Auditing Explained in IT & Information Security

Motasem Hamdan

What is Auditing

The purpose of audit processes is to determine the exact condition of a specific aspect of business operations. This is done by defining management goals that are made actionable through specific control objectives, and then evaluating or auditing the target function against these objectives. The resulting process focuses on a particular area of operation.

Traditional audits ensure accountability and control within an organization, requiring clear identification and frequent evaluation of a given resource. Thus, the goal of auditing is to always maintain a clear understanding of the status of an asset under management.

In principle, an audit is expected to:

  • Identify significant system elements/controls
  • Document control design
  • Evaluate control design
  • Evaluate operational effectiveness
  • Identify and remediate deficiencies
  • Document process and results; build sustainability

The audit starts with an initial review of all relevant aspects of the audit target, including the current system documentation. If this review reveals that the system lacks adequate controls, the audit should be halted at this point. This is a critical exit stage since audits are both costly and time-consuming.

However, if the system’s controls appear sufficient for auditing, an audit plan is created. Typically, the lead auditor drafts the plan, which is then approved by the client before proceeding. The audit officially begins with an opening meeting involving the auditee’s senior management. From this meeting, auditors prepare their working documents, such as checklists and forms. Checklists are used to assess system components, while forms are utilized to record observations and gather evidence. Auditors then collect evidence using these prepared documentation tools.

After completing the analysis and documentation, the audit team compiles a list of major nonconformities, based on the collected evidence, and ranks them according to priority. The auditors then form conclusions about how well the control system adheres to required policies and how effectively it meets its intended objectives. Before drafting the final audit report, the auditors review their evidence, observations, conclusions, and nonconformities with the auditee’s senior management.

The lead auditor is tasked with preparing the final report. Once completed, the report is sent to the client, who in turn forwards it to the auditee. The auditee is responsible for implementing the necessary actions to correct or prevent any identified nonconformities in the control system. Follow-up audits may be arranged to ensure that these corrective and preventive measures have been properly executed.

Audit Management

The nine standard elements of the conventional audit process are:

  1. Planning
  2. Approval of audit plan by initiator
  3. Conduct of an opening meeting
  4. Preparation for audit by auditors
  5. The examination and evidence collection
  6. Closing meeting and reporting
  7. Preliminary conclusions
  8. Problems experienced
  9. Recommendations

Additionally, it is essential to ensure that audit teams are fully capable of carrying out the audit tasks. This includes the responsibility of selecting qualified auditors and lead auditors. The selection process should be formally approved by a separate auditor evaluation panel.

The audit manager should select auditors who:

  • Understand the system standards that will be applied
  • Are generally familiar with the auditee’s products and services
  • Have studied the regulations that govern the auditee’s activities
  • Have the technical qualifications needed to carry out a proper audit
  • Have the professional qualifications needed to carry out an audit
  • Are suitably trained

Auditing Process Steps

The auditing process follows a series of logical, sequential steps. The first step is to establish the appropriate scope of the audit. This involves investigating, analyzing, and defining the relevant business processes. Audit targets include not only the platforms and information systems supporting these processes but also their connections with other systems. IT roles and responsibilities that may be examined encompass both in-house and outsourced organizational elements and functions, along with the related business risks and strategic decisions.

The next step involves identifying the specific information requirements that are particularly relevant to the business processes. In conjunction with this, it is necessary to identify the inherent IT risks and assess the overall level of control associated with the business process.

To carry this out properly, there is a need to identify the following:

  • Recent changes in the business environment having an IT impact
  • Recent changes to the IT environment, new developments, and so on
  • Recent incidents relevant to the controls and business environment
  • IT monitoring controls applied by management
  • Recent audit and/or certification reports
  • Recent results of self-assessments

Based on the information gathered, the relevant processes and the associated resources can be targeted for investigation. This may mean that certain key processes need to be audited multiple times, with each audit focusing on a different platform or system. The audit strategy should be shaped according to how the detailed audit plan needs to be further developed.

Finally, all the steps, tasks, and decision points to perform the audit need to be considered. That includes the following 16 considerations:

  1. Definition of audit scope
  2. Identification of the business process concerned
  3. Identification of platforms, systems and their interconnectivity, supporting the process
  4. Identification of roles, responsibilities, and organizational structure
  5. Identification of information requirements relevant for the business process
  6. Identification of relevance to the business process
  7. Identification of inherent IT risks and overall level of control
  8. Identification of recent changes and incidents in business and technology environment
  9. Identification of the results of prior audits, self-assessments, and certification
  10. Identification of monitoring controls applied by management
  11. Selection of relevant processes and platforms to audit
  12. Identification of the overall process architecture
  13. Itemization of resources
  14. Establishment of audit strategy
  15. Itemization of controls, by risk
  16. Identification of decision points

Beyond these considerations, there are audit steps that need to be performed to substantiate the risk of the control objective not being met. The objective of these steps is to support the audit report and to “shock” management into action where necessary. Needless to say, auditors have to be creative in finding and presenting this often sensitive and confidential information:

  • Document the control weaknesses, and resulting threats and vulnerabilities.
  • Identify and document the actual and potential impact; for example, through root-cause analysis.
  • Provide comparative information, for example, through benchmarks.

Why Is Auditing Required?

Audits are typically required by external organizations, such as regulatory bodies, to ensure compliance with established requirements. They can also be initiated by the organization itself to verify adherence to internal policies, regulations, and guidelines, or to conduct third-party verification of compliance with external standards or regulations. By definition, the auditor is an impartial third party, even when the audit is performed internally. Audits are more costly than reviews or assessments, so they are meticulously planned and resourced. Due to their formal nature, audits require careful scheduling, allocation of resources, and secure funding.

The selection of the auditor, along with the assignment of roles and responsibilities, follows a formal process aimed at ensuring the integrity of the audit. Information system assurance audits are conducted within a well-defined asset accounting and control framework that is both comprehensive and coherent for the specific aspect being controlled. These audits are based on clear objectives with measurable outcomes.

Information system security audits often rely on accounting and control models such as COBIT or ISO 27000 in the private sector, and NIST 800-53 in the public sector.

At the highest level, the overall audit approach is guided by the selected control model, which supports process classification and defines the audit process requirements. This includes guidelines for conducting IT process audits and the general control principles outlined in the model. The detailed audit guidelines for each IT process are usually provided in the main body of the relevant publication.

Conducting an Audit Process

The first step is to establish the correct scope of the audit. This involves investigating, analyzing, and defining the relevant business processes. The audit should cover the platforms and information systems that support these processes, along with their connections to other systems. It is also necessary to define IT roles and responsibilities, including those that have been outsourced, as this links the audit to related business risks and strategic decisions.

Next, the audit must identify the key information requirements related to the business processes. Following this, there is a need to assess the inherent IT risks and the overall level of control associated with the business process. This involves identifying any recent changes in the business environment that impact IT, as well as any updates to the IT environment, such as new developments. Additionally, any recent incidents relevant to controls and the business environment must be reviewed.

Based on the gathered information, the appropriate control processes from the audit template can be selected and customized, and the associated business resources can be targeted. This may require auditing specific parts of the business multiple times, with each audit focusing on a different platform or system. Finally, all necessary steps, tasks, and decision points for performing the audit must be considered. This includes defining the explicit audit scope, identifying the business processes, and documenting all platforms, systems, and their interconnections that support the process. It also involves clarifying roles, responsibilities, the organizational structure, and the information requirements essential to executing the process.

As previously mentioned, best-practice control objective requirements are too complex to create spontaneously, so standard control frameworks are used instead. The most commonly adopted frameworks are ISO 27000, COBIT, and NIST 800-53. These models reflect a shared body of knowledge based on best practices in information system management control, and all are supported by some form of audit process. The guidelines provided by these frameworks are expressed as a set of specific behavioral controls, tailored to each process, with each control function linked to a particular element of IT work.

These comprehensive strategic frameworks can be used by IT managers, staff, and auditors to ensure that IT functions operate correctly both internally and externally. More significantly, they convey best practices to business process owners. The framework is built around specifying a set of behavioral requirements called control objectives, which clearly define the actions needed to ensure effectiveness, efficiency, and economy in the use of IT resources. These control objectives translate the framework’s broader concepts into specific, actionable steps for each IT process.

Each process within the framework has corresponding detailed control objectives, which represent the minimum required controls. The approach involves using a small set of high-level control objectives to classify and focus efforts, then implementing these high-level objectives through specific control statements. Each control statement outlines the applicable control behaviors and is tied to a corresponding process or activity within the framework.

Cybersecurity Auditing Frameworks

COBIT (Control Objectives for Information and Related Technologies)

COBIT, developed by ISACA, is a framework for IT governance and management. It helps ensure that an organization’s IT infrastructure is aligned with business goals and adequately protected from cyber threats.

Components:

  • Governance and Management Objectives: 40 objectives covering various areas, from strategy to operations.
  • Processes and Practices: Focuses on creating value through IT by balancing risks, resources, and performance.
  • Maturity Models: Assess the maturity of an organization’s IT governance processes.

Key Strengths:

  • Aligns IT and business strategies.
  • Provides tools for risk management and performance optimization.
  • Focuses on governance and accountability.

ISO/IEC 27001

The ISO/IEC 27001 framework is a globally recognized standard for information security management systems (ISMS). It focuses on establishing, implementing, maintaining, and continually improving an organization’s ISMS.

Components:

  • Annex A: Lists security control objectives and controls.
  • Management System: Helps create a risk management process to address vulnerabilities.
  • ISMS Lifecycle: Plan, Do, Check, Act (PDCA) cycle for continuous improvement.

Key Strengths:

  • Certifiable: Organizations can achieve ISO 27001 certification.
  • Provides a comprehensive, systematic approach to managing sensitive information.
  • Promotes business continuity planning.
  • Compliance Focus: Data security, legal requirements, contractual obligations.

IT Auditing Frameworks

ITIL (Information Technology Infrastructure Library)

ITIL is a framework focused on IT service management (ITSM), helping organizations align IT services with the needs of the business. While not traditionally an auditing framework, ITIL provides key processes that are often audited for effectiveness and alignment.

Components:

  • Five Core Stages: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.
  • Service Lifecycle: Ensures that IT services are aligned with business objectives from inception through operation and retirement.

Key Strengths:

  • Strong focus on customer satisfaction and service delivery.
  • Provides best practices for optimizing IT services.
  • Promotes continual improvement and adaptability.
  • Audit Focus: IT service delivery, performance monitoring, change management, service level agreements (SLAs).


Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan