Principles, program, and planning of audit and governance.

1. Principles of technical auditing.


In this section, we will address the following questions:

  1. Detail the fundamental reason why independence is one of the essential principles of auditing and how it significantly influences the integrity and validity of the audit process.
  2. Identify three contexts in which a conflict of independence may arise during a corporate audit, including at least one situation involving a first-party audit conducted by an external entity. We will analyze the underlying causes and explain how these could affect the audit outcomes.

The solution to the questions posed is as follows:

  1. As we are well aware, an audit is characterized by being independent and systematic. Independence is therefore one of the principles of auditing: it is necessary to ensure that the auditor maintains impartiality and objectivity in the final conclusions of their work. This is achieved by relying exclusively on the evidence provided by the client or obtained during the audit process, and by ensuring that these conclusions are not influenced by external interests. It is important to note that the auditor does not necessarily have to be external to the organization being audited, but they must be independent of the specific activity being audited. In other words, the auditor must have no conflict of interest with, and must not be influenced by, the activity they audit, for example by having been involved in the implementation of the systems under review. If the auditor fails to adhere to the principle of independence in any way (e.g., a conflict of interest), they could be disqualified from practicing and the audit would be invalidated, since the reliability of its results would be in doubt.
  2. In the case of a company dedicated, for example, to the development, marketing, and maintenance of banking applications based on web and cryptographic technologies, several situations that may pose a conflict of independence for the auditor can be identified:
    1. Financial interest: One situation is where the auditor has a financial interest in the company being audited, such as a significant investment in its stock. In this case, the auditor cannot be considered independent because they have a personal interest in the company’s success and may be less inclined to highlight issues or irregularities in their report.
    2. Internal auditor supervision: Another situation could arise when an internal auditor is hired and is directly supervised by the company’s management. In such a scenario, the internal auditor may face pressure to downplay problems or to avoid emphasizing problematic areas that could reflect negatively on management.
    3. Conflict in an external audit: An example of a situation in which an external auditor may have a conflict of independence in a first-party audit is as follows:
      • Let’s assume the company hires an external auditor to conduct a security audit of its banking applications. The company relies heavily on the security of these applications to maintain its reputation and customer trust. However, the external auditor also provides cybersecurity services to other clients in the same industry, such as banks and other financial technology companies that compete directly with the company. In this situation, the external auditor could have a conflict of interest because their work for the financial technology company may negatively impact their other clients. Additionally, the external auditor may have a close relationship with the company, such as a financial or personal relationship, that could influence their ability to conduct an independent and objective audit.

In any of these situations, the lack of independence can have a significant impact on the validity of the audit. Audit results may be less reliable if the auditor cannot provide an objective and balanced assessment. This can jeopardize the confidence of shareholders and regulators, among others, and as a result, the audit findings may be questioned or invalidated due to a lack of professional rigor.


2. Audit program.


At this point, we will outline the minimum aspects that an Audit Program should cover, explaining its relevance in terms of establishing an organizational framework for the Audit Function within a company. Using the previous company scenario, we will propose a staffing structure for the Internal Audit Department, which would carry out the Audit Function. We will detail the necessary roles along with their characteristics and functions within the team. Finally, we will reflect on the potential challenges in terms of sizing and resource availability that the organization might face, offering options to address them.

The solution to the questions posed is as follows:

An audit program is essential to ensure that an organization’s audit function is organized and carried out effectively and efficiently. A well-designed and executed audit program can help the organization identify areas for improvement and ensure compliance with applicable standards and regulations. Additionally, it provides an independent assessment of the organization’s internal control systems and helps identify and mitigate risks.

The Audit Program should include the following aspects:

  1. Audit Program Objectives and Scope: It should be clearly defined which aspects will be audited, what will be evaluated, what the specific objectives are, and the scope of the audit.
  2. Audit Planning: An audit plan should be established, including the audit schedule, necessary resources, risk identification, legal requirements, deadlines, and expected outcomes.
  3. Audit Procedures, Criteria, and Techniques: The set of procedures, criteria, and audit techniques to be used to achieve audit objectives should be detailed. Procedures for conducting all aspects of the program should be clear and detailed so that auditors know exactly what to do at each stage of the audit process. Audit criteria should be established to ensure that audit results are comparable and consistent.
  4. Audit Team Management: The profile of the audit team should be detailed to ensure they can successfully carry out the audit exercise. These aspects include professional experience and industry certifications, among others.
  5. Logistical and Budgetary Management: Managing logistical and budgetary aspects is essential to ensure that the audit program has the necessary resources to function effectively. Proper budget and resource management should be in place to ensure that all relevant areas of the organization are adequately covered.

The Internal Audit Department should be composed of a team of professionals with specialized knowledge in the areas of security, technology, and finance. The minimum team structure could include the following roles:

  1. Chief Internal Auditor or Audit Head: Responsible for leading the internal audit function and overseeing the team of auditors. Should possess leadership skills and a strategic vision to develop the audit program. It is advisable for them to hold industry-relevant professional certifications that guarantee prior experience in this type of work (CISSP, PMP, among others).
  2. Senior Auditor: In charge of planning and executing the most complex audits. Should have a minimum of 5 years of audit experience and specialized knowledge in computer security and web and cryptographic technologies. They may supervise a junior auditor, who should have basic knowledge in auditing and computer security. Both should hold industry-relevant professional certifications (ISO 27001, others).
  3. Technical Expert in Computer Security: Responsible for assessing and improving the security of the banking applications developed by the company. Should have advanced knowledge in computer security and cryptography, as well as experience in similar roles. Should hold industry-relevant professional certifications (CEH, OSCP, among others).
  4. Technical Expert in Web Technologies: Responsible for evaluating and enhancing the security and quality of the web applications developed by the company. Should have advanced knowledge in web technologies and software development, along with experience in similar roles. Should hold industry-relevant professional certifications (OSWE, others).
  5. Risk Analysis and Management Expert: Responsible for assessing the risk to which the organization’s assets are exposed and developing an action plan for their management. Should have advanced knowledge of the Magerit v3.0 methodology and experience in similar roles (ENS, ISO 27001, others).

The members of the audit team should have signed the relevant Non-Disclosure Agreements (NDAs) and provided a written commitment to adhere to the principles of auditing, including independence (impartiality, objectivity), reliability, and professional ethical conduct.

Regarding the challenges of sizing and resource availability that the organization may face, there could be difficulties in recruiting and retaining highly skilled personnel and securing the budget for implementing the audit program.

To address these issues, the company could consider outsourcing some audit services, hiring independent auditors, or forming alliances with other organizations to share resources and knowledge. Additionally, investing in training and professional development for internal audit staff to keep them updated and committed to the organization’s objectives could be considered.


3. Audit Planning and IT Governance.


In this instance, we will assume the role of the security manager in the previously described company. Given that the company has an Information Security Management System (ISMS) that we assume is certified, it is essential to have an auditing function and continuously improve the ISMS. This continuous improvement is based, among other things, on the results of internal audits (conducted by internal or external personnel but considered first-party audits). Therefore, it is imperative that the organization plans the audits it will carry out throughout the year and during the three-year validity period of the ISMS certificate.

This consideration requires the development of an annual audit plan, specifying whether the audit actions are one-time, recurring annually, or with a longer periodicity (considering the three-year validity framework of the ISMS certificate). For each audit action, it will be necessary to describe the corresponding scope.

The solution to the questions posed is as follows:

As the cybersecurity manager, the requested audit planning could be as follows:

  1. Internal Audit: An internal audit will be conducted in the first year, lasting one year, with the aim of assessing the ISMS’s compliance with ISO 27001 requirements and the organization’s internal procedures. It will be carried out by the internal audit team of the review department. The scope of the audit could be as follows:
    • Risk Analysis and Management: This allows the organization to identify and assess the risks it faces and take proactive measures to mitigate or reduce them, thus identifying opportunities to improve performance and increase operational efficiency. Special attention will be given to assets categorized as essential and personal, following the methodology outlined in Magerit v3.0.
    • Access Records Review: Access records to systems and applications may be reviewed to verify compliance with access policies and to detect unauthorized users or suspicious activities.
    • Ethical Hacking Tests and Stress Tests: Intrusion tests or attack simulations may be conducted to assess the effectiveness of security controls and the ability to detect and respond to incidents. This will be specifically directed at the controlled documentation repository used by the organization to store all ISMS-related information and its operations. Stress tests will aim to ensure system availability by subjecting them to extreme usage conditions.
    • Interviews with Staff: Interviews with staff may be conducted to assess their knowledge and understanding of security policies and procedures, as well as their involvement in ISMS implementation.
    • Business Continuity Tests: Business continuity tests may be conducted to evaluate the organization’s ability to maintain operations in the event of incidents or disasters.
  2. External Audit: An external audit will be conducted in the second year, lasting one year, by an accredited certification body with the aim of assessing ISMS compliance with ISO 27001 requirements and issuing a certification report. The audit scope will be determined by the certification body and must include at least the points covered in the internal audit to verify that everything is correct. Audit team members must hold the corresponding Personal Security Clearance (HPS) to ensure the proper handling of the organization’s confidential information.
  3. Follow-up Audit: A follow-up audit will be conducted six months after the completion of the external audit (to allow time to correct deficiencies), during the third year, before the end of the ISMS certification validity period. It will be carried out by an internal audit team to assess the implementation of corrective actions resulting from the previous audit. It should include a review of changes made in systems and applications to evaluate whether change management procedures are being followed and if associated risks are being assessed.
  4. Recertification Audit: A recertification audit will be conducted at the end of the ISMS certification validity period, after 3 years, to renew the certification.
