Click here for the IT Audit Phases.
Generally, audits performed or managed by the Information Security Audit Program go through the following five phases:
1. Initiation and Planning - All requests for information must be received by the OISC Internal Audit Team within at least five (5) days prior to the start of the audit. This phase may include the following activities:
- Conducting a preliminary review of the client’s environment, mission, operations, polices, and practices;
- Performing risk assessments of client environment, data, and technology resources;
- Completing research of regulations, industry standards, practices, and issues;
- Reviewing current policies, controls, operations, and practices;
- Developing/creating a formal agreement (e.g., statement of work, audit memorandum, or engagement memo) to state the audit objectives, scope, and audit protocol; and
- Holding an Entrance Meeting to review the engagement memo, to request items from the client, schedule client resources, and to answer client questions.
2. Fieldwork - The purpose of fieldwork is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach a conclusion related to the audit objectives and to support audit findings and recommendations.
- During this phase, the auditor will conduct interviews, observe procedures and practices, perform automated and manual tests, and other tasks.
- Fieldwork activities may be performed at the client’s worksite(s) or at remote locations, depending on the nature of the audit.
- All requests for information must be received by the OISC Audit Team within 1-2 days after request.
3. Analysis and Review – Analysis and review are performed to ensure that all fieldwork activities and evidence items are documented, that they support the audit findings and recommendations, and that they are presented accurately in the audit report. Any inconsistencies or open issues are addressed at this time. The auditor may remain on-site during this phase to enable prompt resolution of questions and issues.
- At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss findings and recommendations, address client questions, discuss corrective actions, and resolve any outstanding issues.
- A first draft of the findings and recommendations may be presented to the client during the exit meeting.
4. Final Reporting – Generally, the Information Security Audit Program will provide three versions of the audit report.
- After completing fieldwork and analysis, the auditor will present the first draft of findings and recommendations to the client during the exit meeting.
- If changes to the first draft of the report are needed, the auditor may issue a second draft. The client will have 15 working days, unless otherwise negotiated, to respond to the first or second draft, respectively.
- The final report will be issued with the auditor’s findings and recommendations, as well as the client’s responses.
- If the client does not respond to the first draft, the Information Security Audit Program will issue the final report without client responses.
5. Follow-up - After a reasonable period, as agreed upon by both parties or mandated by the administration, the auditor will contact the audit client to request a status report on corrective actions and/or schedule a follow-up engagement to confirm corrective action.
- The auditor will evaluate the effectiveness of the corrective action taken, and, if necessary, advise the client on alternatives that may be utilized to achieve desired improvements.
- In larger, more complex audit situations, follow-up may be repeated several times as additional changes are initiated. Additional audits may be performed to ensure adequate implementation of recommendations.
- The level of risk and severity of the control weakness or vulnerability dictate the time allowed between the reporting phase and the follow-up phase.
- The follow-up phase may require additional documentation for the audit client.