Audit: Planning

by admin

Previous article in series – Audit: Internal and External Audit Controls

In line with financial, compliance, regulatory, and other risk-related audits, the requirement for scoping and ensuring the appropriate focus and emphasis on components most relevant to cloud computing (and associated outsourcing) should include the following phases:

 

Define Audit Objectives

The high-level objectives should define the goals and resultant outputs from the audit:

  • Document and define audit objectives
  • Define audit outputs and format
  • Define frequency and audit focus
  • Define number of auditors and subject matter experts required
  • Ensure alignment with audit/risk management processes (internal)

Define Audit Scope

Ensure the audit has a core focus and operates with certain boundaries:

  • Document list of current services/resources utilized from cloud service provider(s)
  • Define key components of services (storage, utilization, processing, etc.)
  • Define cloud services to be audited (IaaS, PaaS, SaaS)
  • Define geographic locations permitted/required
  • Define locations for audits to be undertaken
  • Define key stages to audit (information gathering, workshops, gap analysis, verification evidence, etc.)
  • Document key points of contact within cloud service provider and internal to organization
  • Define escalation and communication points
  • Define criteria and metrics by which the cloud service provider will be assessed
  • Ensure criteria is consistent with the SLA and contract
  • Factor in “busy periods” or organizational periods (financial year end, launches, new services, etc.)
  • Ensure findings captured in previous reports or stated by the cloud service provider are actioned/verified
  • Ensure previous nonconformities/high-risk items are reassessed/verified as part of the audit process
  • Ensure any internal operational or business changes have been captured as part of the audit plan (reporting changes, governance, etc.)
  • Agree on final reporting dates (conscious of business operations and operational availability)
  • Ensure findings are captured and communicated back to relevant business stakeholders/executives
  • Confirm report circulation/target audience
  • Document risk management/risk treatment processes to be utilized as part of any remediation plans
  • Agree on an auditable process for remediation actions (ensuring traceability and accountability)

Refine Audit Process from Lessons Learned

To refine the audit process over time, an organization must ensure that previous reviews are adequately analyzed and acted upon, with the intention to streamline and obtain maximum value and complete coverage for future audits. The process of refinement will:

  • Ensure approach and scope are still relevant
  • Ensure audit criteria and scope are still accurate (factoring in any business changes)
  • Factor in where any provider changes have occurred
  • Ensure reporting details are sufficient to enable clear, concise, and appropriate business decisions to be made
  • Determine opportunities for reporting improvement/enhancement
  • Ensure that duplication of efforts is minimal (crossover or duplication with other audit/risk efforts)
  • Have a clear understanding of what levels of information/details could be collected using automated methods/mechanisms
  • Ensure the right skill sets are available and utilized to provide accurate results and reporting
  • Ensure that the plan, do, check, act (PDCA) cycle is also applied to the cloud service provider auditing planning/processes

The above listed phases may coincide with other audit-related activities depending on organizational structure or may be structured (often influenced by compliance and regulatory requirements) or reside with a single individual (not recommended).

To ensure that cloud services auditing is both effective and efficient, each of the above listed steps/phases should be undertaken either as standalone activities or as part of a structured framework.

Fieldwork

During the fieldwork phase, audit evidence is gathered by the auditor(s) by:

  • Interviewing staff, managers, and other stakeholders
  • Reviewing ISMS documents, printouts, and data
  • Observing ISMS processes in action
  • Checking system security configurations
  • Performing audit tests to validate the evidence as it is gathered

Analysis

The accumulated audit evidence is:

  • Sorted out and filed
  • Reviewed
  • Examined in relation to the risks and control objectives

Gap Analysis

Gap analysis offers a valuable and necessary function to begin benchmarking and identifying relevant areas where requirements are not met against specified frameworks or standards.

Typically, resources or personnel who are not engaged or functioning within the area of scope perform gap analysis. The use of independent or impartial resources is the best method to ensure no conflicts, favoritism, or existing relationships with the department personnel can dilute or in any way affect the findings (positively or negatively).

The gap analysis is performed by an auditor or subject matter expert against several listed requirements, which could range from a complete assessment to a random sample of controls (subset). The gap analysis results in a report highlighting the findings, including risks, recommendations, and level of conformity (or compliance) measured against the specified standards (ISO/IEC 27001:2013, PCI DSS, etc.)

Never underestimate the impact of an impartial resource or entity providing a report highlighting risks. Given that the report will most likely be signed off on or be required to be signed off on by a senior member of the organization, the report will prompt risk treatment and a process of work to remediate or reduce the identified and reported risks.

Gap Analysis Stages

Several stages (which can vary depending on the review) are carried out prior to commencing a gap analysis review, including:

  • Obtain management support
  • Define scope and objectives
  • Plan assessment schedule
  • Agree on a plan
  • Conduct information gathering exercises
  • Interview key personnel
  • Review evidence/supporting documentation
  • Verify information obtained
  • Identify the risks/potential risks
  • Document findings
  • Develop the report and recommendations
  • Present the report
  • Sign off/accept the report

Reporting

The following are sections of the final report on an ISMS audit:

  • Title: Title and introduction naming the organization and clarifying the scope, objectives, period of coverage, and the nature, timing, and extent of the audit work performed.
  • Executive summary: An executive summary indicating the key audit findings, a brief analysis and commentary, and an overall conclusion, typically along the lines of “We find the ISMS compliant with ISO/IEC 27001 and worthy of certification.”
  • Recipient list: The intended report recipients plus (since the contents may be confidential) appropriate document classification or restrictions on circulation.
  • Auditors’ credentials: An outline of the auditors’ credentials, audit methods, etc.
  • Audit findings: Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids comprehension.
  • Conclusions: The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed-upon plans depending on local practices.
  • Auditor statement: A formal statement by the auditors of any reservations, qualifications, scope limitations, or other caveats with respect to the audit.
  • Management notes: Depending on normal audit practices, management may be invited to provide a short commentary or formal response, accepting the results of the audit and committing to any agreed-upon actions.

Next article in series – Audit: Assurance Challenges of Virtualization and Cloud

Leave a Reply

Your email address will not be published. Required fields are marked *