Managing The Audit Process

Managing The Audit Process

Cybersecurity audit management is a crucial process that helps organizations ensure the security of their digital assets. With the increasing number of cyber threats, it has become essential for businesses to implement effective cybersecurity measures and regularly audit them to identify any vulnerabilities.

The process of cybersecurity audit management involves conducting a comprehensive assessment of an organization’s IT infrastructure, policies, and procedures to identify any weaknesses or areas of improvement. This helps companies prioritize their cybersecurity efforts and allocate resources to address the most critical risks.

External Auditors

There are two types of external auditors that you will work with:

a. Independent Firms hired by management.

Management brings this group is to help obtain independent assurance that proper controls are in place and functioning effectively.

b. Regulators.

This group of auditors is assigned by your regulating body to conduct audits and prove that proper controls are in place and functioning accordingly. For example, if you are a Healthcare organization, the Department of Health and Human Services Office of Civil Rights (OCR) might conduct an audit to ensure that the covered entity complies with the HIPAA requirements.

    Internal Auditors

    This group is also called the Office of Internal Audit (OIA). They act on behalf of the Board (or highest level of executive management) to deliver assurance and help the executive leadership team manage risk for the organization. Their role and activities are pretty much the same as those of external auditors, but they are on the organization’s staff. The benefit they bring is that they are usually knowledgeable of the company’s operations, making the audit process smoother.

    It is extremely important to know that auditors (internal and external alike) are heavily focused on Processes. This is because they are not technology or security experts. Therefore, they focus on ensuring proper processes are in place and executed as expected as they conduct the audit.

    Audit Roles and Responsibilities

    Here’s a list of stakeholders usually involved in the audit process and their roles.

    1. The Auditor’s Role¹.

    As Raymond Pompon defines in his book IT Security Risk Control Management, An Audit Preparation Plan, the auditor’s role is to evaluate your scoped assets against the compliance standard for the agreed-upon period. Auditors are responsible for keeping you informed. They publish a project schedule and give you updates as they progress. They report findings and observations promptly so you don’t get a massive wave of information. Generally, they let you know if they find something as soon as they’ve confirmed it.

      Auditors are also bound to keep everything confidential except the contents of the final report.

      2. The Audited Organization’s Role¹.

      The audited organization has many responsibilities as well. An important one is designating a primary contact to coordinate all the audit activity. This person, perhaps you as the Security Manager, is responsible for scheduling the auditor’s visits, arraigning office space, scheduling interviews, and procuring documents for the auditors. The audited organization is also responsible for being open and forthcoming about its environment and controls. Not only should you be transparent and honest when answering questions, but you should also keep the auditor up to date about major changes or problems in the organization that could affect the audit.

      3. Control Owner’s Role.

      In our case, the control owner would usually be within the IT or Security team. As the subject matter expert and responsible entity for managing and operating the audited control, the owner’s role is to participate in all stages of the audit process, provide all supporting documentation and evidence, and describe processes and procedures to the auditor during fieldwork. The control owner should also feel comfortable expressing her opinion regarding findings and observations. As with all roles, transparency is expected and encouraged.

      4. Security Manager.

      A key role of a security manager is to develop a continuous compliance and control assessment program, or in other words, “check before the auditor checks”. Of course, the security manager will also play a key role during the audit process by ensuring that audits are sourced properly and that the process is as smooth as possible. Additional responsibilities for security managers include:

      • Keeping management informed of progress.Ensure the agreement is executed as expected.Ensure that the team working on the audit are honest and forthcoming.Review the final report and provide feedback.Coordinate management’s response to the auditAssist control owners with developing mitigating actions.Ensure that compensating controls are evaluated and accounted for.

      5. IT and Security Leadership.

      The leadership team’s role is to ensure that proper resources are allocated to the audit and that everyone understands the rules of engagement and the scope of the audit. The leadership team is critical in reviewing findings and the audit’s final report as they would usually be the delegate of the Executive team for providing the organization’s response to the audit. They will also ensure that mitigating activities, schedules, resources, budget, and any commitment resulting from the audit are managed to treat the finding properly (accept or mitigate the associated risk).

      6. Executive Leadership Team (ELT).

      All audit reports should end with the ELT because the audit owner is usually an executive team member who then delegates responsibilities to the IT and Security leadership team. The audit owner is the most senior executive of the audited division who ultimately owns the risk and relegated risk treatment commitments derived from the audit (for example, the Chief Information Security Officer, the Chief Information Officer, or the Chief Operating Officer).

      7. The Board of Directors.

      Acting on behalf of the organization’s shareholders, the Board should receive periodic reports on audit activities and issues found. They should support the ELT to treat risk properly and be aware of any risk acceptance derived from audits.

      The Audit Process

      Managing a cybersecurity audit can be a complex and challenging task. Still, there are several best practices that you can follow to ensure a successful outcome, and they are broken down into different phases. These phases are (the name for these phases may vary at different companies):

      1. Pre-Planning Phase
      2. Planning Phase
      3. Fieldwork Phase
      4. Reporting Phase
      5. Post-Audit Monitoring Phase

      1. Pre-Planning Phase

      During this phase, an internal audit team would review and develop an understanding of the current risk profile, critical process, and regulatory and contractual obligations of the organization to select, along with senior management, the audits to be performed during the upcoming period. This is usually completed well before the official “audit kick-off”.

      A good Internal Audit team would usually discuss the plan for the upcoming period with executive, senior, and middle leadership teams to ensure that their audit plan is realistic for the period and does not disrupt other projects and operational activities planned for the period. Furthermore, as changes emerge in the company’s operations, regulatory and contractual obligations, and risk profile, the OIA would also adjust its audit schedule, accordingly, working closely with management.

      2. Planning Phase

      Once the audit schedule for the period is established, there are a series of activities that the auditor coordinates with the audited entity. Some of these activities include but are not limited to:

      • Define Audit Scope and Objectives. This is typically done in collaboration with control owners to clarify the scope of the audit, including the systems, processes, applications, and data that will be audited. This will help you focus your efforts and ensure that all relevant areas are covered.
      • Define Audit Schedule/Duration
      • Audit Announcement Memo. Directed to control owners and executives, the announcement should include the Scope and Objectives agreed upon and the Audit Schedule.
      • Prepare for the audit: Make sure your organization is prepared for the audit. This includes ensuring that all systems and applications are up to date, security policies are in place, and all relevant documentation is available.
      • Audit Kick-off meeting. First of a series of meetings with control owners and operators. The audit team would be defined in this meeting or before it.
      • Interviews and data extraction.
      • Develop testing methodology.

      3. Fieldwork Phase

      Auditors perform additional interviews, data extraction, and analysis in this phase. They would evaluate control effectiveness and compliance against scope policies, standards, and regulations. In some cases, the auditor would shadow control owners and control operators to gain a deeper understanding of the process and gather evidence, such as screenshots, to ensure that their findings, observations, and opinion are accurate.

      During the audit, work closely with the team to ensure they have access to all the necessary information and systems. Monitor their progress and address any issues that arise.

      4. Reporting and Responding Phase

      Once the audit is completed, review the findings with the audit team and develop a plan to address any identified vulnerabilities or deficiencies. Make sure to prioritize the most critical issues and develop a timeline for remediation. With all the information gathered in the previous phases now, the auditor is ready to issue the final report to management and close the audit. It is crucial that the entire audit team and management are engaged in this phase to ensure that the information in the report is accurate. Activities a security manager should ensure happen include:

      • Review the report for accuracy.
      • Provide feedback and, where appropriate, corrections to the report.
      • Ensure that compensating controls are considered as risk rating of findings is assigned.
      • Ensure that the audit team and management agree with the risk rating of the findings.
      • Coordinate discussion between all audit stakeholders to develop management’s response to the audit.
      • Support control owners and operators in developing remediation plans and timelines.

      Once there’s agreement on the final report, the auditor usually schedules an Audit Exit meeting to deliver findings to management and request a response. The report usually has the following items:

      • Background, Audit Objectives, and Scope
      • Audit Opinion (or Conclusion). This tells management whether the result of the process audited was satisfactory, needs improvement, or is unsatisfactory. Sometimes a high-level overview of findings and observations is also included in this section.
      • Management Response. In a nutshell, whether management agrees with the findings and observations.
      • Findings and Observations. This section includes:
        • Detailed description of the finding or deficiency
        • Risk rating of the finding or deficiency
        • Plan of Actions and Milestones (POAM, a.k.a. Corrective Action Plan)
        • Corrective Action Owner and Timeline

      5. Post-Audit Monitoring Phase

      In this phase, the Corrective Action Plan and Timeline are monitored to ensure progress toward risk mitigation. Monitoring is usually done by the OIA team, and in most organizations, the Security Manager would also monitors it. The security leader should ensure an open line of communication with the mitigation owner to identify early warnings of issues or risks of being unable to complete the corrective action in the agreed-upon timeline. This is because mitigation plans that expire before completion would usually be reported to the Executive team and the Board as open items.

      As a Security Manager, you must report risk mitigation progress to different organizational committees. Below is an example of an artifact that we developed to visualize how the control deficiencies derived from audits related to the NIST CSF controls when I first started in one organization. This tool helped me visualize the areas that needed the most attention and was also used to adjust the organization’s policies and standards.

      In conclusion, cybersecurity audit management will become even more critical for organizations as cyber threats continue to evolve. Companies must prioritize cybersecurity and invest in the necessary resources to protect their digital assets.

      In the future, we can expect to see more advanced technologies and automation in cybersecurity audit management and increased collaboration between businesses, governments, and cybersecurity experts to share information and best practices. For now, you should build solid audit management processes to respond quickly and appropriately to all your auditors. Let us know if we can help you build your process.

      Leave a Reply

      Your email address will not be published. Required fields are marked *