Read the book Practical Guide to Auditing SAP Systems - Martin Metz - Page 12

1.4.2 Audit planning


There are two major audit approaches: the risk-based approach and the control-based approach.

Risk-based approaches look at a company's risk capacity, risk appetite, risk register, risk assessments, and risk treatments. This type of audit is therefore built on the company's risk management processes. The auditor identifies the most significant risks, evaluates the measures taken against them, and compares the result to the risk appetite. The audit thus aims to assure the board of directors that the risk management processes work as intended and that risks are managed in line with the company's risk appetite. In risk-based audits, auditors want to assess how:

 Risks are identified, evaluated, and managed

 Risk management is performed according to the risk appetite

 Risks are classified

 Risks and responses are reported

 The effectiveness and efficiency of the risk management framework are monitored

The auditors must ensure that:

 The risk management processes are effective

 The management of the essential risks and controls is effective

 The risk classification and reporting are appropriate

The second main approach is the control-based approach. It focuses on the company's internal control system (ICS), current control deficiencies, and non-compliance with policies and procedures. Using this approach, auditors want to assess:

 How controls are designed

 Whether controls are effective and efficient

This way, the auditors can ensure that:

 Controls have been adequately designed to prevent, detect, or correct financial misstatements and other events that impact the availability, confidentiality, and integrity of data

 The controls implemented are operated effectively, efficiently, and consistently

Both approaches require a deep understanding of either the risk management framework of a company or the internal control system. In the planning process for an audit, both approaches require the definition of the audit environment and audit criteria.

The audit environment comprises everything that is relevant for achieving the objectives of the audit assignment: the relevant locations, personnel, information systems, data, and documents. Audit budgets are typically constrained, so the auditor draws the boundaries of the audit (its scope) within that broader environment. Focusing on specific systems, reports, or documents makes an audit more efficient; if the audit team tries to cover too many aspects, the results tend to be superficial. While the audit scope defines where, when, and with whom the audit takes place, the audit criteria form the basis for the specific audit plan and define the requirements and controls that fall within the scope of the audit. These include, among other things:

 Regulatory requirements

 Standards such as NIST, ISO, COSO, etc.

 Policies, guidelines, standard operating procedures, process definitions

 Customer requirements

Environment of a PAM audit

A company started an IS audit assignment to assess its privileged account management (PAM) environment. PAM systems manage a company's most privileged accounts, vault their passwords, and record all activities performed with these accounts. The overall environment includes the PAM solution with a password safe, a jump host through which administrative sessions are monitored, and an analytics engine for analyzing those sessions. It also covers many interfaces, for example to an identity management system or IT service management, target systems such as infrastructure components and applications, a reporting engine, and archives and backups. Given the risk focus, an auditor may want to reduce this vast scope and concentrate on the password safe, as it is the centerpiece of a PAM solution. Adequate session monitoring would likely be of interest as well. Of all the target systems connected or monitored, the focus should be on the databases and servers within the infrastructure cluster, because unauthorized access to databases and servers has a greater impact than access to a single application. Without a backup procedure, a failure of this critical PAM solution would leave no way to recover. Finally, a proper and operationally efficient process design and governance are required to make the solution sustainable.

Therefore, the audit environment contains the safe, jump hosts, selected target systems, the backup, as well as processes and governance (see Figure 1.5).


Figure 1.5: Example audit environment for PAM

Based on the audit criteria, the auditor assembles the audit plan, which includes all detailed audit activities. Regardless of their form, audit plans usually include:

 The field of work/process cluster

 The underlying risk

 The associated control targets

 The precise audit activities

 The related controls of leading practices like COSO, ISO, etc.

More often than not, audit preparation draws on audit databases with pre-defined sets of controls and control activities, which are then adjusted to the specifics of the auditee. Another popular format is the Excel-based risk control matrix, which holds the information from the bulleted list above. The information collected is entered into these matrices or databases and provides an overview of the status of each risk and each control.

The following example (Figure 1.6) depicts the usual minimum setup of such a risk control matrix.


Figure 1.6: Example risk control matrix
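The following is an added example, not from the book, of the minimum risk control matrix described above expressed as a small data structure: each entry carries the process cluster, the risk, the control target, the audit activity, and the mapped leading-practice control, and the test result of each control rolls up into a status per risk. The roll-up rule, the completeness checks, the class and function names, and the PAM entries are all assumptions made for this illustration.

```python
"""Minimal risk control matrix (RCM) with the roll-up an auditor expects
from the Excel version. Hypothetical example written for this page; the
entries below are constructed, not taken from a real audit."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    NOT_TESTED = "not tested"
    EFFECTIVE = "effective"
    DEFICIENT = "deficient"


@dataclass
class Control:
    control_id: str
    target: str        # control target (what the control is meant to achieve)
    activity: str      # the precise audit activity that tests it
    reference: str     # mapped leading-practice control (ISO, COSO, ...)
    result: Result = Result.NOT_TESTED


@dataclass
class Risk:
    risk_id: str
    cluster: str       # field of work / process cluster
    description: str   # the underlying risk
    controls: list = field(default_factory=list)


def risk_status(risk):
    """Roll-up rule (assumption): 'deficient' if any control failed,
    'open' while any control is still untested, otherwise 'covered'.
    A risk with no control mapped at all is reported as 'uncovered'."""
    if not risk.controls:
        return "uncovered"
    results = {c.result for c in risk.controls}
    if Result.DEFICIENT in results:
        return "deficient"
    if Result.NOT_TESTED in results:
        return "open"
    return "covered"


def plan_gaps(matrix):
    """Completeness checks to run before fieldwork starts: every risk needs
    at least one control, and every control needs a framework reference."""
    gaps = []
    for r in matrix:
        if not r.controls:
            gaps.append(f"{r.risk_id}: no control mapped")
        for c in r.controls:
            if not c.reference:
                gaps.append(f"{c.control_id}: no framework reference")
    return gaps


def build_example_matrix():
    # Constructed entries following the PAM environment of Figure 1.5.
    safe = Risk("R1", "PAM / password safe",
                "Vaulted credentials are read by unauthorized users")
    safe.controls.append(Control(
        "C1.1", "Safe access is restricted to approved roles",
        "Review safe permissions against the approval list",
        "ISO/IEC 27001 A.9.2", Result.EFFECTIVE))
    safe.controls.append(Control(
        "C1.2", "Safe access is logged and reviewed",
        "Sample the monthly access-log reviews", "", Result.NOT_TESTED))
    backup = Risk("R2", "PAM / backup", "Safe cannot be restored after a failure")
    backup.controls.append(Control(
        "C2.1", "Safe backups are restorable",
        "Inspect the last restore test", "COSO Control Activities",
        Result.DEFICIENT))
    sessions = Risk("R3", "PAM / jump host",
                    "Administrative sessions are not recorded")
    return [safe, backup, sessions]


if __name__ == "__main__":
    matrix = build_example_matrix()
    for r in matrix:
        print(r.risk_id, r.cluster, risk_status(r))
    print(plan_gaps(matrix))
```

Running `plan_gaps` before fieldwork surfaces the two planning defects in the sample matrix (a control without a framework reference, and a risk with no control mapped), which is exactly the kind of gap an auditor wants closed before requesting data and system access.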

Once the precise audit plan has been set up, the data and information required are defined and requested. This includes not only documents and reports, but also the system access and authorizations needed to perform specific activities in the systems within the audit environment (typically display-only authorizations limited to the audit period). Regulations regarding the handling of data, especially personal data, are also considered as part of this planning process (e.g., General Data Protection Regulation (GDPR) requirements). The result of this step is usually a request document that lists all the requirements identified above. The auditor hands this list over to the auditees or the assigned dispatcher to obtain access to the systems and the required information as early as possible.

In the last step, the interviewees are identified and appointments with them are agreed. Now the audit can begin.

