The Audit Process
An organization undergoes an audit of its information systems to validate that they operate securely and in compliance with the requirements of its governing agency. The audit is conducted by an independent, objective entity to ensure that the security controls in place meet a minimum level of assurance. The system must protect the confidentiality, availability, accountability, and integrity of its data. The audit process should follow a phased approach that clearly defines the objective, the scope, the execution of the audit, and the reporting. The Wildcard methodology merges financial audit principles that have been honed over a century with information system audit standards to deliver a report with a high level of assurance.
The audit process is broken into four prominent phases.
- Risk Assessment
Define Audit Objective
In this phase, the objective of the information system audit is clearly defined and aligned to comply with all applicable laws and professional standards. An Audit Charter, or an equivalent document, records the objective, roles, and responsibilities of the information systems audit.
Set Audit Scope
Establishing the scope of the audit is essential to understanding the environment and allocating the resources needed to conduct the audit. The scope definition identifies the controls that are material to the audit and must therefore be evaluated.
Risk Assessment Phase
Wildcard uses a risk-based approach to conducting its audits. Our primary focus is the risk associated with the system, and our goal is to provide assurance that this risk is being managed by the established controls. We account for the following:
Inherent Risk: Susceptibility of the system to error before any controls are considered
Control Risk: Risk that an error could occur in the system and will not be prevented, or detected and corrected on a timely basis, by an internal control
Detection Risk: Risk that the audit will not detect material information that renders the system non-compliant
In this phase, we evaluate the data gathered in the previous phases to determine which areas of the system carry the greatest risk. Our auditors work with the client to determine the areas of greatest concern, and we focus our efforts on those areas to validate that the controls in place protect the system's assets.
At this stage, we have gathered enough detail to design the audit strategy. The previous phases decided what to test; this phase determines how to test it. In the Determine Procedures phase, the interviewees are identified, the tools used to execute the evaluation are selected, scripts are created, and control testing methodologies are defined.
The execution phase begins with capturing data using the methods defined during the Determine Procedures phase. Wildcard collects data via interviews, tools, and diagrams and verifies that the actual environment reflects what was shared in the previous phases.
We then conduct tests via the following procedures where applicable:
- Sampling Control Tests: Performed by the auditor to obtain evidence about the achievement of specific control objectives.
- Compliance Tests: Performed by the auditor to obtain evidence about compliance with significant provisions of laws and regulations.
- Substantive Procedures: Performed by the auditor to obtain evidence that provides reasonable assurance about whether the statements are free of material misstatement.
Issue Discovery and Validation
Instances of noncompliance are captured during testing. When issues are detected, Wildcard validates them by:
- Performing procedures to test whether the same type of issue exists elsewhere in the population
- Evaluating whether the issue is isolated or representative of the population as a whole
Wildcard then documents the nature, extent, and timing of the procedures performed during the testing phase of the audit, as well as the results and conclusions reached. We specifically identify the procedures used to obtain assurance over the audit results. At a minimum, the following items are documented:
- For tests involving sampling:
  - Sampling method used
  - Sample size and the method of determining it
  - How the sample was selected
  - List of items tested
- Audit procedures performed
- Results of tests, including evaluations of sample results, and conclusions
- Interim testing procedures
- Individual and total issues
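The sampling documentation items above map directly onto a standard attribute-sampling control test. The following is an added example, not Wildcard's own tooling and not part of the original page: it derives a sample size from a stated confidence level and tolerable deviation rate (the zero-expected-deviation formula n = ln(1 - confidence) / ln(1 - tolerable rate), which reproduces the usual attribute-sampling tables), selects the sample reproducibly from a seeded random source, evaluates the deviations found against the tolerable rate by computing the upper deviation limit under a binomial model, and emits the documentation items the workpapers require. The population of change tickets, the approval attribute being tested, and the seed are all constructed for the example.

```python
"""Attribute sampling for a control test with workpaper-ready documentation.

Added example, not Wildcard's tooling. The control under test is assumed to be
"every change ticket has approval evidence before deployment"; the population,
the unapproved tickets and the seed are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRecord:
    record_id: str
    approved: bool  # evidence that the change was approved before deployment


def sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that, if the true deviation rate were at or above the
    tolerable rate, a sample with zero deviations would occur with probability
    at most (1 - confidence). Assumes zero expected deviations, so if any
    deviation is found the control cannot be accepted at this sample size."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def upper_deviation_limit(n: int, deviations: int, confidence: float) -> float:
    """Upper bound on the population deviation rate at the given confidence:
    the smallest rate p for which observing <= `deviations` in n items has
    probability <= (1 - confidence). Binomial model, solved by bisection."""
    alpha = 1 - confidence

    def cdf(p: float) -> float:
        return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
                   for k in range(deviations + 1))

    lo, hi = 0.0, 1.0
    for _ in range(60):  # cdf(p) decreases in p; converge on the boundary
        mid = (lo + hi) / 2
        if cdf(mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def build_population(size: int = 400,
                     unapproved=("CHG-0017", "CHG-0203")) -> list:
    """Constructed population: change tickets in id order, two lacking approval."""
    return [ControlRecord(f"CHG-{i:04d}", f"CHG-{i:04d}" not in unapproved)
            for i in range(1, size + 1)]


def run_control_test(population: list, confidence: float = 0.95,
                     tolerable_rate: float = 0.05, seed: int = 20240101) -> dict:
    """Select, test and evaluate a sample; return the documentation record."""
    n = min(sample_size(confidence, tolerable_rate), len(population))
    rng = random.Random(seed)  # documented seed makes the selection reproducible
    sample = rng.sample(population, n)  # simple random sampling, no replacement
    deviations = [r.record_id for r in sample if not r.approved]
    udl = upper_deviation_limit(n, len(deviations), confidence)
    effective = udl <= tolerable_rate
    return {
        "sampling_method": "simple random sampling without replacement",
        "sample_size": n,
        "sample_size_basis": (f"{confidence:.0%} confidence, "
                              f"{tolerable_rate:.0%} tolerable deviation rate, "
                              "0 expected deviations"),
        "selection": f"random.Random(seed={seed}).sample over records in id order",
        "items_tested": sorted(r.record_id for r in sample),
        "deviations": deviations,
        "upper_deviation_limit": round(udl, 4),
        "conclusion": ("control operating effectively" if effective
                       else "control not relied upon; expand testing"),
    }


if __name__ == "__main__":
    report = run_control_test(build_population())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The conclusion is driven by the upper deviation limit rather than by the raw deviation count: with 59 items and zero deviations the limit is just under 5%, so the control is accepted at the 5% tolerable rate, while a single deviation pushes the limit to roughly 8% and the control cannot be relied upon without expanded testing. Recording the seed and the ordering of the population is what lets a reviewer re-derive exactly which items were tested.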
Wildcard will generate a draft report in the format defined during the planning phase to match the reporting requirements. The report restates the scope, objectives, period of coverage, and the nature, timing, and extent of the audit. Wildcard discusses the draft report contents with the client prior to finalization and release, and the final report includes the customer's response to the findings, conclusions, and recommendations. Findings include all deficiencies that are more than inconsequential, including those that fall short of significant.
Issue Report and Follow-up
Upon acceptance of the initial draft, Wildcard will deliver a finalized report that will be signed off by both parties.
Wildcard will follow up with the customer and continue to monitor relevant information until the engagement is concluded or any after-action activities are complete.
Our audit framework is based on principles that have proven effective in producing a product that accurately reflects our customer's environment. Our auditors follow a policy that minimizes audit risk while maximizing assurance in our findings and the efficiency of the audit process. We prioritize being as minimally invasive as possible so that we do not disrupt operations or cause audit fatigue. We accomplish this by providing auditors who are skilled in business process, auditing, and technical controls. By entering your environment and executing our process to deliver a quality product, we help you achieve your organizational objectives.