Audit Conferences: More (but Important) Meetings You Need to Attend

Opening Conferences

Opening conferences occur at the initiation of the audit. They should communicate the scope and objectives of the audit, introduce the audit staff, and present the agenda, schedule, and relevant handouts. In part, the conference is an opportunity to explain in professional terms the purpose and expected results of the audit to the employees who will be participating in it. The entrance conference should be attended by the directors or department heads responsible for the area being audited, the managers and their subordinates who work in the specific audit target, and any other appropriate senior employees.

A typical entrance conference will have an agenda similar to the following:

  • Welcome

  • Introduce auditors and related audit participants

  • Review audit objectives

  • Review audit steps

  • Review time schedule

  • Identify relevant points of contact for each step

  • Describe the audit process from the auditor's and target's perspective

  • Set up first contact appointments

  • Conclusion

Other Conferences

During the course of the audit, there will likely be reasons for other conferences. For example, if an auditor finds something of a fraudulent nature, it should be brought to the attention of senior managers immediately, behind closed doors. It is recommended that conferences between the entrance and exit conferences take place away from the eyes of employees; if held in view of employees, they tend to foster unwarranted speculation and damaging rumors. Conferences of this type should be scheduled away from the work area being audited. When reporting potential criminal activity, it is strongly recommended that the participants communicate through out-of-band means. Cellular telephones and other communications methods that do not use the organization's networks are the best out-of-band channels, because the subjects of the inquiry, or the administrators who support them, may be able to read e-mail and voice traffic on those networks. Involve the appropriate levels of staff, including senior managers, the legal unit, the security unit, and risk managers, in all such conferences.

One point of professional due diligence is to discuss the audit findings with the senior managers of the unit being audited toward the end of the audit. This gives them a chance to see any "hot grounders" headed their way. The managers' responses to the findings are an effective way of determining whether the auditors "hit their marks" with their work. Most senior managers are aware of their strengths and weaknesses before the audit takes place; often the audit results merely provide them with the motivation to take corrective action.

An end-of-audit conference provides a formal meeting of the minds and makes the audit's performance, as judged by the responding managers, a matter of record. If there are serious differences between the auditors' findings and the managers' responses, it may be that the auditors did not have a sufficient grasp of their material or were not diligent in their efforts. In the worst case, it could mean the senior managers were out of touch with their own business processes. In the former case, it is the responsibility of the audit managers to see that audit team members receive training to bring their skills up to par, or to find ways to motivate them to perform their tasks diligently.

Meetings whose purpose is to discuss preliminary findings give senior managers an informal opportunity to discuss the audit findings and recommendations. This is a useful technique for addressing significant findings, and it permits the participants to determine whether a follow-up audit will be needed.

Experience Note. 

In the case of significant, relevant findings or irregularities, it is strongly recommended that a follow-up audit be performed.

Usually, follow-up audits are very narrow in scope, focusing entirely on the significant findings of the previous audit. Follow-up audits are much abbreviated, do not have opening or closing conferences, and are staffed only with enough auditors to review the findings for compliance.

Experience Note. 

Remember, conference agendas, schedules, and notes are all part of the audit record and considered work papers. These documents should be archived because you never know who is going to request them.

Exit Conferences

The auditors have completed their work, the report is done, and it is time to bring the audit to a close. Often, auditors deliver a performance survey to the managers of the target business unit. Such surveys have the purpose of collecting information about the performance of the auditors and the audit in general. Audit managers commonly use these surveys in completing the auditors' performance appraisals.

The agenda below is typical of a closing conference:

  • Welcome

  • Review audit objectives

  • Review audit steps

  • Briefly review controls adequacy

  • Briefly review controls recommendations

  • Present draft report

  • Field any questions from the attendees

  • Conclusion

Summary of Audit Steps

By way of summary, here are some steps to successfully completing audits:

  • Preparation

    • Predication for audit, routinely scheduled or based on an allegation

    • Form audit team from qualified employees

    • Prepare audit management plan

    • Prepare and deliver preliminary questionnaires

    • Prepare audit program

    • Prepare audit budget

  • Field work

    • Entrance conference

    • Audit field work

    • Audit status conference

    • Prepare draft of report including senior management responses

    • Exit conference

  • Conclusion

    • Prepare final audit report

    • Complete audit performance survey

    • Schedule follow-up audit, if necessary

Audit Program for a Small IT Department

Exhibit 10 is an example of an audit program covering general controls for a small business' IT department. It will provide an example on which to build for future audits.

Exhibit 10: General Controls Review for IT Department


Information Technology General Controls Review Audit Program for XYZ Corporation

General Controls

Where applicable, review previous audit report findings and recommendations relevant to data processing activities. Ascertain whether appropriate corrective actions have been completed. Describe and document any and all corrective actions relevant to the previous audit's findings and recommendations.

Where applicable, review the findings and recommendations of regulatory agency reports applicable to the XYZ Corporation's information technology business processes. Describe and document the computer platforms used by the XYZ Corporation and the applications installed on each relevant platform. Information pertinent to computer platforms includes:

  • Equipment model

  • Manufacturer's name

  • Quantity

Information for installed software applications should include:

  • Name of the application

  • Vendor name/internally developed

  • Current version number

Document that an adequate hardware and software inventory has been completed within the last year. Ascertain, by sampling, whether the number of licenses held for each application corresponds to the number of installed copies.

IT Organization

Obtain the current organization chart and accompanying job descriptions for the Information Technology Unit. Ascertain that key functions (i.e., systems programming, application programming, computer operations) within the IT unit are appropriately segregated. Describe whether a doctrine of least privilege has been implemented in the IT unit.

Through interviews with IT personnel, evaluate proper segregation of critical processing functions.

Document and describe the function of the IT steering committee or an equivalent committee within the XYZ Corporation.

Data Processing Center Location

Evaluate the location of the data processing center and its position in the building in which it is lodged. By sampling and interview, determine that no combustible materials are stored on the floors surrounding the data processing center. Describe the fire suppression system and ascertain its adequacy in light of critical asset priorities.

Data Processing Center Access

Tour the data processing center. Describe and document measures that have been taken to restrict physical access to this center and the surrounding facilities including cabling closets, electrical facilities, and telecommunications closets.

Identify all entrances to the data processing center and ensure that each adequately restricts access. Ascertain if these doors are adequately alarmed for intruders and unauthorized exits.

Describe and document all measures requiring that data processing center visitors be screened for identification and purpose, sign in, and be accompanied at all times while visiting the XYZ Corporation office space.

Describe and document the surveillance and access-control methods, including but not limited to security guards and electronic card keys, used to restrict data processing center access.

Describe and document all computer environmental controls that have been installed and are active:

  • Fire suppression/control equipment

  • Uninterruptible power supplies attached to individual critical equipment

  • Emergency power system, e.g., generators

  • Temperature and humidity control equipment with appropriate redundancy relevant to employees and equipment

  • Emergency power switches

  • Smoke and water detectors

  • Emergency lighting for the data processing center and exits

Describe the steps taken to test and maintain the above equipment.

Describe and document the location of the system consoles used to operate the system; determine whether all are located within the data processing center and are secured from all but specifically authorized access.

Data and Information Security

Determine the existence of a data and information security policy. Ascertain whether this policy is communicated to and acknowledged by the appropriate employees. Obtain a copy of the information security policy and review it for adequacy of coverage. Consider whether the policy includes all types of data, electronic and paper-based alike, and whether it addresses ownership, confidentiality, integrity, and availability of information.

Determine how system resources (e.g., batch jobs, online transactions, datasets, and sensitive utilities) are protected on all computing platforms, including mainframe, minicomputer, and microcomputer. Identify all installed applications that provide their own security mechanisms. Ensure the following capabilities have been implemented:

  • Unique and nonsequential user identifications are assigned to all users

  • Unattended terminals are automatically logged off after five minutes of inactivity

  • Applications are configured requiring users to change passwords every 60 days or less

  • In sensitive areas, biometrics or tokens are required in addition to passwords

Document and describe the policies and procedures for requesting and removing access to systems. Document and evaluate the policies and procedures established to remove users from the system when an employee departs the XYZ Corporation. Document the policies and procedures for auditing the activities of departing employees over the 90 days before their actual departure. Document and describe to whom the results of these audits are provided.

Select a sample of at least five users defined to the system's security configuration and ensure that system access has been properly authorized and documented.

Select five datasets and document steps that ensure appropriate access has been implemented.

Observe the establishment of at least three new user accounts and document procedures.

Identify those users who have been granted administrative privileges over the security features. Document and describe the procedures for monitoring the activity of these privileged users. Verify the existence and regular review of user activity and transaction logs.
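Most of the criteria in this section (unique, nonsequential user identifiers; a password maximum age of 60 days or less; a session timeout of five minutes; removal of departed employees' access; the 90-day review of departing employees' activity; identification of privileged users) can be tested mechanically against an account export and an activity log rather than only by interview. The script below is an added example written for this page, not code from the book or from the XYZ Corporation audit program; the export format, the field names, the account records, the separation dates, and the log lines are all constructed assumptions so that it runs offline.

```python
"""Audit checks for the access-control criteria in the IT general controls
program above.  Added illustration, not code from the book; the export
format, field names, dates and log lines are constructed assumptions."""
from datetime import date, datetime, timedelta

MAX_PW_AGE_DAYS = 60        # "change passwords every 60 days or less"
IDLE_TIMEOUT_MINUTES = 5    # "logged off after five minutes of inactivity"
LOOKBACK_DAYS = 90          # "90 days before their actual departure"

# Constructed account export.  Assumed fields: user, uid, enabled,
# pw_max_days (system-enforced maximum password age), privileged flag.
ACCOUNTS = [
    {"user": "alice", "uid": 1001, "enabled": True,  "pw_max_days": 45, "privileged": True},
    {"user": "bob",   "uid": 1002, "enabled": True,  "pw_max_days": 90, "privileged": False},
    {"user": "carol", "uid": 1003, "enabled": True,  "pw_max_days": 60, "privileged": False},
    {"user": "dave",  "uid": 2500, "enabled": True,  "pw_max_days": 30, "privileged": True},
    {"user": "erin",  "uid": 1003, "enabled": False, "pw_max_days": 60, "privileged": False},
]
# Constructed HR separation dates.
DEPARTED = {"bob": date(2004, 3, 1), "carol": date(2004, 5, 15)}
# Constructed activity log, one event per line: "YYYY-MM-DD HH:MM user ACTION object".
ACTIVITY_LOG = """\
2003-11-01 09:12 bob LOGIN payroll
2004-01-15 17:45 bob EXPORT customer_db
2004-02-28 08:30 bob LOGIN payroll
2004-03-05 22:10 bob LOGIN payroll
2004-04-02 10:00 carol READ ledger
2004-05-20 11:11 alice LOGIN payroll
"""


def duplicate_uids(accounts):
    """Uniqueness test: UIDs shared by more than one account."""
    seen = {}
    for a in accounts:
        seen.setdefault(a["uid"], []).append(a["user"])
    return {uid: users for uid, users in seen.items() if len(users) > 1}


def sequential_uid_runs(accounts, min_run=3):
    """Nonsequential test: runs of consecutive UIDs at least min_run long,
    which make the next valid identifier guessable."""
    uids = sorted({a["uid"] for a in accounts})
    if not uids:
        return []
    runs, start = [], uids[0]
    for prev, cur in zip(uids, uids[1:] + [None]):
        if cur != prev + 1:            # run ends at prev
            if prev - start + 1 >= min_run:
                runs.append((start, prev))
            start = cur
    return runs


def password_age_violations(accounts, limit=MAX_PW_AGE_DAYS):
    """Enabled accounts whose enforced maximum password age exceeds the
    limit; 0 or None (never expires) is also a violation."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (not a["pw_max_days"] or a["pw_max_days"] > limit))


def departed_still_enabled(accounts, departed, as_of):
    """Accounts still enabled on or after the owner's separation date."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in departed and departed[a["user"]] <= as_of)


def departure_window_activity(log_text, departed, days=LOOKBACK_DAYS):
    """Events by departing employees within `days` before separation, and
    separately any events after separation (impossible once access is removed)."""
    before, after = {}, {}
    for line in log_text.splitlines():
        stamp, _time, user, action, obj = line.split()
        if user not in departed:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d").date()
        sep = departed[user]
        if sep - timedelta(days=days) <= when <= sep:
            before.setdefault(user, []).append((stamp, action, obj))
        elif when > sep:
            after.setdefault(user, []).append((stamp, action, obj))
    return before, after


def privileged_users(accounts):
    """Enabled users holding security-administration privileges, whose
    activity the program requires to be monitored and reviewed."""
    return sorted(a["user"] for a in accounts if a["privileged"] and a["enabled"])


def idle_timeout_compliant(configured_minutes, limit=IDLE_TIMEOUT_MINUTES):
    """Session-timeout setting: disabled (0) or longer than the limit fails."""
    return 0 < configured_minutes <= limit


if __name__ == "__main__":
    print("duplicate UIDs:", duplicate_uids(ACCOUNTS))
    print("sequential UID runs:", sequential_uid_runs(ACCOUNTS))
    print("password age > limit:", password_age_violations(ACCOUNTS))
    print("departed but enabled:", departed_still_enabled(ACCOUNTS, DEPARTED, date(2004, 6, 1)))
    print("departure-window / post-departure activity:", departure_window_activity(ACTIVITY_LOG, DEPARTED))
    print("privileged users to monitor:", privileged_users(ACCOUNTS))
```

Each function returns the exception list an auditor would carry into the work papers rather than a pass/fail verdict, because the program asks the auditor to document what was found, not merely whether the control held. The post-departure activity returned alongside the 90-day window is the more serious of the two results: it shows an account that was used after the access-removal procedure should have disabled it.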

Systems Development and Application Maintenance

Obtain an understanding of the systems development and change management processes. Document and describe the methodology the XYZ Corporation implemented for the development of new systems, including hardware and software. Document the adequacy of the methodology for procuring commercial off-the-shelf software systems.

Document and describe the adequacy of the Systems Development Life Cycle and consider the following elements:

  • User participation in all phases including feasibility, planning, development, implementation, monitoring and disposal

  • System testing

  • Certification and accreditation

  • Proper review and approval by appropriate officers at the completion of key stages in the SDLC

Select and sample five systems in the development life cycle process. Review documentation to determine compliance with the SDLC methodology.

Document and describe the application change management process. Review procedures to ascertain the status of the following functions:

  • Documenting the program change request, including feasibility, necessity, and implementation approvals

  • User approval of the system change request

  • System changes implemented into the production environment by employees not responsible for making the changes, thereby observing adequate separation of duties and least privilege

Select and sample five recently completed program changes and review the change management documentation for compliance with the organization's application program change policies and procedures.

Document and describe the existence and adequacy of a test environment for developing and testing changes and systems prior to their implementation into the production environment.

Document and describe the organization's emergency program change management procedures.

Select and sample five emergency program changes to determine compliance with the organization's established policies and procedures.
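The change-management tests above (documented request, feasibility, necessity and implementation approvals; user approval; separation of duties between the developer and the person who moves the change into production; and compliance of emergency changes with the emergency procedure) lend themselves to a scripted review of a sample of change records. The following is an added example written for this page, not code from the book or the XYZ Corporation program. The record fields, the sample records, and the assumption that the emergency procedure requires an after-the-fact review (the `post_review` field) are constructed for the illustration; the sampling seed is kept so the same five records can be re-drawn in a follow-up audit.

```python
"""Sample-and-test of program change records against the change-management
criteria in the audit program above.  Added illustration, not code from the
book; fields, records and the emergency post-review field are assumptions."""
import random

# Constructed change records, one per completed program change.  A real
# export from a change-ticketing system would carry the same evidence.
CHANGES = [
    {"id": "CR-101", "approvals": ["feasibility", "necessity", "implementation"],
     "user_approved": True, "developer": "alice", "implementer": "ops1",
     "emergency": False, "post_review": None},
    {"id": "CR-102", "approvals": ["feasibility", "necessity", "implementation"],
     "user_approved": True, "developer": "bob", "implementer": "bob",
     "emergency": False, "post_review": None},          # developer deployed own change
    {"id": "CR-103", "approvals": ["feasibility"],
     "user_approved": False, "developer": "carol", "implementer": "ops2",
     "emergency": False, "post_review": None},          # approvals and user sign-off missing
    {"id": "CR-104", "approvals": [],
     "user_approved": True, "developer": "dave", "implementer": "ops1",
     "emergency": True, "post_review": False},          # emergency change never ratified
    {"id": "CR-105", "approvals": [],
     "user_approved": True, "developer": "erin", "implementer": "ops2",
     "emergency": True, "post_review": True},           # emergency change, ratified
    {"id": "CR-106", "approvals": ["feasibility", "necessity", "implementation"],
     "user_approved": True, "developer": "alice", "implementer": "ops2",
     "emergency": False, "post_review": None},
]
REQUIRED_APPROVALS = {"feasibility", "necessity", "implementation"}


def select_sample(records, n=5, seed=20040101):
    """Draw n records for testing.  The seed is recorded in the work papers
    so the identical sample can be re-drawn during a follow-up audit."""
    rng = random.Random(seed)
    return rng.sample(records, min(n, len(records)))


def change_exceptions(changes):
    """Map each non-compliant change id to the criteria it fails; an empty
    dict means every record tested passed."""
    findings = {}
    for c in changes:
        issues = []
        missing = REQUIRED_APPROVALS - set(c["approvals"])
        if c["emergency"]:
            # Emergency changes may bypass up-front approvals, but the
            # emergency procedure (assumed here) must ratify them afterwards.
            if not c["post_review"]:
                issues.append("emergency change not reviewed after the fact")
        elif missing:
            issues.append("missing approvals: " + ", ".join(sorted(missing)))
        if not c["user_approved"]:
            issues.append("no user approval of the change request")
        if c["developer"] == c["implementer"]:
            issues.append("moved into production by its own developer")
        if issues:
            findings[c["id"]] = issues
    return findings


if __name__ == "__main__":
    for cid, issues in sorted(change_exceptions(select_sample(CHANGES)).items()):
        print(cid, "->", "; ".join(issues))
```

The separation-of-duties test compares the developer and implementer on every record, including emergency changes, because the program's criterion is that production changes are installed by employees who did not make them; the emergency path relaxes only the up-front approvals, not that rule.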

Document and describe the organization's policies and procedures for making rate changes (e.g., tax rates) in the appropriate applications.

Document and describe the programming standards implemented by the XYZ Corporation. Consideration should be directed to standards featuring naming conventions and use of structured code.

Document and describe what steps, if any, have been implemented to secure source code and other sensitive or proprietary files.

System Operations

Describe the process implemented for scheduling production batch processes. Ascertain whether users authorized all changes prior to installation in the production environment. Select and sample ten schedule changes and review them for compliance with established procedures.

Document and describe the means by which the production schedule is controlled. Ascertain the adequacy of these controls.

Document and describe means by which production output is distributed to users and steps taken to ensure sensitive materials are adequately safeguarded and controlled.

Backup/Recovery

Review system backup, recovery, and business recovery policies and procedures.

Document and describe processes implemented to ensure that system backup is performed adequately to permit timely restoration of services.

Document and describe through observation the frequency of the backups and determine that all files and programs are being backed up properly.

Document the online transaction backups (transaction logs) that permit recovery of updated databases.

Document and describe policies and procedures ensuring that backup copies of system, programs, and data files are stored in adequate offsite storage facilities.

  • Determine if there are any regulatory or legal requirements applicable to this information storage and ensure compliance.

  • Determine adequacy of backup copy inventory.

Contingency Planning/Disaster Recovery

Verify that a written business resumption plan has been developed, implemented, and tested at least annually. Through examination, ascertain whether the plan is current and includes all key business components.

Describe the scope of the business resumption plan tests performed and obtain the results of the last test. Included in these test results should be the results of the posttest critique.

Document, describe, and evaluate the hot-site contract, if applicable, to ensure the hot site adequately addresses all critical assets. Determine whether the contractor is meeting the contract requirements and is in substantial compliance.




Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144