Process life cycles and methodologies

Although individual audit engagements typically have a defined scope, set of objectives, and initiation and completion dates, few audits are truly isolated events. Whether or not an organization achieves its intended objectives from an IT audit, from the findings and conclusions in the audit report it learns aspects of its controls or capabilities that are not operating as intended, fail to conform to applicable standards or criteria, or are insufficient or ineffective to support the organizational purposes for which they are intended. Such findings represent opportunities for improvement as well as potential focus areas for subsequent audits covering the same controls or capabilities. With the possible exception of audits conducted as part of an investigation, virtually all types of IT audits are conducted more than once in an organization, at regular intervals specified in laws, regulations, or certification requirements or at a frequency determined by organizations in their internal audit strategies. The cyclical and iterative nature of most audit processes reflects an expectation that audits will be repeated. This repetition is a defining characteristic of continuous improvement initiatives and corresponding methodologies, notably including the plan-do-check-act (PDCA) cycle on which many auditing processes are based.

The PDCA model attained prominence as a central element of a theory of management in manufacturing companies and firms in service industries that emphasized continuous improvement and highlighted the benefits to organizations from effecting change that leads to higher quality products or services [17]. Although the process in practice can be applied to almost any type of organizational change, it is particularly well suited to auditing and other types of assessments that identify areas of relative weakness or inefficiency that, if corrected, can result in gains in productivity, operational efficiency and effectiveness, market position, or competitive advantage. An organization's ability to realize these outcomes on an ongoing basis rests on its execution of the "check" and "act" phases of the process, in which it analyzes results such as IT audit findings and commits to corrective action not only to mitigate risk, but also to improve operational quality and enhance the value IT delivers to the organization in supporting the achievement of mission and business objectives. Beyond its pervasive use in quality management standards and methodologies, the PDCA process cycle features prominently in governance, risk, and compliance frameworks and in control evaluation and assessment methodologies, particularly for information security management.

Available methodologies and guidance on auditing offer organizations many process life cycles that differ in the number of steps they include and their areas of emphasis, but these alternatives feature more similarities than differences, in part because they rely on similar standards and foundational concepts. For instance, ISO 19011, Guidelines for Auditing Management Systems, applies the PDCA life cycle model to the process of managing an audit program and prescribes a six-step process for performing individual audits [1]. Both of these elements are incorporated by reference into other standards, including those addressing requirements for auditors providing certification audits [7] and audits of information security management systems [11]. Not all audit methodologies explicitly include steps for closing out the audit and following up on audit findings and corrective actions, but both audit-specific and more general control assessment processes specify activities for planning, performing, and reporting the results of formal evaluations such as IT audits. Relevant examples include:

● The Institute of Internal Auditors' (IIA) International Professional Practices Framework (IPPF) specifies performance standards for planning and performing audit engagements and communicating the results of such engagements [5];

● The American Society for Quality's ASQ Auditing Handbook describes a four-step audit process comprising preparation, performance, reporting, and follow-up [6];

● ISACA's IT Audit Framework defines information system audit and assurance guidelines in three major categories: general (preparatory), performance, and reporting [9];

● The Federal Information System Controls Audit Manual (FISCAM), used in audits of U.S. government agencies, defines an audit methodology organized into the three core steps of plan, perform, and report [13];

● National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments, prescribes a three-step process of preparing, conducting, and maintaining assessments [18]; and

● ISACA's COBIT 5 for Assurance approach includes three primary phases: determining the scope of, performing, and communicating about an assurance initiative [19].

Chapter 9 provides more detailed descriptions of major frameworks and methodologies used in auditing, IT governance, risk management, and security control assessment.
