There are many different types of audits, and no single audit type is suitable for all industries or businesses. However, a few audit themes are a must in any audit. The core structure and idea of an audit remain consistent. Each audit has a lifecycle, from planning to execution to conclusion, and each phase in the audit lifecycle requires multiple steps. Auditors can adopt an agile methodology throughout the audit lifecycle and establish milestones to accomplish a group of audit steps. The final deliverable of the audit is usually in the form of a report to stakeholders. While this might seem like a standard and straightforward process, every audit comes with its own uniqueness and challenges.
Every phase in the audit lifecycle is crucial. However, the most critical step in the entire audit is planning the audit. A well-planned audit sets the stage for an efficient and effective deliverable. Some areas to consider when performing an audit include:
- There should be clarity about the type of audit to conduct and an understanding of the audit deliverables.
- It should be understood who the stakeholders and readers of the audit report are.
- It should be determined if the audit is of a new client/process/department and if the client is familiar with this type of audit.
- The scope of the audit should be defined and agreed on with the client. Any changes in scope beyond the planning phase might result in delays in the audit deliverables. Hence, the scope should be agreed on early in the audit process.
- The budget regarding the hours allocated for the audit should be adequate based on the complexity of the audit.
- The audit team should have the right skill set and knowledge of the client’s business. If the skills and knowledge of the auditor are not adequate, then an experienced audit team member can provide training on the job.
- The roles and responsibilities of the audit team should be clearly defined. This is essential for large engagements with multiple team members.
Another critical portion of the audit lifecycle is executing the fieldwork. The audit should be periodically monitored throughout the fieldwork phase for timely completion of testing and resolution of audit matters as they arise. As part of monitoring the audit, status reports should be sent to audit management and clients to provide visibility into the status of the audit. These reports should include any preliminary observations resulting from testing to give the clients the time and opportunity to either accept the observations or provide additional evidence to resolve the observations.
Someone other than the person preparing the file should complete the review, and draft deliverables should be provided to confirm the accuracy of the facts presented in the report. The final deliverables will then be issued once the report has been reviewed and vetted with the client.
Audits are gaining immense importance in the cybersecurity space. Therefore, learning from audit experience and implementing incremental improvements would benefit the audit team and the clients.
Editor’s note: For further insights on this topic, read Sushma Uniyal’s recent Journal article, “The Top-Five Audit Essentials for Driving Efficiency and Value,” ISACA Journal, volume 4 2022.