types of audit. One learns this only after being dropped into the world of security audit. This is the first share of what I have learned (informally), and it is what I continue to live by.

I plunged into the business of Information Security sometime in 2001 and used common sense to work out what I needed to do and how. ISACA publications helped, and of course the internet. Along the way it was necessary to observe and correlate what I saw with the reading and learning from these resources.

Many of you are privileged and lucky to have got jobs with audit firms where you were provided learning resources, templates and guidance, but not me! For me it was the School of Hard Knocks.

I am sharing pointers from my learning and will be happy to have inputs from all who read them, as it will help me to straighten out my own kinks and update my skillset too.

Thanks in advance. (Points are listed in no particular order.)

1. most important.

  • make sure you read about the company via their website and social media
  • do not forget to read up about the person who is leading the auditee team too !
  • do not rush; take your time. Write your notes clearly and properly (as you have planned), but remember that you need to finish in time, so do not be the reason the audit is delayed or held up
  • sticking to the schedule is important
  • always arrive on time, and this means arriving at least half an hour early
  • make notes during the audit (preferably on paper, and record the session as well)
  • if the questioning is control by control, then for each control make the note in the spreadsheet itself (include your own observations about the response and the auditee)
  • repeat a question if you do not understand the response
  • ask the auditee to explain if the response is not clear (you did not understand what was said)
  • make sure the notes have some 'meat'; they cannot be one-liners, as we cannot send one line in the final report
  • one's notes should be made with a justification or explanation, especially for a non-compliance
  • a non-compliance remark is a very sensitive issue and one has to tread softly; justification is essential, as is empathy with the auditee
  • when using a notepad and pen to make notes, use a new page for each section / department / process
  • use hybrid note taking (paper plus recording)
  • make final summary of the shortcomings

2. note taking

  • before you start taking notes of the audit proceedings, plan and design your notes/tasks template for the same, e.g. names of auditees, date, location, clause or control ref, what you observed, what you were told, cross reference to other person or process or department, etc. This will help you in collating the data when you are doing the final report.
  • the template can have sections for observations
  • highlight (important) issues with icons like a star, a checkmark, etc.
  • make a short list of categories (process, tech, people, mgmt, etc.) and put one against each noted comment. This is difficult, as you will be listening, making notes and conversing with the auditee at the same time
  • print the documents which are provided as evidence and write the shortcomings on the printout (this is easy when reviewing policy/procedure documents). You will find it useful to write some notes on the printout
  • if evidence is presented on screen, take a screenshot, paste it into a PPT slide or a table in a document, and write your comment against it
  • pen-and-paper notes plus digital recording will let you collate information for the final analysis and produce the best analysis and output

3. audio recording the notes

  • take permission from all present to record the session
  • then record the business being conducted for each department, and don't forget to get the names of the auditees as well as their designations (email and phone number too, just in case you want to connect later; even if you do not want to connect, this info can be included in the report)

Once, someone told me that as an auditor I should come back with issues (NCs), else I have not done my job. Personally, I do not believe that this should be my skill as an auditor! Witch hunter or what! I am happy being someone who goes in to assist in identifying SWOT and providing positive value.

NOTES Part 2

1. keep a blank template with the structure of your final report in hand before starting the audit / assessment (introduction, executive summary, objective, scope, findings, etc.)

  • at the end of the day, populate the findings / observations verbatim in the appropriate section of your report template (do not put this off for later!)
  • try to use keywords, as you may get responses from others which relate to the same control
  • keep populating a section which can be used as a Corrective Action Plan or Global Recommendations

2. manage overall shortcomings

  • make a column in your report template for your personal comments and observations
  • this will jog your memory about the interview, but remember to remove it before finalizing the report (along with your notes)
  • you can make a section on the strengths of the organization, populated with findings where you can give information about the good work being done
  • if there are any follow-up questions or evidence still to be collected, write them in a different color and put a target date as well as the name of the person who will be responsible

3. create your own marking system like checkmarks or crosses or colors

  • create your own marking system for compliant, NC, OFI, etc. so you are able to identify them easily in your notes (if possible use a different color pen or font, but that may slow down your note taking)
  • rather than different color pens, consider making columns in your notebook or in Excel to take notes
  • number the video/audio recordings in the same sequence as they are captured
  • make sure you read the documents provided by the client prior to the audit engagement, with special focus on the risk register
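The note-taking template and end-of-day collation described in sections 1 to 3 above, worked through as an added example (my illustration, not part of the original notes). Each note carries the template fields listed earlier (control ref, auditee, department, what was observed, what was told, category) plus the C/NC/OFI marking; the collation routine sorts notes into report sections and flags template gaps: an NC without justification, a one-line observation, or a follow-up with no owner or target date. The control references and interview content are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class AuditNote:
    """One row of the note-taking template (fields as suggested above)."""
    control_ref: str   # clause or control reference
    auditee: str
    department: str
    status: str        # marking system: "C", "NC" or "OFI"
    category: str      # process / tech / people / mgmt
    observed: str      # what you saw
    told: str          # what you were told
    justification: str = ""   # expected for every NC
    follow_up: str = ""       # open evidence request, if any
    owner: str = ""           # who chases the follow-up
    target_date: str = ""     # when it is due (YYYY-MM-DD)

def collate(notes):
    """Sort the day's notes into report sections; return (sections, gaps)."""
    sections = defaultdict(list)
    gaps = []
    for n in notes:
        if n.status == "NC":
            sections["findings"].append(n)
            sections["corrective_action_plan"].append(n)
            if not n.justification:
                gaps.append(f"{n.control_ref}: NC recorded without justification")
        elif n.status == "OFI":
            sections["findings"].append(n)
            sections["global_recommendations"].append(n)
        elif n.status == "C":
            sections["strengths"].append(n)
        else:
            gaps.append(f"{n.control_ref}: unknown marking {n.status!r}")
        if len(n.observed.split()) < 8:   # one-liners cannot go in the report
            gaps.append(f"{n.control_ref}: observation is a one-liner, add detail")
        if n.follow_up:
            sections["follow_ups"].append(n)
            if not (n.owner and n.target_date):
                gaps.append(f"{n.control_ref}: follow-up has no owner or target date")
    return dict(sections), gaps

# Constructed sample notes from a fictional day of interviews
SAMPLE = [
    AuditNote("A.5.1", "R. Iyer", "IT", "NC", "mgmt",
              "Policy document is dated 2019 and shows no review history or approval signature",
              "We review it yearly", justification="No evidence of annual review despite claim"),
    AuditNote("A.8.2", "M. Shah", "HR", "C", "process",
              "Access removal tickets for three recent leavers were closed within one working day",
              "Offboarding checklist is followed"),
    AuditNote("A.9.4", "R. Iyer", "IT", "OFI", "tech",
              "Password rules exist but are not enforced",
              "Enforcement is on the roadmap", follow_up="Get screenshot of AD policy",
              owner="R. Iyer"),  # no target date yet, so it will be flagged
]
```

Running `collate(SAMPLE)` puts the NC and the OFI under findings, the compliant note under strengths, and reports two gaps for the third note (the short observation and the missing target date).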

4. observation-weaknesses

  • stay within your scope; sometimes the questioning drifts until it sounds like you want to know about the business rather than assessing the process against the ISO controls
  • the objective of an audit is to identify SWOT and compliance / non-compliance

Remember that this will considerably slow you down in your audit and that may become a problem. So go to your drawing board and plan on how you will finish the questions diligently and be able to provide a good report. Your best friends will be the voice recording and the handwritten notes!

If you have any thoughts to add to this list please go ahead.

Along with this I suggest you get your hands on a copy of "ISO 19011:2018 Guidelines for auditing management systems" and imbibe the principles there too. Other suggested reading is the voluminous strategic and functional information shared by ISACA, The Institute of Internal Auditors Inc., and the many other resource sites online.

I do hope my notes will help some folks, and I would like your feedback. There may be mistakes which I have made, and it will be great if you can correct me too!

Srinivasan G Military Veteran (Lt Cdr Retd)

Military Leader | Information & Cyber Security Enthusiast | TCS | IIM Nagpur | CISM? | CEH? | CSM? | LSSGB? | DRDO-CIAP | CCIO | CPEW | CDAC-CNSS

4 months

Great insights rooting to Basics sir
