There are a variety of assignments that an information risk manager/auditor may be asked to undertake using their specialist knowledge and skills. This could be:
• A regular review or audit of a particular topic to provide ongoing compliance comfort (e.g. part of internal audit plan or regular management testing for Sarbanes-Oxley compliance).
• As part of a bigger team on a large assignment (e.g. the external financial audit of an entity, due diligence review of a potential acquisition target).
• A specific review of a particular issue – (e.g. response to a denial of service attack, health check review of an ERP implementation project).
Stages of a review
I find the Kaizen cycle for continuous improvement a useful tool for considering assignments. The cycle involves four steps (PDCA – Plan, Do, Check, Act) that are repeated as part of a continuous improvement cycle. For example, the first iteration may be that an organisation does not have a disaster recovery plan. Once this is in place, future iterations may be to improve the quality of individual elements of the plan.
Do – using the agreed plan to execute the process and deliver the required product or outcome. This includes gathering information for the next stages.
Check – compare the actual to expected results, for example by testing, to ascertain any differences or deviations from the plan. For an audit report for example, ‘check’ could be agreeing factual accuracy with the key stakeholders.
Act – (or Adjust) – make corrections for any significant deviations identified during the check phase.
I find the cycle useful in two ways:
1. To understand the nature of the assignment and how it will help the client.
2. To look at the lifecycle of the assignment itself.
We will explore both of these concepts in the rest of this chapter.
If our work is part of a bigger assignment, the IRM specialist may be involved at any or all of the PDCA steps. However, in my experience we are often forgotten and brought in during the later stages of a review – causing time pressures for completion in line with the rest of the assignment. The best way to deal with this is to have a close working relationship with other teams and be aware of their upcoming assignments.
IRM assignment planning
To quote an old saying ‘failure to plan is planning to fail’. Time spent planning can avoid issues and problems later in the review. Planning can be at two levels, to cover:
1. Extent of coverage of all assignments within a programme of reviews.
2. An individual assignment.
The overall plan for all reviews may be part of an annual or strategic plan, or could relate to a particular area (e.g. over the lifecycle of a project to implement a new system). There may be tools for this plan – or it could be a spreadsheet. Some organisations are now using Scrum and Agile rather than traditional audit planning (TAP) to agree plans. In either case, planning should be based on perceived risks, including emerging risks. If Scrum is used, you may find an ‘audit product backlog’ rather than an audit or compliance test plan.
In planning assignments, we need to determine the following:
• Objectives for the review – what are the risks we are to assess?
• The scope (and limitations) of the review (e.g. does it cover more than one site? How does this review fit into the overall plan?).
• Resources required to complete the work.
• Findings of previous, similar or related reviews (for follow-up) – also, any other reviews that are planned for the same area (e.g. from external audit).
• Relevant organisation policies, standards and guidance.
• Best practice policies, standards and guidance (e.g. ISO27001, COBIT 5).
• Key stakeholders and other actors.
The most important item is to clearly understand the scope and objectives for the review. It is useful here to use the CIA mnemonic (Confidentiality/Integrity/Availability) to assist thinking – see example below.
Example of assessing risks
Scenario: A garden centre is considering implementing online sales of its goods and services. You need to plan a review of the arrangements.
Will need to ensure appropriate levels of security over:
• Customer data will need to be secured – particularly master data of customer details and transactional data, such as credit card details.
• Standing information price lists, deals, discounts, etc. will need to be secured.
• Verification of customers will need to be identified on the system. Will they have user IDs, passwords, etc.? What if they forget them?
Need to ensure that:
• prices are correctly calculated.
• stock availability is accurate.
• deliveries are made as promised.
Need to ensure that the system is available when required by customers and outages are identified and resolved. Also ensure that adequate disaster recovery arrangements are in place to reduce impact on customers.
The plan should be documented and agreed by the key stakeholders.
Conducting an IRM review
The nature of the fieldwork will depend upon the assignment. In summary, it is likely to consist of:
• Preparing a work plan
• Review of available documentation
• Verification/testing to confirm answers from enquiries
• Assessing the information obtained to reach a conclusion on the objective and identifying any recommendations.
The work plan breaks the assignment down into individual aspects and identifies the objective for that part of the review and how it is to be completed – for example, the specific documents to be reviewed, staff to be interviewed, etc.
When reviewing documentation, making enquiries or testing, it is important to keep good working papers. These should show the objectives, findings and conclusions/recommendations. Working papers should be sufficient to support the findings and conclusions, and to allow a competent person to repeat the work and arrive at the same conclusion. They also enable similar audits to be undertaken in the future. I have had some bad experiences as an auditee where I have been repeatedly asked the same questions by different teams of auditors or assurance specialists.
Reviewing the audit review
Once work has been completed, it needs to be checked for factual accuracy and quality. Confirming factual accuracy with those being reviewed ensures that there are fewer embarrassments later in the process – a review can lose credibility if findings and recommendations have to be changed or removed. The discussion of findings also reduces the risk of nasty surprises for those being reviewed and gives them time to consider how to respond. I remember on one occasion discussing a finding about lack of handover arrangements between shifts of operators – they agreed and a new procedure was in place in time for the next shift change!
The quality review is to ensure that the objectives for the review have been met and that the working papers and report are aligned with the findings. Having worked in the Big4, this form of review is normal for me – but for some it can be daunting. Such reviews are necessary to ensure consistency of work and reporting. My most common review point to raise is ‘So what?’. I have found that technical specialists, for example, can raise an issue without fully explaining the implications or impact. For example:
“Password policy to specify length and format of passwords is not complied with for the new system.”
Whilst this may be accurate and concise it does not convey the impact to a lay reader. It is far better to state something like
“There is an increased risk of unauthorised access, leading to loss or fraud, because the password policy to prevent easily guessable passwords has not been complied with.”
The final check will be the issuing of the report and agreeing actions to be taken.
Ensuring action after the review
Having completed the review and issued the report, management should prepare an action plan to implement any findings, depending on their priority and urgency. They should also ensure that the findings are shared with any related areas. As an auditor I have often prepared a number of reports (or even follow-up reviews at a later stage) where the findings are the same. Whilst using the word swap facility on MS Word, etc. is an easy way to complete reviews, it is not an effective way to improve the control environment of an organisation. There should also be a mechanism to review and report on the progress of the action plan. The use of key performance indicators is a good way to ensure actions have been implemented and continue to operate effectively. They give an early warning of any changes so that management can investigate root causes and take appropriate actions.
Planning and the process of undertaking an IRM audit or assurance exercise is no different to that for any other area. The tools used and form of analysis may be different. There is also a need to ensure that a proper logical process is used for the review, and that findings are supported by good analysis and working papers. The process is less important than the outcome which should be to provide a level of assurance that the risks are covered, or to provide recommendations as to how this can be achieved.