- How was I selected for an audit?
- How can I prepare for an audit?
- How long will an audit take?
- What is an Entrance Meeting? Who should attend?
- Should I advise my employees of an audit in advance?
- How should I deliver requested information to the auditors?
- What if I don’t agree with a finding and/or a recommendation?
- What if I need more time to implement a recommendation?
- Who will have access to the final audit report?
- Do I have to undergo follow-up activities?
- What is a Third-Party audit? Do I have to contact WVOT?
- Will my agency be billed for an audit?
- How do I schedule/contact IT Internal Audit?
- What are some helpful links and resources about auditing?
1. Q: How was I selected for this audit?
A: Agencies can be selected for audits based on the following criteria:
- On an ad-hoc basis;
- As a client special request;
- Post incident; or
- As part of a risk assessment.
2. Q: How can I prepare for an audit?
A: Information Security audit clients are responsible for cooperating with both internal and third-party auditors. This cooperation may involve:
- Scheduling personnel for audit activities such as interviews, observation, re-performance, etc;
- Providing a secure on-site work area;
- Making data, records, and technology resources available to the auditor(s);
- Reviewing preliminary findings and providing requested comments in specified timeframes;
- Responding to finalized audit findings and recommendations in a timely manner; and
- Establishing and maintaining required controls.
During client-initiated audit engagements, IT Audit customers must provide the following to the Internal Audit Team:
- Advance notice of audit – six (6) months;
- All relevant audit information;
- Start time for audit;
- Principal State contacts for the audit;
- Location for pre-planning meeting and the individual responsible for scheduling the meeting;
- Secure workspace;
- Person/entity requiring the performance of the audit;
- Any regulatory or legal basis for the audit;
- The defined need for, and authority of, the OISC Internal Audit Program in support of the audit;
- Copy of prior audit documentation, including findings and status of addressing said findings;
- Sign-off on the billable scope and extent of the requested audit services as agreed by both parties in a Statement of Work (SOW); and
- Full access to systems, information, work areas, reports, and agency policies and procedures, when requested.
3. Q: What is the duration of the audit?
A: Depending on the audit scope, the duration of an audit can range from less than a week to several months.
4. Q: What is an Entrance Meeting? Who should attend?
A: Entrance meetings take place during the Initiation and Planning phase of an audit. During this meeting, the Internal Audit Team, along with the client, will review the formal audit agreement, audit objectives, and scope. The auditors will also request items from the client, schedule client resources, and answer client questions. Any employee who will have a role in providing pertinent information for the audit should attend the Entrance Meeting.
5. Q: Should I advise my employees of an audit in advance?
A: This depends on the type of audit, as each type requires a different level of employee participation.
When performing Client Assessments or assisting in Third-Party engagements, auditors will need full access to employees, systems, information, work areas, reports, and agency policies and procedures.
In the case of an ad-hoc audit, an agency will have no advance notice.
6. Q: How should I deliver requested information to the auditors?
A: Unless otherwise negotiated, clients must provide all relevant information to auditors electronically. Any documents that are not available in electronic format must be posted in the audit management system. This must be completed prior to the audit or during the audit planning phase.
Generally, all requested information must be received by the Internal Audit Team at least five (5) days prior to the start of the audit. During the fieldwork phase, all requested information must be received by the Internal Audit Team within three (3) days of the request. When absolutely necessary, extensions can be negotiated. However, extensions may increase the duration or cost of the audit.
7. Q: What if I don’t agree with a finding and/or a recommendation?
A: If an audit client disagrees with an audit finding(s) or recommendation(s), the client should discuss the item with the auditor, providing a reason for the objection and, where possible, a compensating control or alternative solution. Clients are encouraged to raise such items during the Exit Conference, which typically occurs when the auditors have finished fieldwork and analysis but before issuance of the final report.
8. Q: What if I need more time to implement a recommendation?
A: Extensions will be granted on a case-by-case basis. This may depend upon staffing limitations, financial constraints, valid time constraints, etc. If the implementation of a control or recommendation will take an extended period of time (years), agency progress will be taken into consideration.
9. Q: Who will have access to the final audit report?
A: The delivery of the final engagement findings and recommendations will be limited to the CTO, the CISO, the client Director, and other parties as authorized.
The Information Security Audit Program will only release engagement findings and recommendations to additional entities under the following circumstances: by request from the audit client, for peer review, and/or under order of subpoena. Only information specific to the request will be released.
Internal audit reports are exempt from disclosure under West Virginia's Freedom of Information Act (West Virginia Code §29B-1-4). Examples of exemptions include internal memoranda or letters received or prepared by any public body; records containing specific or unique vulnerability assessments or specific or unique response plans, data, or databases; computing or telecommunications and network security records, passwords, etc.; and security or disaster recovery plans, risk assessments, tests or the results of those tests, etc.
WVOT IT Auditors will not improperly disclose any such information to third parties under any circumstances.
10. Q: Do I have to undergo follow-up activities?
A: Generally, yes.
After a reasonable period, as agreed upon by both parties or mandated by the administration, auditors will contact the audit client to request a status report on corrective actions and/or schedule a follow-up meeting to discuss any needed corrective or strengthening measures.
Internal auditors will evaluate the effectiveness of the corrective action taken, and, if necessary, advise the client on alternatives that may be utilized to achieve desired improvements.
In larger, more complex audit situations, follow-up may be repeated several times as additional changes are initiated. Additional audits may be performed to ensure adequate implementation of recommendations. The follow-up phase may require additional documentation for the audit client.
11. Q: What is a Third-Party audit? Do I have to contact WVOT?
A: A Third-Party audit is an engagement conducted by an external (independent) qualified party. An example of this would be an IT Review associated with an Annual Financial Statement audit or a regulatory requirement.
Yes, you must contact the WVOT. Agencies engaging in any IT audit activity with third parties are responsible for contacting the WVOT Internal Audit Team as soon as notification of the audit has been received, preferably three to six months in advance, so that OISC can assist in the coordination.
Internal Audit will then coordinate communications between Executive Branch personnel and third-party auditors, determine that audit objectives are clearly defined and achieved throughout the engagement, ensure that appropriate and accurate information is provided to the third-party auditors, and facilitate effective follow-up activities and monitor progress in addressing audit recommendations.
12. Q: Will my agency be billed for an audit?
A: Information Security Auditing will be charged on an hourly basis per engagement. Clients can reduce costs by providing sufficient notice of audit requests – ideally six (6) months before the due date. Also, clients can reduce audit and review costs by taking advantage of the OISC security and controls self-assessment engagements. The client can follow recommendations issued after a self-assessment to strengthen basic controls and perform advanced preparation for more in-depth audits or reviews.
13. Q: How do I schedule/contact IT Internal Audit?
A: WVOT Internal auditors will accept and attempt to fulfill all audit requests. However, to ensure that the auditors have the resources available to perform or coordinate the audits, clients must submit requests at least three (3) to six (6) months prior to an audit. Requests for coordination of IT Reviews associated with Annual Financial Statement Audits should be submitted as early as possible.
14. Q: What are some helpful links and resources about auditing?
A: Agencies may contact WVOT Internal Audit at the following email address: firstname.lastname@example.org.